06-06-2011 09:10 AM
Hi, I need to send sensitive data over a VPN from a firewall (ASA5510) inside our corporate network that does not have an interface on the internet (i.e. no public-facing interface) to an external customer. So I'm creating a tunnel to the customer from our Edge firewall (also an ASA5510) and another VPN between the LAN interface on the internal firewall and the LAN interface on the Edge firewall. Is this sensible, or is there another way to do this? VPN pass-through has been mentioned, but I don't know if the ASA supports it. I have attached a diagram of what I'm trying to achieve, if that helps.
Any ideas? Many thanks
06-06-2011 07:32 PM
Yes, ASA supports VPN pass through.
You would need to configure the following on the pass through ASA:
1) static NAT if the ASA that terminates the VPN has private IP.
2) enable "inspect ipsec-pass-thru" on the global policy.
3) if you have firewall rules on the pass through ASA, you would need to allow UDP/500, ESP, and possibly UDP/4500 if NAT-T is configured for the VPN.
Hope this helps.
06-22-2011 07:26 AM
Thanks for the response Jennifer. I've implemented those changes and can see the internal firewall building the VPN and it being passed through the external firewall. However, the tunnel doesn't come up.
When I look in the log, I see the NAT working on the pass-thru firewall, but it changes the port number from UDP/500 to a random number; this time it was UDP/405.
Is this the reason the tunnel doesn't establish? Because when I initiate a VPN from the external firewall (to other customers) the port number stays at UDP/500.
Log from pass-thru firewall showing the NAT working and the port changing....
6 | Jun 22 2011 | 14:50:00 | 192.168.254.53 | 500 | x.188.191.146 | 500 | Built outbound UDP connection 49550047 for External:x.188.191.146/500 (195.188.191.146/500) to inside:192.168.254.53/500 (x.130.13.228/405) |
Log from internal firewall showing the VPN being triggered and waiting to establish....
6 | Jun 22 2011 | 14:50:03 | IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete. |
6 | Jun 22 2011 | 14:50:00 | 192.168.254.53 | 500 | x.188.191.146 | 500 | Built outbound UDP connection 19003293 for Internal:x.188.191.146/500 (x.188.191.146/500) to identity:192.168.254.53/500 (192.168.254.53/500) |
5 | Jun 22 2011 | 14:50:00 | IP = x.188.191.146, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer x.188.191.146 local Proxy Address 10.16.177.5, remote Proxy Address 167.16.19.43, Crypto map (Internal_map) |
Many thanks.
06-23-2011 06:02 AM
That's OK, because it is the source port that changes; the destination port is still UDP/500.
Can you please share which stage of the VPN negotiation it is at?
Output of:
show cry isa sa
show cry ipsec sa
And also debug output from the VPN device:
debug cry isa
debug cry ipsec
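The source-port point in this reply, as an added illustration that is not part of the thread: a small Python parser for the ASA "Built outbound UDP connection" message (the sample line is a constructed copy of the one posted above) that separates the initiator's real and mapped source port from the peer's destination port, so a PAT'd source port is not mistaken for a broken tunnel. It assumes the convention the posted line follows, that for an outbound connection the "for" side is the remote peer and the "to" side is the local initiator; the function names and verdict strings are my own.

```python
import re

# Constructed sample, modelled on the 302015 line the pass-through firewall logged
# in the thread (the masked "x." addresses are kept as the thread gave them).
SAMPLE_LINE = (
    "Built outbound UDP connection 49550047 for External:x.188.191.146/500 "
    "(195.188.191.146/500) to inside:192.168.254.53/500 (x.130.13.228/405)"
)

# ASA "Built ... connection" message:
#   for <ifc>:<real>/<port> (<mapped>/<port>) to <ifc>:<real>/<port> (<mapped>/<port>)
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<a_ifc>[^:\s]+):(?P<a_real>\S+)/(?P<a_rport>\d+) \((?P<a_map>\S+)/(?P<a_mport>\d+)\) "
    r"to (?P<b_ifc>[^:\s]+):(?P<b_real>\S+)/(?P<b_rport>\d+) \((?P<b_map>\S+)/(?P<b_mport>\d+)\)"
)


def parse_conn(line):
    """Extract interfaces, real/mapped addresses and ports from one Built-connection line."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("not a Built-connection message: %r" % line)
    d = m.groupdict()
    for key in ("conn_id", "a_rport", "a_mport", "b_rport", "b_mport"):
        d[key] = int(d[key])
    return d


def isakmp_nat_verdict(conn):
    """Classify how NAT touched an outbound IKE (UDP/500 or UDP/4500) connection.

    Assumption (matches the thread's line): for an outbound connection the 'for'
    side is the remote peer and the 'to' side is the local initiator.
    """
    if conn["proto"] != "UDP" or conn["direction"] != "outbound":
        return "not-outbound-udp"
    peer_real, peer_mapped = conn["a_rport"], conn["a_mport"]
    init_real, init_mapped = conn["b_rport"], conn["b_mport"]
    if peer_real not in (500, 4500):
        return "not-isakmp"
    if peer_mapped != peer_real:
        # The peer would not see IKE arriving on 500/4500: this would break the tunnel.
        return "destination-port-rewritten"
    if init_mapped != init_real:
        # Only the initiator's source port was PAT'd; the peer still sees dst 500/4500.
        return "source-port-pat-only"
    return "ports-unchanged"


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_LINE)
    print("initiator %s/%d mapped to %s/%d, peer port %d -> %s" % (
        conn["b_real"], conn["b_rport"], conn["b_map"], conn["b_mport"],
        conn["a_mport"], isakmp_nat_verdict(conn)))
```

For the posted line the verdict is "source-port-pat-only", which is exactly the benign case described in the reply: 500 to 405 on the inside host's source port, destination port untouched.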
06-23-2011 07:58 AM
This is Phase 1 of the negotiation.
There is nothing to show in the show crypto isa sa or show crypto ipsec sa output because the tunnel doesn't establish.
The output from the debug while I'm trying to bring the tunnel up is below:
bre-fwp-fw01(config)# logging monitor debug
Jun 23 2011 15:11:07: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Jun 23 2011 15:11:07: %ASA-5-713041: IP = x.188.191.146, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer x.188.191.146 local Proxy Address 10.16.177.5, remote Proxy Address x.16.19.43 , Crypto map (Internal_map)
Jun 23 2011 15:11:07: %ASA-7-715046: IP = x.188.191.146, constructing ISAKMP SA payload
Jun 23 2011 15:11:07: %ASA-7-715046: IP = x.188.191.146, constructing Fragmentation VID + extended capabilities payload
Jun 23 2011 15:11:07: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:08: %ASA-4-106023: Deny udp src Internal:172.29.0.34/1079 dst DMZ:172.23.251.17/161 by access-group "CSM_FW_ACL_Internal" [0x0, 0x0]
Jun 23 2011 15:11:10: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:10: %ASA-7-609001: Built local-host Internal:x.16.19.43
Jun 23 2011 15:11:10: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:10: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00
Jun 23 2011 15:11:10: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Jun 23 2011 15:11:10: %ASA-6-713219: IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 23 2011 15:11:15: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:16: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:16: %ASA-7-609001: Built local-host Internal:x.16.19.43
Jun 23 2011 15:11:16: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:16: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00
Jun 23 2011 15:11:16: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Jun 23 2011 15:11:16: %ASA-6-713219: IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 23 2011 15:11:23: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:25: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:27: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:02
Jun 23 2011 15:11:31: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:35: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:35: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:36: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:36: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:37: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:37: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:39: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:39: %ASA-7-715065: IP = x.188.191.146, IKE MM Initiator FSM error history (struct &0xadcea4f0)
Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, IKE SA MM:0f836a4a terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, sending delete/delete with reason message
Jun 23 2011 15:11:41: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:02
Jun 23 2011 15:11:49: %ASA-7-609001: Built local-host DMZ:172.23.251.12
Jun 23 2011 15:11:49: %ASA-7-609001: Built local-host Internal:x.16.19.43
Jun 23 2011 15:11:49: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00
Jun 23 2011 15:11:49: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00
bre-fwp-fw01(config)#
06-24-2011 06:08 AM
OK, based on the debug output from the VPN device as well as the pass-through ASA, the VPN is initiated, and the first UDP/500 packet is being sent and passed through correctly on the pass-through firewall, as you can see the packet and the NAT translation being created for it.
The question is, does that packet reach the VPN peer? You would need to troubleshoot at both ends.
Currently this end looks OK to me.
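The diagnosis in this last reply (our side sends Phase 1 message 1, retransmits it, and never hears back), as an added example that is not part of the thread: a Python triage routine over ASA IKEv1 debug lines that counts SENDING/RESENDING against RECEIVED per peer and labels the failure. The excerpt is a constructed subset of the debug posted above (peer masked as in the thread); the verdict strings and function names are my own, and the 713236 "IKE_DECODE RECEIVED Message" text is the form the ASA uses for inbound IKE messages.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on the debug lines posted in the thread
# (peer address masked exactly as the thread masks it).
SAMPLE_DEBUG = """\
Jun 23 2011 15:11:07: %ASA-5-713041: IP = x.188.191.146, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer x.188.191.146 local Proxy Address 10.16.177.5, remote Proxy Address x.16.19.43 , Crypto map (Internal_map)
Jun 23 2011 15:11:07: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:10: %ASA-6-713219: IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 23 2011 15:11:15: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:23: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:31: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492
Jun 23 2011 15:11:39: %ASA-7-715065: IP = x.188.191.146, IKE MM Initiator FSM error history (struct &0xadcea4f0)
Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, IKE SA MM:0f836a4a terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, sending delete/delete with reason message
"""

# Only the IKE lines carry "IP = <peer>,"; connection build/teardown noise is skipped.
LINE_RE = re.compile(r"%ASA-\d-(?P<msgid>\d+): IP = (?P<peer>\S+), (?P<text>.*)$")


def _verdict(c):
    """Turn per-peer counters into a one-word triage result."""
    if c["received"] == 0 and (c["sent"] + c["resent"]) > 0 and c["terminated"]:
        # MM1 left this box and was retransmitted, nothing ever came back:
        # check the path and the far end, as the reply above says.
        return "no-reply-from-peer"
    if c["received"] > 0 and c["terminated"]:
        # The peer answered, so transport works; look at proposal/ID/PSK on this side.
        return "peer-replied-then-failed"
    if c["received"] > 0:
        return "negotiating"
    return "inconclusive"


def triage_phase1(debug_text):
    """Summarise one IKEv1 main-mode attempt per peer from ASA 713xxx/715xxx debug lines."""
    peers = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        counters = peers.setdefault(m.group("peer"), Counter())
        text = m.group("text")
        if "IKE Initiator: New Phase 1" in text:
            counters["initiated"] += 1
        elif "IKE_DECODE SENDING Message" in text:
            counters["sent"] += 1
        elif "IKE_DECODE RESENDING Message" in text:
            counters["resent"] += 1
        elif "IKE_DECODE RECEIVED Message" in text:
            counters["received"] += 1
        elif "terminating" in text:
            counters["terminated"] += 1
    return {peer: dict(c, verdict=_verdict(c)) for peer, c in peers.items()}


if __name__ == "__main__":
    for peer, summary in triage_phase1(SAMPLE_DEBUG).items():
        print(peer, summary)
```

Run against the posted debug this yields one send, three resends, zero received messages and a terminated SA for x.188.191.146, i.e. "no-reply-from-peer": consistent with the pass-through ASA having built the translation and the question now being whether the packet arrives at, and is answered by, the customer's device.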