Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
Im having issues with traffic between two sites connected 5505 to 5505 lan to lan ipsec tunnel. 99% functionality of traffic over the tunnel seems good with one exception. When a pc on Site A tries to access a web based(java embedded) mangagment tool for a IP_PBX at site B, some of the traffic is not making it resulting in a strange error. The client pc can ping and hit port 80 to prompt the web GUI, gets prompted for java download, and loads the web embedded java app. The java app itself (a CLI terminal to replicate if you were just telneting in) gives an error like it can connect properly to the IP_PBX. We have other sites where the ipsec tunnel is between two 2800s and there are NO issues. The IP_PBX provider is suggesting we open up port 2000. Im personally not familiar with the ASAs enough to uderstand why it would be blocking only certain ports on an ipsec tunnel. Im especially confused since there is no NATing involved with the traffic crossing this 5505 to 5505 ipsec tunnel. Any suggestions would be greatly appreciated,bh I can post configs if needed, but thought someone might already be familiar with this issue.thanks again.
Re:Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
Hi, Just want to add the following...When you use an ASA to build an IPsec tunnel, the ASA will permit all IP traffic to flow through the tunnel (this means the ASA won block any TCP/UDP ports).The ASA does this because of the default behavior of the command \sysopt connection permit-vpn\ The above command allows all IPsec traffic to pass through without being checked against the outside ACL.If you remove the command \no sysopt connection permit-vpn\ then all traffic should be allowed by the ACL. This being said, you can configure VPN filters to restrict some of the traffic through the tunnel.This filters are ACLs that are applied to the group-policy for the VPN traffic. In case you have VPN filters configured, I will check if one of them might be blocking port 2000, otherwise you can check if port 2000 is making it to its destination.i.eAn outbound ACL applied to the inside interface. access-list test2000 permit tcp/udp any host x.x.x.x eq 2000access-list test2000 permit ip any anyaccess-group test2000 out interface inside The above will permit (tcp/udp) port 2000 from any source to the x.x.x.x (internal IP), then will permit everything else and its applied outbound on the inside interface.If \sh access-list test2000\ show hitcounts when you send traffic, then we at least know that the ASA is not blocking the traffic. We can take it from here. Federico.
Re:Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
Federico, Our "sysopt connection permit-vpn" is in place. I don see that we have any vpn filters in place that would block specific ipsec traffic. After you info in relation to ASAs allowing all ipsec traffic, Im wondering what could be causing this. I have lowered the inside/outside mtus to alleviate possible fragmentation across the ipsec tunnel(not as a result of issues, but just in case). Maybe this app doesn like some fragmentation occuring from that lowered mtu? My original post doesn make mention that these site to site ASAs are set up amongst 3 sites. A to B and A to C (as you will notice from config below). As config: ASA Version 7.2(4) ! hostname LBL5505 domain-name default.domain.invalid enable password <removed> passwd <removed> names name 192.168.30.0 LanBV2800 name 192.168.40.0 LanLBL name 192.168.20.0 LanFG2800 ! interface Vlan1 description /24 via NtgearSW nameif inside security-level 100 ip address 192.168.40.1 255.255.255.0 ! interface Vlan2 description external nameif outside security-level 0 ip address x.x.x.x 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! banner login Private Network, access allowed for authorized personnel only! ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0 access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0 access-list inside_nat0_outbound extended permit ip any LanLBL 255.255.255.0 access-list outside_1_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0 access-list outside_2_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0 access-list 100 extended permit ip host 192.168.30.2 host 192.168.40.2 access-list 100 extended permit ip host 192.168.20.2 host 192.168.40.2 access-list 105 extended permit ip host 192.168.40.2 host 192.168.30.2 access-list 105 extended permit ip host 192.168.40.2 host 192.168.20.2 pager lines 24 logging enable logging asdm informational mtu inside 1450 mtu outside 1450 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 LanLBL 255.255.255.0 nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 x.x.x.x timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa authentication telnet console LOCAL aaa authentication ssh console LOCAL http server enable no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set REMOTE_trans esp-3des esp-sha-hmac crypto ipsec transform-set REMOTE_trans mode transport crypto dynamic-map dyno 10 set transform-set REMOTE_trans crypto map outside_map 1 match address outside_1_cryptomap_1 crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer x.x.x.x crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 2 match address outside_2_cryptomap_1 crypto map outside_map 2 set pfs group1 crypto map outside_map 2 set peer x.x.x.x crypto map outside_map 2 set transform-set ESP-3DES-SHA crypto map outside_map 3 ipsec-isakmp dynamic dyno crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal 30 telnet timeout 5 ssh timeout 5 ssh version 2 console timeout 0 dhcpd auto_config outside ! priority-queue outside group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate group-policy REMOTE_policy internal group-policy REMOTE_policy attributes dns-server value x.x.x.x x.x.x.x vpn-tunnel-protocol l2tp-ipsec username ptci password <removed> username root password <removed> tunnel-group DefaultRAGroup general-attributes address-pool REMOTE_pool default-group-policy REMOTE_policy tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultRAGroup ppp-attributes authentication ms-chap-v2 tunnel-group x.x.x.x type ipsec-l2l tunnel-group x.x.x.x ipsec-attributes pre-shared-key * tunnel-group x.x.x.x type ipsec-l2l tunnel-group x.x.x.x ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic class-map VOICE-OUT match access-list 105 class-map VOICE-IN match access-list 100 ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp policy-map VOICE class VOICE-IN priority class VOICE-OUT priority ! service-policy global_policy global service-policy VOICE interface outside prompt hostname context Cryptochecksum:36e492eae537af6b97679b00256b8a75 : end
Re:Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
Ok.What about testing with the ACL I mentioned: access-list test2000 permit tcp/udp any host x.x.x.x eq 2000access-list test2000 permit ip any anyaccess-group test2000 out interface inside The idea is to check if the ASA is forwarding the traffic to x.x.x.x on port 2000 outbound towards the inside network.If you see hitcounts on the first statement, the ASA is indeed forwarding the packets and the problem might be with the server itelf or with the return traffic. Federico.
Re:Site to Site (5505 to 5505)IPSEC tunnel blocking certain ports?
I will certainly try that acl, probably next week. Just as an fyi, when you access the same webgui from a pc that is in the same subnet(aka physically on the same layer 2 switch), it works just fine. For that matter, it even works fine across a 2800 to 2800 ipsec tunnel. It is only when the traffic traverses a tunnel between two 5505s. Im also seeing that it won work when Im vpnd(pc to asa) into this ASA, despite being able to ping and load the webpage of the ip_pbx. bh