VPN pass through query

bgl-group
Level 1

Hi, I need to send sensitive data over a VPN from a firewall (ASA5510) inside our corporate network that does not have an interface on the internet (i.e. no public-facing interface) to an external customer. So I'm creating a tunnel to the customer from our Edge firewall (also an ASA5510) and another VPN between the LAN interface on the internal firewall and the LAN interface on the Edge firewall. Is this sensible, or is there another way to do this? VPN pass through has been mentioned, but I don't know if the ASA supports it. I have attached a diagram of what I'm trying to achieve if that helps.

Any ideas? Many thanks 

5 Replies

Jennifer Halim
Cisco Employee

Yes, ASA supports VPN pass through.

You would need to configure the following on the pass through ASA:

1) static NAT if the ASA that terminates the VPN has private IP.

2) enable "inspect ipsec-pass-thru" on the global policy.

3) if you have firewall rules on the pass through ASA, you would need to allow UDP/500, ESP, and possibly UDP/4500 if NAT-T is configured for the VPN.

Hope this helps.

Thanks for the response Jennifer. I've implemented those changes and can see the internal firewall building the VPN and it being passed through the external firewall. However, the tunnel doesn't come up.

When I look in the log, I see the NAT working on the pass-thru firewall, but it changes the port number from UDP/500 to a random number - this time it was UDP/405.

Is this the reason the tunnel doesn't establish? Because when I initiate a VPN from the external firewall (to other customers) the port number stays at UDP/500.

Log from pass-thru firewall showing the NAT working and the port changing....

6  Jun 22 2011 14:50:00  192.168.254.53/500 -> x.188.191.146/500  Built outbound UDP connection 49550047 for External:x.188.191.146/500 (195.188.191.146/500) to inside:192.168.254.53/500 (x.130.13.228/405)

Log from internal firewall showing the VPN being triggered and waiting to establish....

6  Jun 22 2011 14:50:03  IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6  Jun 22 2011 14:50:00  192.168.254.53/500 -> x.188.191.146/500  Built outbound UDP connection 19003293 for Internal:x.188.191.146/500 (x.188.191.146/500) to identity:192.168.254.53/500 (192.168.254.53/500)
5  Jun 22 2011 14:50:00  IP = x.188.191.146, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer x.188.191.146 local Proxy Address 10.16.177.5, remote Proxy Address 167.16.19.43, Crypto map (Internal_map)


Many thanks.

That's OK because it is the source port that changes; the destination port is still UDP/500.

Can you please share which stage of the VPN negotiation it is at?

Output of:

show cry isa sa

show cry ipsec sa

And also debug output from the VPN device:

debug cry isa

debug cry ipsec

This is Phase 1 of the negotiation.

There is nothing to show in the show crypto isa sa or show crypto ipsec sa output because the tunnel doesn't establish.

The output from the debug while I'm trying to bring the tunnel up is below:

bre-fwp-fw01(config)# logging monitor debug

Jun 23 2011 15:11:07: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

Jun 23 2011 15:11:07: %ASA-5-713041: IP = x.188.191.146, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer x.188.191.146  local Proxy Address 10.16.177.5, remote Proxy Address x.16.19.43 ,  Crypto map (Internal_map)

Jun 23 2011 15:11:07: %ASA-7-715046: IP = x.188.191.146, constructing ISAKMP SA payload

Jun 23 2011 15:11:07: %ASA-7-715046: IP = x.188.191.146, constructing Fragmentation VID + extended capabilities payload

Jun 23 2011 15:11:07: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492

Jun 23 2011 15:11:08: %ASA-4-106023: Deny udp src Internal:172.29.0.34/1079 dst DMZ:172.23.251.17/161 by access-group "CSM_FW_ACL_Internal" [0x0, 0x0]

Jun 23 2011 15:11:10: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:10: %ASA-7-609001: Built local-host Internal:x.16.19.43

Jun 23 2011 15:11:10: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:10: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00

Jun 23 2011 15:11:10: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

Jun 23 2011 15:11:10: %ASA-6-713219: IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Jun 23 2011 15:11:15: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492

Jun 23 2011 15:11:16: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:16: %ASA-7-609001: Built local-host Internal:x.16.19.43

Jun 23 2011 15:11:16: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:16: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00

Jun 23 2011 15:11:16: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

Jun 23 2011 15:11:16: %ASA-6-713219: IP = x.188.191.146, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Jun 23 2011 15:11:23: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492

Jun 23 2011 15:11:25: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:27: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:02

Jun 23 2011 15:11:31: %ASA-7-713236: IP = x.188.191.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492

Jun 23 2011 15:11:35: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:35: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:36: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:36: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:37: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:37: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:39: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:39: %ASA-7-715065: IP = x.188.191.146, IKE MM Initiator FSM error history (struct &0xadcea4f0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, IKE SA MM:0f836a4a terminating:  flags 0x01000022, refcnt 0, tuncnt 0

Jun 23 2011 15:11:39: %ASA-7-713906: IP = x.188.191.146, sending delete/delete with reason message

Jun 23 2011 15:11:41: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:02

Jun 23 2011 15:11:49: %ASA-7-609001: Built local-host DMZ:172.23.251.12

Jun 23 2011 15:11:49: %ASA-7-609001: Built local-host Internal:x.16.19.43

Jun 23 2011 15:11:49: %ASA-7-609002: Teardown local-host DMZ:172.23.251.12 duration 0:00:00

Jun 23 2011 15:11:49: %ASA-7-609002: Teardown local-host Internal:x.16.19.43 duration 0:00:00

bre-fwp-fw01(config)#

OK, based on the debug output from the VPN as well as the pass through VPN, the VPN is initiated, and the first UDP/500 packet is being sent and passed through correctly on the pass through firewall, as you can see the packet and NAT translation being created for that packet.

The question is, does that packet reach the VPN peer? You would need to troubleshoot at both ends.

Currently this end looks OK to me.
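As an added example (not from the thread or from Cisco), a small Python checker for the two things the replies ask the reader to verify: that the pass-through ASA's NAT rewrote only the source port of the IKE flow (the "Built outbound UDP connection" line), and where the initiator's main-mode FSM stalled in the 715065 error history. The sample lines are constructed after the ones above with RFC 5737 addresses; main-mode state names beyond the two that appear in the thread are assumed.

```python
import re

# Constructed sample lines, modelled on the thread's output (RFC 5737 addresses).
PASSTHRU_LINE = (
    "Built outbound UDP connection 49550047 for External:203.0.113.146/500 "
    "(203.0.113.146/500) to inside:192.168.254.53/500 (198.51.100.228/405)"
)
IKE_DEBUG = [
    "%ASA-7-713236: IP = 203.0.113.146, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492",
    "%ASA-7-713236: IP = 203.0.113.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492",
    "%ASA-7-713236: IP = 203.0.113.146, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 492",
    "%ASA-7-715065: IP = 203.0.113.146, IKE MM Initiator FSM error history (struct &0xadcea4f0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY",
]

# ASA "Built outbound UDP connection": the "for" half is the lower-security (peer)
# side, the "to" half the inside initiator; the bracketed pair is address/port after NAT.
CONN_RE = re.compile(
    r"Built outbound UDP connection \d+ for \w+:(?P<peer>[\d.]+)/(?P<peer_port>\d+) "
    r"\([\d.]+/(?P<peer_mapped_port>\d+)\) to \w+:(?P<src>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped>[\d.]+)/(?P<src_mapped_port>\d+)\)"
)
IKE_PORTS = {500, 4500}

def check_ike_nat(line):
    """Classify an IKE flow crossing the pass-through ASA. A rewritten source port is
    harmless (the responder replies to the port it saw); a rewritten destination port
    means the peer's IKE daemon never receives the packet."""
    m = CONN_RE.search(line)
    if not m:
        return None
    peer_port, peer_mapped = int(m["peer_port"]), int(m["peer_mapped_port"])
    return {
        "initiator_mapped": f"{m['src_mapped']}/{m['src_mapped_port']}",
        "src_port_rewritten": m["src_port"] != m["src_mapped_port"],
        "dst_port_ok": peer_port == peer_mapped and peer_mapped in IKE_PORTS,
    }

# Main-mode initiator states in negotiation order. Only the first two occur in the
# thread; the later names are assumed from the same naming scheme.
MM_ORDER = ["MM_SND_MSG1", "MM_WAIT_MSG2", "MM_SND_MSG3",
            "MM_WAIT_MSG4", "MM_SND_MSG5", "MM_WAIT_MSG6"]

def ike_phase1_state(lines):
    """Return (furthest main-mode state reached, number of MSG1 retransmits).
    Stuck in MM_WAIT_MSG2 with retransmits = MSG1 sent, nothing ever came back."""
    resends = sum("IKE_DECODE RESENDING Message (msgid=0)" in ln for ln in lines)
    hist = " ".join(ln for ln in lines if "FSM error history" in ln)
    seen = {s for s in re.findall(r"MM_[A-Z0-9_]+", hist) if s in MM_ORDER}
    furthest = max(seen, key=MM_ORDER.index) if seen else None
    return furthest, resends
```

For the thread's case the checker reports a source-port-only rewrite on the pass-through box and a stall in MM_WAIT_MSG2, which is exactly the "did MSG1 reach the peer, and did its reply come back" question raised above.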
