Hi Experts,

meet_mkhan
Level 1

Can anyone help me in finding a network monitoring tool through which I can check the source and destination ports (TCP or UDP), IP address, packets permitted and denied from ASA5510 or any firewall. Specially I want to monitor packets routing which are denied and which are permitted from firewall.

Any help would be appreciated.

Thanks a lot in advance.

2 Accepted Solutions

I saw the captures; as you can see, the firewall is forwarding all IP proto 50 packets for this VPN outside.

I would suggest when this stops working you collect the captures again and verify on firewall if you see IP proto 50 packets between the VPN peers.

The traffic is just some ESP packets for this ASA; src and dst of actual packets do not matter, so when the issue happens see if you can ping the other end VPN gateway. If you are able to do that then there is no problem with ASA; you will probably have to contact the SonicWall or Checkpoint support.


When SMS stops, can you post the traces of ASA? We can easily find out the problem from this.


18 Replies

Jitendriya Athavale
Cisco Employee

I think for your requirement a server which will collect the logs should be good enough.

For logging you have Kiwi server, or you can go for SNMP polling and again you have a server from Orion.

But there are others which you will get for free too, so I think all you need to do is googling.

Here are some links which will help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml

Thanks for your reply.

I will check the links you posted, but I want to tell what exactly the problem is.

In my company many Microsoft .NET applications are running. We provide SMS service on all TV channels (national and international) by using some client VPNs and only one site-to-site VPN. All the traffic is passing through ASA5510. We have a problem with the site-to-site VPN because the SMS coming through the site-to-site VPN stops (incoming and outgoing); the VPN is up and the VPN is in between SonicWall (local site) and Checkpoint (remote site). If I put the command on ASA5510

access-list 111 extended permit ip any any

then SMS starts working fine, but this is not the solution because it's allowing any IP.

I don't understand which particular IP or port I have to allow through ASA. I tried by removing the ip any any command and putting some ports and IPs, but the problem is not solved.

Kindly help, this is a very urgent issue.

If anyone wants the config of ASA I will post it.

Can you please brief us on how exactly the ASA is coming into the picture, because you said the tunnel is between SonicWall and Checkpoint.

So if it is only the VPN traffic that you want to allow on the ASA then use the access-list

permit esp any any -------> now this is assuming that ASA is in between SonicWall and Checkpoint

If ASA is anywhere else you can just use the access-list defining the private networks.

I might not have understood your requirement, so if this is not what you are looking for then please elaborate on the topology and networks.

Thanks for your reply.

My network is like:

Sonicwall----------Asa5510--------ISP----------------Checkpoint
((local) my company network)                          Remote network

The site-to-site VPN tunnel is in between SonicWall and Checkpoint, passing through ASA5510.

The site-to-site VPN tunnel line is up, but ASA is blocking only the SMS of the site-to-site VPN (between SonicWall and Checkpoint).

I also tried by using the commands

access-list xx extended permit ip 192.168.12.0 255.255.255.0 72.231.238.194 255.255.255.224

(tunnel traffic is 192.168.12.0---------------------72.231.231.194)

access-list xx permit esp any any

but the problem is not solved.

Correct me if I am wrong: from what I understand your ASA should see only encrypted packets between the SonicWall and Checkpoint, so it really does not matter what the traffic is because it will be encrypted.

So maybe you are not encrypting the SMS traffic.

Also, where exactly did you apply the permit ip any any ACL which allowed the SMS, and where have you applied the esp any any?

Encrypted packets between the SonicWall and Checkpoint are only the SMS traffic coming from Checkpoint to SonicWall.

sh run

ASA5510(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5510

names
!
interface Ethernet0/0
speed 10
nameif OUTSIDE
security-level 0
ip address 213.x.x.154 255.255.255.252
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.10.12 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address

interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS

access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 1433
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 5632
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq pcanywhere-data
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq www
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 8080

access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq telnet
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq ssh
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 range ftp-data ftp

access-list 104 extended permit ip 192.168.12.0 255.255.255.0 72.231.238.194 255.255.255.224 //vpn tunnel  traffic

access-list 104 extended permit ip any any //----ip any any

access-list 104 extended permit esp any any //---esp any any

pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 213.x..x..87 192.168.10.1 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..88 192.168.10.2 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..89 192.168.10.3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..90 192.168.10.5 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..91 192.168.10.6 netmask 255.255.255.255

static (INSIDE,OUTSIDE) 213.x..x..92 192.168.10.7 netmask 255.255.255.255

note: (SonicWall IP address 192.168.10.7 NATed with 213.x.x.92)

static (INSIDE,OUTSIDE) 213.x..x..93 192.168.10.8 netmask 255.255.255.255

access-group 104 in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 213.x.x.153 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy


no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.10.0 255.255.255.0 INSIDE
telnet timeout 5

threat-detection basic-threat

threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c6372164a475c9d0aca756edf9bdb215
: end

Oh, your firewall is NATing here, so maybe the tunnel is negotiated on 4500.

Permit UDP port 4500 in the access-list.

udp any any will do for testing.

Sorry for the delayed reply.

When I put the commands

access-list 104 extended permit udp any 213.x..x.96 255.255.255.240 eq 4500

access-list 104 permit udp any any

for some time, like 30 or 40 min, it's working fine, receiving and sending SMS.

After that, same problem (SMS stops).

Hmmmmm, that is weird.

Can you apply some captures on the inside and outside interface of ASA and confirm that we are seeing the packets come to ASA?

Also, do you see any log entries which say that packets are being dropped on ASA?

This link will be helpful to collect the same:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s1

ASA5510# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 11 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

%ASA-4-106023: Deny protocol 50 src OUTSIDE:62.x.x.6 dst INSIDE:213.x.x.104 by access-group "104" [0x0, 0x0]
UDP request discarded from 192.168.10.100/137 to INSIDE:192.168.10.255/137
%ASA-4-106023: Deny protocol 50 src OUTSIDE:62.x.x.6 dst INSIDE:213.x.x.104 by access-group "104" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1028 for OUTSIDE:195.229.249.53/27752 to INSIDE:192.168.10.11/1531 duration 0:00:30 bytes 0 SYN Timeout

Note: ASA is blocking the protocol 50, but when I allowed it there was no difference; the problem is as it is. 62.x.x.6 is the remote peer and 213.x.x.204 is the local peer.
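The original question was for a way to see which packets the ASA denies. As an added example (not part of this thread and not a Cisco tool), here is a small Python parser for the %ASA-4-106023 deny messages like the ones in the sh logging output above: it counts denies per ACL, protocol/port and peer pair, and flags the ones that are IPsec components (ESP, AH, IKE on UDP 500 and NAT-T on UDP 4500), which is what a site-to-site tunnel transiting the firewall needs. The sample log lines and the addresses in them are constructed, not the poster's real peers.

```python
import re
from collections import Counter

# ASA message 106023 = packet denied by an interface ACL. The protocol field is
# a name (tcp/udp/icmp) or "protocol <n>" for other IP protocols such as ESP (50).
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp|icmp|protocol \d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# IPsec building blocks a transit firewall must pass for a site-to-site tunnel.
IPSEC_HINTS = {
    "protocol 50": "ESP (IPsec payload)",
    "protocol 51": "AH (IPsec authentication header)",
    "udp/500": "IKE (ISAKMP)",
    "udp/4500": "IKE/ESP NAT-Traversal",
}

# Constructed sample lines modelled on the thread's "sh logging" output;
# addresses are RFC 5737 documentation ranges, not the poster's real peers.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny protocol 50 src OUTSIDE:198.51.100.6 dst INSIDE:203.0.113.104 by access-group "104" [0x0, 0x0]',
    '%ASA-4-106023: Deny protocol 50 src OUTSIDE:198.51.100.6 dst INSIDE:203.0.113.104 by access-group "104" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src OUTSIDE:198.51.100.6/4500 dst INSIDE:203.0.113.104/4500 by access-group "104" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src OUTSIDE:192.0.2.9/40212 dst INSIDE:203.0.113.104/445 by access-group "104" [0x0, 0x0]',
    '%ASA-6-302014: Teardown TCP connection 1028 for OUTSIDE:192.0.2.53/27752 to INSIDE:192.168.10.11/1531 duration 0:00:30 bytes 0 SYN Timeout',
]

def parse_deny(line):
    """Return the fields of a 106023 deny message, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Lookup key: "protocol 50" for raw IP protocols, "udp/4500" for tcp/udp ports.
    d["key"] = d["proto"] if d["proto"].startswith("protocol") else f"{d['proto']}/{d['dport']}"
    d["ipsec"] = IPSEC_HINTS.get(d["key"])
    return d

def summarize(lines):
    """Count denies per (acl, key, src, dst) and collect the IPsec-related ones."""
    counts, ipsec = Counter(), []
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        counts[(d["acl"], d["key"], d["src"], d["dst"])] += 1
        if d["ipsec"]:
            ipsec.append(d)
    return counts, ipsec
```

Running summarize() over a buffer or syslog file shows, per ACL, exactly which protocol and peer pair is being dropped; any entry with an IPsec hint is a tunnel component the ACL would need to permit between the two VPN peers only.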

Can you please use the link that I had sent in my last post and apply captures on both inside and outside and see if

  • firewall is getting the packet
  • firewall is sending it out

Hi jathaval,

Thanks a lot for your help.

When I put the following commands

access-list 104 extended permit tcp any 213.x.x.x 255.255.255.x eq 50
access-list 104 extended permit udp any 213.x.x.x 255.255.255.x eq 50
access-list 104 extended permit esp any any
access-list 104 extended permit gre any any
no access-list 104 extended permit ip any any

now everything is fine, SMS are coming.

But I think there is no need to allow ESP, GRE, AH and port 50, so many protocols.

Anyway, I just kept on monitoring for some time; after that I will remove the unwanted ports/protocols.

Please find the attached file of traces on the inside interface and outside interface of ASA.

vpn local peer = 213.32.222.44
vpn remote = 62.x.x.6
172.16.10.7 = SonicWall outside interface NATed with 213.32.222.44


Jitendriya Athavale
Cisco Employee

The captures seem to suggest that traffic is flowing only on IP proto 50, which is the ESP.

I still think it is an issue with VPN and maybe just a coincidence that it is working fine when you allow all those ports.

Also, on which interface were these applied? Were they applied on inside or outside of ASA?

Please check the last post; you will find the inside and outside interface traces in an attached file.
