Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

Post by Guest » Sat Dec 25, 2010 4:20 am

I'm having issues with traffic between two sites connected 5505 to 5505 over a LAN-to-LAN IPsec tunnel. 99% of traffic over the tunnel seems good, with one exception. When a PC on Site A tries to access a web-based (Java embedded) management tool for an IP_PBX at Site B, some of the traffic is not making it, resulting in a strange error. The client PC can ping and hit port 80 to bring up the web GUI, gets prompted for the Java download, and loads the web-embedded Java app. The Java app itself (a CLI terminal, to replicate if you were just telnetting in) gives an error like it can't connect properly to the IP_PBX. We have other sites where the IPsec tunnel is between two 2800s and there are NO issues. The IP_PBX provider is suggesting we open up port 2000. I'm personally not familiar enough with the ASAs to understand why it would be blocking only certain ports on an IPsec tunnel. I'm especially confused since there is no NATing involved with the traffic crossing this 5505 to 5505 IPsec tunnel. Any suggestions would be greatly appreciated. I can post configs if needed, but thought someone might already be familiar with this issue. Thanks again.

bh

Guest

Re: Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

Post by Guest » Sat Dec 25, 2010 5:35 am

Hi, just want to add the following...

When you use an ASA to build an IPsec tunnel, the ASA will permit all IP traffic to flow through the tunnel (this means the ASA won't block any TCP/UDP ports). The ASA does this because of the default behavior of the command "sysopt connection permit-vpn". The above command allows all IPsec traffic to pass through without being checked against the outside ACL. If you remove the command ("no sysopt connection permit-vpn") then all traffic should be allowed by the ACL.

This being said, you can configure VPN filters to restrict some of the traffic through the tunnel. These filters are ACLs that are applied to the group-policy for the VPN traffic. In case you have VPN filters configured, I will check if one of them might be blocking port 2000; otherwise you can check if port 2000 is making it to its destination, i.e. an outbound ACL applied to the inside interface:

access-list test2000 permit tcp/udp any host x.x.x.x eq 2000
access-list test2000 permit ip any any
access-group test2000 out interface inside

The above will permit (tcp/udp) port 2000 from any source to x.x.x.x (internal IP), then will permit everything else, and it is applied outbound on the inside interface. If "sh access-list test2000" shows hitcounts when you send traffic, then we at least know that the ASA is not blocking the traffic. We can take it from here.

Federico.

Guest

Re: Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

Post by Guest » Sat Dec 25, 2010 6:08 am

Federico, our "sysopt connection permit-vpn" is in place. I don't see that we have any VPN filters in place that would block specific IPsec traffic. After your info in relation to ASAs allowing all IPsec traffic, I'm wondering what could be causing this. I have lowered the inside/outside MTUs to alleviate possible fragmentation across the IPsec tunnel (not as a result of issues, but just in case). Maybe this app doesn't like some fragmentation occurring from that lowered MTU? My original post doesn't make mention that these site-to-site ASAs are set up amongst 3 sites: A to B and A to C (as you will notice from the config below).

ASA config:

ASA Version 7.2(4)
!
hostname LBL5505
domain-name default.domain.invalid
enable password <removed>
passwd <removed>
names
name 192.168.30.0 LanBV2800
name 192.168.40.0 LanLBL
name 192.168.20.0 LanFG2800
!
interface Vlan1
 description /24 via NtgearSW
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Vlan2
 description external
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login Private Network, access allowed for authorized personnel only!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0
access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0
access-list inside_nat0_outbound extended permit ip any LanLBL 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0
access-list outside_2_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0
access-list 100 extended permit ip host 192.168.30.2 host 192.168.40.2
access-list 100 extended permit ip host 192.168.20.2 host 192.168.40.2
access-list 105 extended permit ip host 192.168.40.2 host 192.168.30.2
access-list 105 extended permit ip host 192.168.40.2 host 192.168.20.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1450
mtu outside 1450
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LanLBL 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set REMOTE_trans esp-3des esp-sha-hmac
crypto ipsec transform-set REMOTE_trans mode transport
crypto dynamic-map dyno 10 set transform-set REMOTE_trans
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap_1
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 ipsec-isakmp dynamic dyno
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
priority-queue outside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy REMOTE_policy internal
group-policy REMOTE_policy attributes
 dns-server value x.x.x.x x.x.x.x
 vpn-tunnel-protocol l2tp-ipsec
username ptci password <removed>
username root password <removed>
tunnel-group DefaultRAGroup general-attributes
 address-pool REMOTE_pool
 default-group-policy REMOTE_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map VOICE-OUT
 match access-list 105
class-map VOICE-IN
 match access-list 100
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map VOICE
 class VOICE-IN
  priority
 class VOICE-OUT
  priority
!
service-policy global_policy global
service-policy VOICE interface outside
prompt hostname context
Cryptochecksum:36e492eae537af6b97679b00256b8a75
: end

Guest

Re: Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

Post by Guest » Sat Dec 25, 2010 6:09 am

Ok. What about testing with the ACL I mentioned:

access-list test2000 permit tcp/udp any host x.x.x.x eq 2000
access-list test2000 permit ip any any
access-group test2000 out interface inside

The idea is to check if the ASA is forwarding the traffic to x.x.x.x on port 2000 outbound towards the inside network. If you see hitcounts on the first statement, the ASA is indeed forwarding the packets and the problem might be with the server itself or with the return traffic.

Federico.
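The hit-count test Federico describes in both of his replies is easier to read reliably if you snapshot "show access-list test2000" before and after generating the test traffic and look at the increase rather than the absolute counters, which accumulate from whenever the ACL was applied. The script below is an added example written for this thread, not Federico's or Cisco's code: it parses ACE lines in the format the ASA prints them, computes the per-ACE delta between two snapshots, and reports whether a permit entry for the target port gained hits. The two snapshots are constructed sample output, the PBX address 192.168.40.2 is assumed (borrowed from the posted voice ACLs, not the real IP_PBX address), and the "tcp/udp" shorthand from the reply is expanded into two ACEs, since an ASA access-list entry carries one protocol. One caveat the counters cannot show: the posted config applies "inspect skinny" in global_policy, and the default-inspection-traffic class matches SCCP on TCP port 2000, so a hit on the ACE proves the packets were forwarded but not that the inspection engine left the session alone; "show service-policy" counters are the next place to look if the ACE is hit and the app still fails.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One ACE line as the ASA prints it in "show access-list", e.g.
#   access-list test2000 line 1 extended permit tcp any host 192.168.40.2 eq 2000 (hitcnt=17) 0x1a2b3c4d
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<match>.*?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)"
)
PORT_RE = re.compile(r"\beq\s+(\S+)")


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    match: str  # source, destination and port qualifiers of the ACE
    hits: int

    def dst_port(self) -> Optional[str]:
        """The 'eq <port>' qualifier of the ACE, or None for entries without one."""
        m = PORT_RE.search(self.match)
        return m.group(1) if m else None


def parse_show_access_list(output: str) -> List[Ace]:
    """Parse ACE lines; the 'access-list NAME; N elements' summary and remarks are skipped."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                            m["match"].strip(), int(m["hits"])))
    return aces


def hit_delta(before: List[Ace], after: List[Ace]) -> Dict[Tuple[str, int], int]:
    """Increase in hit count per ACE between two snapshots, keyed by (acl, line)."""
    prev = {(a.acl, a.line): a.hits for a in before}
    return {(a.acl, a.line): a.hits - prev.get((a.acl, a.line), 0) for a in after}


def forwarded_to_port(before: List[Ace], after: List[Ace], port: str) -> bool:
    """True if a permit ACE for 'eq <port>' gained hits while the test traffic was sent."""
    deltas = hit_delta(before, after)
    return any(a.action == "permit" and a.dst_port() == port and deltas[(a.acl, a.line)] > 0
               for a in after)


# Constructed snapshots of "show access-list test2000" (not real device output),
# taken before and after the client at site A opened the PBX management tool.
# 192.168.40.2 stands in for the IP_PBX address, which the thread does not give.
BEFORE = """\
access-list test2000; 3 elements
access-list test2000 line 1 extended permit tcp any host 192.168.40.2 eq 2000 (hitcnt=17) 0x1a2b3c4d
access-list test2000 line 2 extended permit udp any host 192.168.40.2 eq 2000 (hitcnt=0) 0x5e6f7a8b
access-list test2000 line 3 extended permit ip any any (hitcnt=20394) 0x9c0d1e2f
"""
AFTER = """\
access-list test2000; 3 elements
access-list test2000 line 1 extended permit tcp any host 192.168.40.2 eq 2000 (hitcnt=29) 0x1a2b3c4d
access-list test2000 line 2 extended permit udp any host 192.168.40.2 eq 2000 (hitcnt=0) 0x5e6f7a8b
access-list test2000 line 3 extended permit ip any any (hitcnt=20400) 0x9c0d1e2f
"""

if __name__ == "__main__":
    b, a = parse_show_access_list(BEFORE), parse_show_access_list(AFTER)
    for (acl, line), d in hit_delta(b, a).items():
        print(f"{acl} line {line}: +{d} hits")
    print("TCP/2000 forwarded to inside:", forwarded_to_port(b, a, "2000"))
```

With the constructed snapshots the TCP entry gains 12 hits, the UDP entry none, so the ASA is passing the client's TCP port 2000 connection outbound on the inside interface; a zero delta on both port entries with a non-zero delta on the catch-all would point at the traffic never selecting that ACE (wrong destination, or the session dying before the ASA, for instance at the tunnel or the VPN filter stage).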

Guest

Re: Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

Post by Guest » Sat Dec 25, 2010 7:05 am

I will certainly try that ACL, probably next week. Just as an FYI, when you access the same web GUI from a PC that is in the same subnet (aka physically on the same layer 2 switch), it works just fine. For that matter, it even works fine across a 2800 to 2800 IPsec tunnel. It is only when the traffic traverses a tunnel between two 5505s. I'm also seeing that it won't work when I'm VPN'd (PC to ASA) into this ASA, despite being able to ping and load the web page of the IP_PBX.

bh
