VPN between PIX and ASA

mickyq (Level 1)

I have a VPN between two sites which is working fine. Traffic is initiated from site A and can successfully connect to site B.

I have just tried to configure traffic from site B to site A, but it's failing at the VPN encrypt point. I have checked the ACLs and they match:

site A (PIX)

crypto acl

access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389

no nat

access-list no_nat permit ip host 10.51.3.32 10.0.0.0 255.0.0.0

 

site B (ASA)

crypto acl

access-list site_b extended permit tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389

no nat

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32

 

The only difference I can see is the extended ACL, but it works OK in one direction?

 

thanks

Accepted Solution

Abaji Rawool (Level 3)

Hi,

Using port based ACLs for crypto map is not recommended, use IP access-lists and configure VPN filters to implement port restrictions.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116639-technote-asa-00.html

Regards,

Abaji

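What the accepted answer describes, written out as an ASA configuration fragment. This is an added example, not configuration from the thread: the crypto ACL and nonat ACL are the IP-only lines the poster ends up with, while the ACL name vpnfilt_site_a, the group-policy name gp_site_a and the peer address 203.0.113.1 are assumptions. vpn-filter ACEs are written with the remote network as source and the local network as destination; the ASA applies the reverse check itself, so a session that site B initiates needs the port on the remote (source) side of the ACE, and a session that site A initiates keeps it on the destination side.

```text
! Site B (ASA). Crypto ACL carries only the IP-level proxy identity, so it is
! an exact mirror of the PIX side whichever end starts the session.
access-list site_b extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
!
! Port restriction lives in the vpn-filter instead (names are assumed).
! RDP started from 10.0.0.0/8 towards 10.51.3.32:3389 (remote port = source):
access-list vpnfilt_site_a extended permit tcp host 10.51.3.32 eq 3389 10.0.0.0 255.0.0.0
! RDP started from 10.51.3.32 towards hosts in 10.0.0.0/8 (local port = destination):
access-list vpnfilt_site_a extended permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389
!
group-policy gp_site_a internal
group-policy gp_site_a attributes
 vpn-filter value vpnfilt_site_a
!
! 203.0.113.1 stands in for the PIX peer address used in the thread.
tunnel-group 203.0.113.1 general-attributes
 default-group-policy gp_site_a
```

The PIX at site A keeps the matching IP-only crypto ACL (`permit ip host 10.51.3.32 10.0.0.0 255.0.0.0`); once both crypto ACLs are plain mirrors, only the vpn-filter decides which ports cross the tunnel, and a filter that lacks the reverse-direction ACE shows up as a drop on the inbound or outbound leg rather than at the encrypt phase.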
6 Replies

Hi Abaji

Thanks for your response.

I've changed the ACL, but it is still failing at the same point. Config and capture below:

site A

access-list site_a permit ip host 10.51.3.32 10.0.0.0 255.0.0.0
access-list no_nat permit ip host 10.51.3.32 10.0.0.0 255.0.0.0


site B

access-list site_b extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32

SITEB/pri/act# packet-tracer input inside tcp 10.0.0.0 555 10.51.3.32 3389

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.0.0.0 255.255.0.0 outside 10.51.0.0 255.255.0.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
  match ip inside 10.0.0.0 255.0.0.0 dmz1 any
    static translation to 10.0.0.0
    translate_hits = 163183, untranslate_hits = 3799793
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.0.0.0 255.0.0.0
  match ip inside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 1 (193.x.x.x)
    translate_hits = 80872410, untranslate_hits = 9060235
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
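Two checks worth scripting when a site-to-site tunnel only works in one direction, as an added example that is not part of the thread. The first parses the crypto ACEs posted above and tests whether the two sides are exact mirrors, counting the `eq` port qualifier as part of the mirror: the original port-based pair fails (both sides put 3389 on the destination), the IP-only pair passes. The second pulls the first `Result: DROP` phase and the Drop-reason out of packet-tracer output, so the encrypt-phase drop and the NAT-EXEMPT line that actually matched (a /16 entry, not the nonat ACE posted) are visible without reading the whole trace. Sample inputs are constructed from the ACL lines and an abridged copy of the packet-tracer output in this thread; the function names are mine.

```python
import re
from ipaddress import ip_network

# Constructed from the ACL lines posted in this thread: the original
# port-based pair, then the IP-only pair the poster switched to.
PORT_BASED = (
    "access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389",
    "access-list site_b extended permit tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389",
)
IP_ONLY = (
    "access-list site_a permit ip host 10.51.3.32 10.0.0.0 255.0.0.0",
    "access-list site_b extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32",
)

# Abridged copy of the packet-tracer output posted above (phases 7 and 10
# plus the summary), embedded here as constructed sample input.
TRACE = """\
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.0.0.0 255.255.0.0 outside 10.51.0.0 255.255.0.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq N' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one permit ACE into (proto, src, sport, dst, dport)."""
    tokens = line.split()
    tokens = tokens[tokens.index("permit") + 1:]
    proto, tokens = tokens[0], tokens[1:]
    src, tokens = _take_addr(tokens)
    sport, tokens = _take_port(tokens)
    dst, tokens = _take_addr(tokens)
    dport, _ = _take_port(tokens)
    return proto, src, sport, dst, dport


def is_mirror(ace_a, ace_b):
    """True when ace_b mirrors ace_a exactly: addresses and port qualifiers
    are both swapped between source and destination."""
    pa, sa, spa, da, dpa = parse_ace(ace_a)
    pb, sb, spb, db, dpb = parse_ace(ace_b)
    return pa == pb and sa == db and da == sb and spa == dpb and dpa == spb


def _fields(block):
    """Map 'Key: value' lines of one phase; the first occurrence wins, so the
    trailing 'Result:' summary does not overwrite the phase result."""
    out = {}
    for key, val in re.findall(r"(?m)^([\w-]+):[ \t]*(.*)$", block):
        out.setdefault(key, val.strip())
    return out


def drop_phase(trace):
    """Return (Type, Subtype, Drop-reason) of the first phase reporting
    Result: DROP, or None when the packet would have been forwarded."""
    for block in re.split(r"(?m)^Phase: \d+[ \t]*$", trace)[1:]:
        fields = _fields(block)
        if fields.get("Result") == "DROP":
            reason = re.search(r"Drop-reason: (.*)", trace)
            return (fields.get("Type", ""), fields.get("Subtype", ""),
                    reason.group(1).strip() if reason else "")
    return None


if __name__ == "__main__":
    print("port-based pair mirrored:", is_mirror(*PORT_BASED))  # False
    print("ip-only pair mirrored:", is_mirror(*IP_ONLY))        # True
    print("dropped at:", drop_phase(TRACE))
```

A port-based pair can only be a true mirror if one side carries the port on the source: the mirror of `permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389` is `permit tcp 10.0.0.0 255.0.0.0 eq 3389 host 10.51.3.32`, which then describes only return traffic for sessions site A starts. That is the practical reason the accepted answer moves ports out of the crypto ACL.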

Could you check if the tunnel is up?

show cry isa sa

show cry ips sa peer <peer ip>

if the tunnel is not up use following debugs

debug cry cond peer <peer ip>

debug cry isa 127

debug cry ips 127

after debugs are collected type "undebug all"

Hi Abaji

Changing the ACL to full IP did work. I left it, and it was working when I went to look at it again.

thanks

Packet tracer will keep showing a drop until the tunnel comes up. If the tunnel does not come up, check vpn related logs and debugs. 

Spooster IT Services Team

Hi there,

- - - - - - - - - - - - - - - - - -

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.0.0.0 255.255.0.0 outside 10.51.0.0 255.255.0.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

- - - - - - - - - - - - - - - - - -

I suspect that you might have another tunnel whose routes overlap with Site A.

thanks
