09-11-2012 01:24 AM
Hi all,
I have an issue with an ASA site-to-site VPN.
Phase 1 and 2 negotiate fine, but when I see a SYN initiated for the SFTP, I see the SYN denied in the logs even though it is allowed through.
I have changed the addresses in the config; as an example, the src is 1.1.1.1 and the dest 2.2.2.2. Config below:
access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
!
access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2
!
crypto map outside_map 50 match address SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer VPN_GW
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
Phase 1 and phase 2 seem to negotiate fine.
But I get no encryption/decryption on a sh crypto ipsec sa.
Also I see the SYN on the inside interface being denied from source 1.1.1.1.
So what appears to be happening is that the initial packets are allowed through to set up the tunnel, but the additional packets appear to be denied.
Any help appreciated.
Thanks
Kev
09-11-2012 02:32 AM
Your crypto ACL uses "TCP" instead of "IP", do you also have "TCP" on the remote end crypto ACL?
If you are seeing denied on the SYN packet, that means there could be an access-list that might be blocking the access.
Can you check if there is any "deny" access-list on top of your "inside_access_in" line above that might be blocking the traffic?
09-11-2012 02:34 AM
Hi Jennifer,
Thanks for the reply.
I have put the permit line at the top (line 1).
I will ask the other end if they are using ip or tcp.
Thanks
Kev
09-11-2012 07:46 AM
Hi Jennifer,
They haven't come back to me.
But I've changed it from TCP to IP in the ACL and there's still no joy.
Turns out it's NATted as well.
So I'm not NATting it, but the tunnel comes up whether I NAT or not.
Just can't get packets actually down the tunnel.
Might it need a route even though there is a default one configured?
I wouldn't have thought so.
Is there a debug that will show why the packets are being dropped once the tunnel is up?
Cheers
Kev
09-11-2012 11:43 PM
Apart from SFTP, have you tried other protocols (ping perhaps) to see if it's working?
Just want to see if it's only SFTP that fails, or everything else fails as well.
Can you share the output of :
show cry isa sa
show cry ipsec sa
You don't need a route if there is no overlapping route or route with a larger mask. If you have a route with a larger mask configured, then you need to configure the more specific route.
Can you share the full config, please?
09-12-2012 01:17 AM
Morning Jennifer,
Thanks for your continued assistance with this.
Going through the config I see vpn-filter 10 applied under:
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
This is tied to ACL 10, which doesn't appear to have the public IP for this in it.
This looks like a likely candidate to me.
Config below:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 7.0(8)
!
hostname FW
domain-name default.domain.invalid
enable password Wh3rCbG41fzpd0M. encrypted
passwd YYrn5ri6t.SCggWC encrypted
names
name 195.11.205.145 EXT_IP1
name 80.169.148.99 EXT_IP3
name 80.169.148.98 EXT_IP2
name 155.136.89.20 Coutts_Gateway_VPN
name 80.169.148.112 S21_Test_VPN
name 155.136.150.115 Coutts_Host_VPN
name 80.169.148.114 EXT_IP5
name 80.168.148.96 S21_Range
name 80.169.148.100 EXT_IP6
name 59.154.30.158 EXT_IP7
name 195.166.102.62 EXT_IP4
name 193.8.50.231 Coutts_Gateway_VPN_Switz
dns-guard
!
interface Ethernet0/0
description Outside interface 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 80.169.124.4 255.255.255.224
!
interface Ethernet0/1
description Inside interface 0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.0.0
!
interface Ethernet0/2
description DMZ interface 0/2
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service TCP_Port_Group tcp
port-object eq smtp
port-object range ftp-data ftp
port-object eq 123
port-object eq www
port-object eq https
port-object eq domain
port-object eq ftp-data
port-object eq ftp
port-object eq 3389
port-object eq ssh
object-group service UDP_Port_Group udp
port-object eq ntp
port-object eq 21
port-object eq 20
port-object eq domain
object-group network Trusted_Ext_Hosts
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
network-object EXT_IP7 255.255.255.255
object-group service www_services tcp
port-object eq www
port-object eq https
object-group service TCP_CSG tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq 1080
port-object eq citrix-ica
object-group network Trusted_Ext_Hosts_ref
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
object-group network S21_Range
network-object S21_Range 255.255.255.224
access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group
access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group
access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180
access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389
access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www
access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover polltime interface 10
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250
no monitor-interface management
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside) 20 80.169.124.32
global (dmz) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 20 192.168.0.0 255.255.0.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 20 10.10.10.0 255.255.255.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255
static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255
static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255
static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255
static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 80.169.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions none
port-forward-name value Application Access
username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 155.136.17.70
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 set nat-t-disable
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer Coutts_Gateway_VPN
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
tunnel-group 155.136.17.70 type ipsec-l2l
tunnel-group 155.136.17.70 ipsec-attributes
pre-shared-key *
tunnel-group 155.136.89.20 type ipsec-l2l
tunnel-group 155.136.89.20 ipsec-attributes
pre-shared-key *
tunnel-group 193.8.50.231 type ipsec-l2l
tunnel-group 193.8.50.231 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 193.228.143.13 source outside
Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95
: end
FW#
Cheers
09-12-2012 01:30 AM
Hi Jen,
I just added it to the filter and tested.
I'm getting encryption now but no decryption, so over to them.
Thanks for your help.
Cheers
Kev
09-12-2012 01:32 AM
Good catch!!!
09-12-2012 01:30 AM
Crypto ACL should really be without protocol and port, so yours should say:
access-list COUTTS_SWITZ_SFTP extended permit ip 192.168.100.0 255.255.255.0 host 193.8.50.180
Then clear the tunnel: "clear cry ipsec sa" and "clear cry isa sa"
And also, do you mean SSH or SFTP?
SSH default port is TCP/22, and SFTP default port is 115
Then you would need to modify your ACL "inside_access_in" accordingly. I am also assuming that your connection is initiated from this ASA whose config you posted?
Lastly, VPN filter acl 10 is not the culprit as that applies to IPSec VPN Client, not site-to-site IPSec VPN --> Ahh, forgot that your software is 7.0, as in the newer version there is a separate default policy for IPSec VPN Client and Site-to-Site IPSec VPN
Message was edited by: Jennifer Halim
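The two mismatches that ran through this thread (a crypto ACL written with a protocol and port instead of plain ip, and a vpn-filter ACL on the default group-policy that never mentions the tunnel's addresses) are easy to miss by eye in a long running-config. The script below is an added example written for this page, not code from the thread or from Cisco: it parses ASA-style access-list, crypto map ... match address and vpn-filter value lines and reports both conditions. It assumes the documented vpn-filter convention that filter ACEs are written with the remote side as source and the local side as destination and are applied to traffic in both directions; it does not resolve object-group references (an unresolved group or any is treated as matching anything, so the checker errs toward silence rather than false alarms); and the embedded sample config is a constructed excerpt modelled on the config posted above, with the same addresses.

```python
"""Audit an ASA running-config for two site-to-site VPN mismatches:
a crypto ACL that matches on a protocol other than 'ip', and a vpn-filter ACL
that never permits the tunnel's remote -> local address pair."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

Net = Optional[ipaddress.IPv4Network]  # None = 'any' or an unresolved object-group


class Ace(NamedTuple):
    acl: str
    action: str
    proto: str
    src: Net
    dst: Net
    raw: str


# Constructed excerpt modelled on the ASA 7.0 config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
 vpn-filter value 10
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")


def _take_addr(tokens: List[str], i: int):
    """Consume one ASA address spec: any | host A | NET MASK | object-group G."""
    t = tokens[i]
    if t == "any":
        return None, i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if t == "object-group":
        return None, i + 2  # not resolved here; treated as 'could be anything'
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Return ACL name -> list of ACEs; port and trailing object-group are ignored."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(name, []).append(Ace(name, action, proto, src, dst, line.strip()))
    return acls


def crypto_match_acls(config: str) -> Dict[int, str]:
    """Return crypto map sequence number -> crypto ACL name."""
    matches = (CRYPTO_RE.match(ln.strip()) for ln in config.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}


def vpn_filters(config: str) -> Dict[str, str]:
    """Return group-policy name -> vpn-filter ACL name."""
    filters: Dict[str, str] = {}
    policy = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"^\s*vpn-filter value (\S+)", line)
        if m and policy:
            filters[policy] = m.group(1)
    return filters


def _contains(field: Net, net: ipaddress.IPv4Network) -> bool:
    return field is None or net.subnet_of(field)


def filter_permits(filter_aces: List[Ace], local, remote) -> bool:
    """vpn-filter ACEs are written remote -> local (assumed convention, see lead-in)."""
    return any(a.action == "permit" and _contains(a.src, remote) and _contains(a.dst, local)
               for a in filter_aces)


def audit(config: str) -> List[str]:
    """Return one human-readable finding per mismatch found in the config."""
    findings: List[str] = []
    acls = parse_acls(config)
    filters = vpn_filters(config)
    for seq, acl in sorted(crypto_match_acls(config).items()):
        for ace in acls.get(acl, []):
            if ace.proto != "ip":
                findings.append(f"seq {seq}: crypto ACL {acl} matches '{ace.proto}' not 'ip': {ace.raw}")
            if ace.src is None or ace.dst is None:
                continue  # cannot reason about 'any' / object-group crypto ACEs here
            for policy, facl in filters.items():
                if not filter_permits(acls.get(facl, []), ace.src, ace.dst):
                    findings.append(f"seq {seq}: vpn-filter {facl} ({policy}) never permits {ace.dst} -> {ace.src}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, crypto map sequence 40 passes both checks (its ACL is plain ip, and ACL 10's any host 80.169.124.35 entry covers that tunnel's addresses), while sequence 50 produces the two findings the thread converged on: the crypto ACL is written with tcp, and ACL 10 has no entry for 193.8.50.180 -> 192.168.100.0/24. Rewriting the crypto ACE as permit ip and adding a matching permit to the filter ACL makes the audit return an empty list.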