Issue with Crypto Access-List

amit.rane
Level 1

Hello All,

I am facing a weird problem with one of our VPN tunnels. We have around 10 tunnels configured on our ASA 5520. Specific hosts are allowed in the interesting traffic from both ends and are able to ping each other, but they are unable to telnet to some specific ports (TCP/3389, TCP/53, TCP/389, TCP/445, etc.). I have tried giving IP access in the crypto access-list but had no luck.

The issue got resolved after applying a normal port-based access-list on the inside interface, which means access is working through the normal access-list instead of the crypto access-list. For the other tunnels we have not applied any access-list on the inside interface, but they still work fine.

What could be the issue? Do these ports require special access? Our OS version is 8.3(2), in which we do not require the NAT 0 command for VPN tunnels.


A quick turnaround will be much appreciated.

Thanks in advance.

Amit.
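As an added illustration of the two access-lists the post distinguishes (this is not the poster's configuration and not part of the original thread): a crypto access-list only selects which host pairs get encrypted to the peer, while an access-list applied to the inside interface is where per-port permission is enforced. All names, addresses and the peer below are hypothetical placeholders; the verification commands at the end are standard ASA commands for tracing a flow and reading SA and ACL hit counters.

```cisco
! Added example (hypothetical names and addresses, not the poster's config).
! Crypto ACL: defines "interesting traffic" for the tunnel. It decides what is
! encrypted toward the peer, not whether a TCP port is permitted through the ASA.
access-list VPN_TO_BRANCH extended permit ip host 10.1.1.10 host 192.168.50.20
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Inside-interface ACL: per-port permission for traffic leaving the LAN toward
! the remote host (the kind of access-list the post says resolved the problem).
! Once an access-group is applied here, every port must be permitted explicitly.
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 192.168.50.20 eq 3389
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 192.168.50.20 eq 53
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 192.168.50.20 eq 389
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 192.168.50.20 eq 445
access-list INSIDE_IN extended permit icmp host 10.1.1.10 host 192.168.50.20
access-group INSIDE_IN in interface inside
!
! Verification: trace one TCP flow through the ASA (shows which ACL and which
! crypto map entry it hits), then compare SA encaps/decaps counters and ACL
! hit counts before and after attempting the connection.
packet-tracer input inside tcp 10.1.1.10 40000 192.168.50.20 3389
show crypto ipsec sa peer 203.0.113.5
show access-list INSIDE_IN
```

Two checks worth running on the box itself: `show run all sysopt` confirms whether `sysopt connection permit-vpn` is set, which governs whether decrypted traffic arriving on the outside interface is exempt from that interface's ACL (it has no effect on an ACL applied inbound on inside); and `show access-list` hit counts will tell you whether the port-based entries are actually being matched, or whether the flow is being handled by some other rule entirely.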

3 Replies

Shone_Aleksey
Level 1

Hello, Amit.

It seems you need to add inspection for the traffic on TCP/3389, TCP/53, TCP/389 and TCP/445:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect dns
ASA(config-pmap-c)# inspect ils
...

HTH

Shone,

Thanks for your reply. I have tried enabling ils (TCP/389) inspection, but I am still unable to telnet after removing the access-list on the inside interface. Also, is there any way I can modify the default global_policy?

Regards,

Amit.

Hi, Amit.

For inspecting your traffic, follow this template in global_policy:

! Match the TCP port you want inspected (fill in <port>).
class-map MYPORT
     match port tcp eq <port>
!
! Attach the class to the existing global policy. "inspect" takes the name of
! an inspection engine (dns, ils, ...), not the class-map name.
policy-map global_policy
     class MYPORT
     inspect <protocol>

p.s.

policy-map global_policy must already exist, and the "service-policy global_policy global" command must be present in the config.

HTH