Problem to open web application over VPN site-to-site ASA, port 80 is open

Hello Guys,

I need a help here.

I never had this type of problem; maybe someone can help me to solve it.

I have a site-to-site VPN between an RV320 and my Cisco ASA.

I can ping both sites, and I can see that port 80 is open, but I can't open my web application.

I tried putting up a PHP page for testing, and it works fine.

I already tried replacing my Cisco ASA with two RV320s, and with two Meraki MX64s, and I was able to access my web application.

So the problem is in my concentrator ASA.

Here is the scenario:

 

Customer ------------RV320 ----------===Internet===-----------ASA-------------Web server

Customer IP: 192.168.13.30

Web server IP: 10.160.3.130

 

asa5520-frw/customer# sh crypto ipsec sa detail
interface: outside
Crypto map tag: sitecustomer, seq num: 2, local addr: 177.X.X.X

access-list l2l_plu-con_net extended permit ip 10.160.3.0 255.255.255.0 192.168.13.0 255.255.255.0
local ident (addr/mask/prot/port): (10.160.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
current_peer: 177.X.X.X


 #pkts encaps: 4242, #pkts encrypt: 4242, #pkts digest: 4242
#pkts decaps: 4219, #pkts decrypt: 4219, #pkts verify: 4219
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4242, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 177.X.X.X/0, remote crypto endpt.: 177.X.X.X/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0D26E0B5
current inbound spi : 24D543B0

inbound esp sas:
spi: 0x24D543B0 (617956272)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 2510848, crypto-map: sitecustomer
sa timing: remaining key lifetime (sec): 28765
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000003 0xFFFFFFFF
outbound esp sas:
spi: 0x0D26E0B5 (220651701)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }

 

On the ASA side I see some TCP retransmissions and TCP dup ACKs, but I'm not sure that is the problem, because I don't see errors in the output of the command above.

 

22 3.425484 10.160.3.130 192.168.13.30 TCP 63 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=1407 Ack=1455 Win=32512 Len=5 80 58722 Cisco_73:01:56 Cisco_73:01:56

23 3.427712 192.168.13.30 10.160.3.130 TCP 70 [TCP Dup ACK 18#1] 58722 → 80 [ACK] Seq=1455 Ack=912 Win=65868 Len=0 SLE=1407 SRE=1412 58722 80 a2:76:1e:00:00:38 a2:76:1e:00:00:38

24 3.437309 10.160.3.130 192.168.13.30 TCP 553 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=912 Ack=1455 Win=32512 Len=495 80 58722 Cisco_73:01:56 Cisco_73:01:56

25 3.682420 10.160.3.130 192.168.13.30 TCP 553 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=912 Ack=1455 Win=32512 Len=495 80 58722 Cisco_73:01:56 Cisco_73:01:56

 

Best Regards.
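As an added example (not from the original post), here is a small Python parser for the four tshark-style capture lines quoted above: it groups segments by direction, counts retransmissions and duplicate ACKs, and reads the SACK block in the dup ACK to show which byte range the customer side reports as never received. The capture lines are embedded as constructed sample input copied from the post; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the four capture lines from the post above, verbatim.
CAPTURE = """\
22 3.425484 10.160.3.130 192.168.13.30 TCP 63 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=1407 Ack=1455 Win=32512 Len=5 80 58722 Cisco_73:01:56 Cisco_73:01:56
23 3.427712 192.168.13.30 10.160.3.130 TCP 70 [TCP Dup ACK 18#1] 58722 → 80 [ACK] Seq=1455 Ack=912 Win=65868 Len=0 SLE=1407 SRE=1412 58722 80 a2:76:1e:00:00:38 a2:76:1e:00:00:38
24 3.437309 10.160.3.130 192.168.13.30 TCP 553 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=912 Ack=1455 Win=32512 Len=495 80 58722 Cisco_73:01:56 Cisco_73:01:56
25 3.682420 10.160.3.130 192.168.13.30 TCP 553 [TCP Retransmission] 80 → 58722 [PSH, ACK] Seq=912 Ack=1455 Win=32512 Len=495 80 58722 Cisco_73:01:56 Cisco_73:01:56
"""

# frame, time, src, dst, "TCP", frame length, optional [TCP <analysis>] tag, ports, flags, Seq/Ack/Win/Len, optional SACK block
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[(?P<analysis>TCP [^\]]*)\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[[^\]]*\]\s+"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+Win=\d+\s+Len=(?P<len>\d+)"
    r"(?:\s+SLE=(?P<sle>\d+)\s+SRE=(?P<sre>\d+))?"
)

def parse_capture(text):
    """Parse summary lines into dicts with integer fields; lines that do not match are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("frame", "sport", "dport", "seq", "ack", "len", "sle", "sre"):
            d[k] = int(d[k]) if d[k] is not None else None
        segs.append(d)
    return segs

def summarize_directions(segs):
    """Per direction 'src:sport -> dst:dport': retransmission count and bytes, dup ACK count."""
    stats = defaultdict(lambda: {"retrans": 0, "retrans_bytes": 0, "dup_ack": 0})
    for s in segs:
        st = stats[f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}"]
        tag = s["analysis"] or ""
        if tag.startswith("TCP Retransmission"):
            st["retrans"] += 1
            st["retrans_bytes"] += s["len"]
        elif tag.startswith("TCP Dup ACK"):
            st["dup_ack"] += 1
    return dict(stats)

def missing_ranges(segs):
    """(frame, first missing byte, next received byte): the hole a dup ACK's SACK block reports."""
    return [(s["frame"], s["ack"], s["sle"]) for s in segs
            if (s["analysis"] or "").startswith("TCP Dup ACK") and s["sle"] is not None]
```

On the posted lines this shows all retransmitted payload (995 bytes) flowing from the web server towards the customer, while the customer's dup ACK reports bytes 912 to 1407 as missing even though the later 5-byte segment arrived, so the server-to-customer data path is the one to investigate.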

 


Hi People,

I discovered what was the problem.

I tried activating another piece of equipment in my DMZ, and I noticed that the IP address of the ASA's outside interface did not have the release from this IP to the internet in my BGP; I only had the release from the internet to this IP.

I don't know how this was working until now, but this resolved my problem.

Thank you guys.

Best Regards.


Here is the configuration of my Cisco ASA.

 

asa5520-frw/customer# sh run

interface outside
nameif outside
security-level 0
ip address 177.X.X.X 255.255.255.224
!
interface inside
nameif inside
security-level 100
ip address 10.160.0.11 255.255.255.0
!
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.160.3.11
name-server 10.160.3.12
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network server-internet
subnet 10.160.3.0 255.255.255.0
object network plu-Bellos_net
subnet 192.168.13.0 255.255.255.0

access-list l2l_plu-con_net extended permit ip 10.160.3.0 255.255.255.0 192.168.13.0 255.255.255.0

mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server-internet server-internet destination static plu-Bellos_net plu-Bellos_net
!

route outside 0.0.0.0 0.0.0.0 177.X.X.X 1
route inside 10.0.0.0 255.0.0.0 10.160.0.1 1
route inside 172.16.0.0 255.240.0.0 10.160.0.1 1
route inside 192.168.0.0 255.255.0.0 10.160.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 65535 set pfs group5
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 65535 set security-association lifetime kilobytes unlimited
crypto map sitecustomer 2 match address l2l_plu-con_net
crypto map sitecustomer 2 set peer 177.X.X.X
crypto map sitecustomer 2 set ikev1 transform-set ESP-3DES-SHA
crypto map sitecustomer 2 set security-association lifetime seconds 28800
crypto map sitecustomer 2 set security-association lifetime kilobytes unlimited
crypto map sitecustomer 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map sitecustomer interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 1800

no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 177.X.X.X type ipsec-l2l
tunnel-group 177.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 5

!
class-map inspection_default
match default-inspection-traffic
class-map statebypass
match access-list statebypass
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
inspect icmp
inspect icmp error
policy-map statebypass
class statebypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy statebypass interface inside
Cryptochecksum:a6d8fb513137eebf0b2634c3dbc10ded
: end

 

 

 

Here is the capture from the ASA side.

Here is the capture from the customer side.
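As an added example (not part of the reply above), the Python below audits two things a reviewer would check in the posted configuration: which IKEv1 transform sets the crypto maps actually reference and whether any of them still use DES, 3DES or MD5, and whether every entry of the crypto map's match ACL has a matching identity NAT rule so the interesting traffic enters the tunnel untranslated. The embedded config is a constructed excerpt of the lines posted above; the function names are mine.

```python
import re

# Constructed excerpt of the posted ASA configuration (only the lines the checks look at).
ASA_CONFIG = """\
object network server-internet
subnet 10.160.3.0 255.255.255.0
object network plu-Bellos_net
subnet 192.168.13.0 255.255.255.0
access-list l2l_plu-con_net extended permit ip 10.160.3.0 255.255.255.0 192.168.13.0 255.255.255.0
nat (inside,outside) source static server-internet server-internet destination static plu-Bellos_net plu-Bellos_net
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map sitecustomer 2 match address l2l_plu-con_net
crypto map sitecustomer 2 set ikev1 transform-set ESP-3DES-SHA
"""

# ESP transforms that should not be negotiated on a new tunnel.
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def weak_transform_sets_in_use(cfg):
    """Transform sets referenced by a crypto map or dynamic map -> their weak transforms.
    Sets that are defined but never referenced are ignored: they are never negotiated."""
    defined = {m.group(1): m.group(2).split() for m in
               re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (esp-.+)$", cfg, re.M)}
    used = set(re.findall(r"^crypto (?:dynamic-)?map \S+ \d+ set ikev1 transform-set (\S+)$", cfg, re.M))
    findings = {name: [t for t in defined.get(name, []) if t in WEAK] for name in used}
    return {name: weak for name, weak in sorted(findings.items()) if weak}

def nat_exemption_findings(cfg, map_name):
    """Crypto ACL entries of map_name that lack an identity (untranslated) NAT rule.
    An empty list means the VPN traffic reaches the tunnel with its real addresses."""
    objs = {name: f"{net} {mask}" for name, net, mask in
            re.findall(r"^object network (\S+)\nsubnet (\S+) (\S+)$", cfg, re.M)}
    acl = re.search(rf"^crypto map {map_name} \d+ match address (\S+)$", cfg, re.M).group(1)
    acl_pairs = set(re.findall(rf"^access-list {acl} extended permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M))
    exempt = set()
    for s_real, s_map, d_real, d_map in re.findall(
            r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$", cfg, re.M):
        if s_real == s_map and d_real == d_map:      # identity NAT: no translation applied
            exempt.add((objs.get(s_real), objs.get(d_real)))
    return [f"no identity NAT for {src} -> {dst}" for src, dst in sorted(acl_pairs - exempt)]
```

On the posted config the NAT exemption check comes back clean, which is consistent with the tunnel and ping working; the transform-set check flags ESP-3DES-SHA, the only set both the static and the dynamic map negotiate.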
