cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1228
Views
0
Helpful
8
Replies

Tunnel comes up the syn packets denied on inbound interface

kevinhobson2000
Level 1
Level 1

Hi all,

I have a issue with a ASA site to site VPN.

The Phase 1 and 2 negotiate fine but then when i see a syn initiated for the SFTP i see the syn denied in the logs even though it is allowed through.

I have changed the addresses in the config as a example the src is 1.1.1.1 and the dest 2.2.2.2.  Config below:

access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222

!

access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2

!

crypto map outside_map 50 match address SFTP

crypto map outside_map 50 set pfs group5

crypto map outside_map 50 set peer VPN_GW

crypto map outside_map 50 set transform-set ESP-AES-256-SHA

crypto map outside_map 50 set security-association lifetime seconds 3600

crypto map outside_map 50 set security-association lifetime kilobytes 4608000

crypto map outside_map 50 set nat-t-disable

The phase 1 and phase 2 seem to negotiate fine.

But i get no encryption/decryption on a sh crypto ipsec sa.

Also i see the syn on the inside interface being denied from source 1.1.1.1.

So what appears to be happening is the initial packets are allowed through to setup the tunnel but then the additional packets appear to be denied.

Any help appreciated.

Thanks

Kev

8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

Your crypto ACL uses "TCP" instead of "IP", do you also have "TCP" on the remote end crypto ACL?

If you are seeing denied on the SYN packet, that means there could be an access-list that might be blocking the access.

Can you check if there is any "deny" access-list on top of your "inside_access_in" line above that might be blocking the traffic?

Hi Jennifer,

Thanks for the reply.

I have put the permit line at the top (line 1).

I will ask the other end if they are using ip or tcp.

Thanks

Kev

Hi Jenifer,

They havent come back to me.

But ive changed the it from TCP to IP in the ACL and theres still no joy.

Turns out its natted as well.

So im no natting it but the tunnel comes up whether i NAT or not.

Just cant get packets actually down the tunnel.

Might it need a route even though there is a default one configured?

I wouldnt have though so.

Is there a debug that will show why the packets are being dropped once the tunnel is up?

Cheers

Kev

Apart from SFTP, have you tried other protocols (ping perhaps) and see if it's working?

Just want to see if it's only SFTP that fails, or everything else fails as well.

Can you share the output of :

show cry isa sa

show cry ipsec sa

You don't need route if there is no overlapping route or route with larger mask. If you have route with larger mask configured then you need to configure the more specific route.

Can you share the full config pls..

Morning Jennifer,

Thanks for your continued assistance with this.

Going through the config i see vpn-filter 10 applied under:

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter value 10

This is tied to ACL 10 which doesnt appear to have the public ip for this in.

This looks like a likey candidate to me.

Config below:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=

sh run

: Saved

:

ASA Version 7.0(8)

!

hostname FW

domain-name default.domain.invalid

enable password Wh3rCbG41fzpd0M. encrypted

passwd YYrn5ri6t.SCggWC encrypted

names

name 195.11.205.145 EXT_IP1

name 80.169.148.99 EXT_IP3

name 80.169.148.98 EXT_IP2

name 155.136.89.20 Coutts_Gateway_VPN

name 80.169.148.112 S21_Test_VPN

name 155.136.150.115 Coutts_Host_VPN

name 80.169.148.114 EXT_IP5

name 80.168.148.96 S21_Range

name 80.169.148.100 EXT_IP6

name 59.154.30.158 EXT_IP7

name 195.166.102.62 EXT_IP4

name 193.8.50.231 Coutts_Gateway_VPN_Switz

dns-guard

!

interface Ethernet0/0

description Outside interface 0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 80.169.124.4 255.255.255.224

!

interface Ethernet0/1

description Inside interface 0/1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.0.0

!

interface Ethernet0/2

description DMZ interface 0/2

nameif dmz

security-level 50

ip address 10.10.10.1 255.255.255.0

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

object-group service TCP_Port_Group tcp

port-object eq smtp

port-object range ftp-data ftp

port-object eq 123

port-object eq www

port-object eq https

port-object eq domain

port-object eq ftp-data

port-object eq ftp

port-object eq 3389

port-object eq ssh

object-group service UDP_Port_Group udp

port-object eq ntp

port-object eq 21

port-object eq 20

port-object eq domain

object-group network Trusted_Ext_Hosts

network-object EXT_IP1 255.255.255.255

network-object EXT_IP2 255.255.255.255

network-object EXT_IP3 255.255.255.255

network-object EXT_IP4 255.255.255.255

network-object EXT_IP5 255.255.255.255

network-object EXT_IP6 255.255.255.255

network-object EXT_IP7 255.255.255.255

object-group service www_services tcp

port-object eq www

port-object eq https

object-group service TCP_CSG tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq 1080

port-object eq citrix-ica

object-group network Trusted_Ext_Hosts_ref

network-object EXT_IP1 255.255.255.255

network-object EXT_IP2 255.255.255.255

network-object EXT_IP3 255.255.255.255

network-object EXT_IP4 255.255.255.255

network-object EXT_IP5 255.255.255.255

network-object EXT_IP6 255.255.255.255

object-group network S21_Range

network-object S21_Range 255.255.255.224

access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group

access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group

access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any

access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG

access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group

access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group

access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG

access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group

access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group

access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www

access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services

access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services

access-list outside_access_in extended deny ip any any

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180

access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389

access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www

access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG

access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0

access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0

access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services

access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services

access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services

access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services

access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh

access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0

access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface Failover Ethernet0/3

failover polltime interface 10

failover key *****

failover link Failover Ethernet0/3

failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250

no monitor-interface management

icmp permit any outside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 10 interface

global (outside) 20 80.169.124.32

global (dmz) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 20 192.168.0.0 255.255.0.0

nat (inside) 10 0.0.0.0 0.0.0.0

nat (dmz) 20 10.10.10.0 255.255.255.0

nat (dmz) 10 0.0.0.0 0.0.0.0

static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255

static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255

static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255

static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255

static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 80.169.124.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter value 10

vpn-tunnel-protocol IPSec

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

client-access-rule none

webvpn

  functions none

  port-forward-name value Application Access

username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 30 match address outside_cryptomap_30

crypto map outside_map 30 set peer 155.136.17.70

crypto map outside_map 30 set transform-set ESP-AES-256-SHA

crypto map outside_map 30 set security-association lifetime seconds 28800

crypto map outside_map 30 set security-association lifetime kilobytes 4608000

crypto map outside_map 30 set nat-t-disable

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer Coutts_Gateway_VPN

crypto map outside_map 40 set transform-set ESP-AES-256-SHA

crypto map outside_map 40 set security-association lifetime seconds 3600

crypto map outside_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map 40 set nat-t-disable

crypto map outside_map 50 match address COUTTS_SWITZ_SFTP

crypto map outside_map 50 set pfs group5

crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz

crypto map outside_map 50 set transform-set ESP-AES-256-SHA

crypto map outside_map 50 set security-association lifetime seconds 3600

crypto map outside_map 50 set security-association lifetime kilobytes 4608000

crypto map outside_map 50 set nat-t-disable

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption aes-256

isakmp policy 50 hash sha

isakmp policy 50 group 2

isakmp policy 50 lifetime 86400

tunnel-group 155.136.17.70 type ipsec-l2l

tunnel-group 155.136.17.70 ipsec-attributes

pre-shared-key *

tunnel-group 155.136.89.20 type ipsec-l2l

tunnel-group 155.136.89.20 ipsec-attributes

pre-shared-key *

tunnel-group 193.8.50.231 type ipsec-l2l

tunnel-group 193.8.50.231 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh 192.168.100.0 255.255.255.0 inside

ssh timeout 5

console timeout 10

dhcpd lease 3600

dhcpd ping_timeout 50

ntp server 193.228.143.13 source outside

Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95

: end

FW#

Cheers

Hi Jen,

I just added it to the filter and tested.

Im getting encryption now but no decryption so over to them.

Thanks for your help.

Cheers

Kev

Good catch!!!

Crypto ACL should really be without protocol and port, so yours should say:

access-list COUTTS_SWITZ_SFTP extended permit ip 192.168.100.0 255.255.255.0 host 193.8.50.180

Then clear the tunnel: "clear cry ipsec sa" and "clear cry isa sa"

And also, do you mean SSH or SFTP?

SSH default port is TCP/22, and SFTP default port is 115

Then you would need to modify your ACL "inside_access_in" accordingly. I am also assuming that your connection is initiated from this ASA that you post the config?

Lastly, VPN filter acl 10 is not the culprit as that applies to IPSec VPN Client, not site-to-site IPSec VPN --> Ahh, forgot that your software is 7.0, as in the newer version there is separate default policy for IPSec VPN Client and Site-to-Site IPSec VPN

Message was edited by: Jennifer Halim