batsona
Maryland

join:2004-04-17
Ellicott City, MD

[HELP] Will this traffic be NATted?

I'm having a heck of a time trying to get traffic to flow into my IPSEC tunnel. I've got a NAT question -- I need to understand if this traffic is being NATted or not.

With an IPSEC tunnel being terminated on the outside interface, and the following packet is sent into the tunnel, will it be NATted or no-NATted?

SRC: 192.168.27.11

DST: 192.168.4.160

(assume 192.168.4.160 routes out the Def GW, which is on Outside Interface) Also assume everything else is set up correctly -- my question is just with NAT. Unfortunately I don't have time to sanitize a config right now. I've checked this with my peers, and everything is configured properly; the only thing I can think of is that the traffic is being NATted whereas I don't want it to be.

static (EXT-FTP,outside) 123.123.123.123 192.168.27.11 netmask 255.255.255.255 (outside addr is obviously forged...)

nat (EXT-FTP) 0 access-list FTP-no-nat
nat (EXT-FTP) 1 0.0.0.0 0.0.0.0

access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160


aryoba
Premium,MVM
join:2002-08-22
kudos:4

You can issue show xlate command to check the NAT table. If it is, a simple clear xlate will reset the NAT table and then the traffic should behave as you expect.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to batsona

NAT happens before encryption (you might need translation through a tunnel.) The nat-zero rule exempts 27.11 -> 4.160 from NAT. You'd have to check the other end to make sure it isn't NAT'ing the reply.


batsona
Maryland

join:2004-04-17
Ellicott City, MD

OP here: The guy at the other end sees no packets whatsoever. If the traffic was being NATted, it wouldn't pass any of the ACLs to be permitted in the tunnel. BUT interestingly enough, when I send interesting traffic, the tunnel comes up, and Phase 2 completes just fine.

Thanks for answering the NAT question -- I've been living & breathing Juniper for so long, I forgot about the 'show xlate' command. I'll try that in the morning.

One more piece of info.. When I send the following traffic, the tunnel pops up just fine, but syslog tells me:

"Denied inbound TCP connection from 192.168.27.11 to 192.168.4.160 Flag SYN Interface EXT-FTP"

I've looked through every ACL on the machine, and it's correctly specified where needed. It's like there's an ACL somewhere in some policy that needs to be defined, to allow the traffic....


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to batsona

May help to have the whole ASA? config for review to see what's going on, batsona.

Regards


batsona
Maryland

join:2004-04-17
Ellicott City, MD

Yep... I think I've proven to myself that it's not a NAT problem, so I have to open it up to other problems. I'll post a sanitized config sometime today hopefully.. Also posting to the Cisco Forums too. The powers-that-be at work really want this tunnel working, and me & another guy are stumped....


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by batsona See Profile
I'll post a sanitized config sometime today hopefully.. Also posting to the Cisco Forums too.

I thought this was Cisco forum

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to batsona

Unless he's referring to supportforums.cisco.com

Regards


batsona
Maryland

join:2004-04-17
Ellicott City, MD

Yep, I was referring to the Cisco site itself. At any rate, here's the sanitized config...

I see now that NAT is not at fault, but my original issue at hand, was that I send interesting traffic, and the tunnel comes up just fine and phase-2 completes just fine. I send traffic with SRC: 192.168.27.11 and DST: 192.168.4.160 and port=TCP/21 and I always get the error:

Inbound connection denied from 192.168.27.11/4486 to 192.168.4.160/21 Flag SYN on Interface EXT-FTP

What am I doing wrong?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.12.13 08:52:04 =~=~=~=~=~=~=~=~=~=~=~=

DASS-VPN# show run
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Remote_FTP1
name 192.168.6.116 Remote_FTP2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.254.0
!
interface Vlan3
nameif DMZ
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
nameif LEO-GEO_LUT
security-level 80
ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
nameif EXT-FTP
security-level 70
ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 4
!

interface Ethernet0/5
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
switchport access vlan 5
speed 100
duplex full
!
interface Ethernet0/7
!
banner login This computer is for authorized users only. By accessing this system you are
banner login consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may
banner login subject you to disciplinary action and criminal prosecution.
banner motd This computer is for authorized users only. By accessing this system you are
banner motd consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may
banner motd subject you to disciplinary action and criminal prosecution.
ftp mode passive
dns server-group DefaultDNS
domain-name dass
object-group service HP-Print tcp
port-object eq 9100
object-group service KACE-AMP tcp
port-object eq 52230
object-group service RDP tcp
port-object eq 3389

access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.74 host 192.168.4.160
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP2

access-list toRemote extended permit ip host 192.168.28.74 host 192.168.4.160
access-list toRemote extended permit ip host 192.168.27.11 host 192.168.4.160
access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP1
access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP2

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo

access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp
access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 host 192.168.28.72 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 eq ftp host 192.168.28.72

access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 host 192.168.28.72 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 eq ftp host 192.168.28.72

access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp 123.123.0.0 255.255.0.0 host 123.123.188.40 eq ftp
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq https
access-list outside_access_in extended permit tcp 124.124.50.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp 124.124.49.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp 124.124.48.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.167.110 host 123.123.123.123 eq ssh
access-list outside_access_in extended permit tcp 124.124.47.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq ssh
access-list outside_access_in extended permit tcp 128.154.224.0 255.255.224.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.213.189 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.232.102 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.232.184 host 123.123.188.40 object-group RDP

access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any

access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp

access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit tcp any host 123.123.244.132 object-group KACE-AMP
access-list inside_access_in extended permit tcp host 192.168.28.100 host 192.168.27.11 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any

access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host 192.168.4.160

access-list NEO-GEO_LUT-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.244.173 eq domain
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.50.17 eq domain
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.10.134 eq domain
access-list NEO-GEO_LUT-in extended permit tcp any host 192.168.28.143 object-group HP-Print
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO_LUT-in extended permit ip any any

access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network

access-list EXT-FTP-in extended permit ip any any

access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0

access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0

access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160

access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.28.74
access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.27.11

pager lines 24
logging enable
logging timestamp
logging monitor informational
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 123.123.195.171
logging host outside 123.123.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO_LUT 1500

mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ-no-nat
nat (LEO-GEO_LUT) 0 access-list LUT-no-nat
nat (LEO-GEO_LUT) 1 0.0.0.0 0.0.0.0
nat (EXT-FTP) 0 access-list FTP-no-nat
nat (EXT-FTP) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.74 https netmask 255.255.255.255
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO_LUT-in in interface LEO-GEO_LUT
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 123.123.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toRemote
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer 10.10.10.10
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI

crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 11.11.11.11
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 500
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 1000
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 1000
telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside
ssh xxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxxxxxxx 255.255.255.255 outside

ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
vpn-filter value Remote_vpn_filter
vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
vpn-filter value tsi_policy
vpn-tunnel-protocol IPSec
username xxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 general-attributes
default-group-policy TSIPolicy

tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key *
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
default-group-policy RemotePolicy
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fef923d5e39c88463a4148373980aea0
: end

DASS-VPN#



cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9


Remove the access list. It looks like that's not doing what it says. If that fixes it, then something is screwy with the ACL.


markysharkey
Premium
join:2012-12-20
united kingd

said by cramer:

Remote

I think he means remove the access list...
--
Binary is as easy as 01 10 11

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

said by markysharkey:

said by cramer:

Remote

I think he means remove the access list...

Indeed.

batsona
Maryland

join:2004-04-17
Ellicott City, MD

Can you name which one I should remove? --There are only about 15 of them on the firewall... Plus I guess we're only doing this as a troubleshooting step to identify the culprit -- versus leaving an ACL wide-open as a fix....


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to batsona

Where is 192.168.4.x in terms of this? Are you able to draw a diagram so we can visualize how this is set up?

The only place I can find the 192.168.4.x address is on your group-policy config, which I'm guessing is
an SSL VPN config? -- sorry, never worked with it before so I'm google-fu'ing things right now.

The only two ACLs I see where 192.168.27.11 is the SRC of the traffic and 192.168.4.160 is the DST
is these two entries...

access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
access-group EXT-FTP-in in interface EXT-FTP
 

access-list toRemote extended permit ip host 192.168.27.11 host 192.168.4.160
crypto map DassVPN 500 match address toRemote
 

which you may want to double-check. Again... kinda at a loss how to figure out where your "arms" are for this setup.

Regards

batsona
Maryland

join:2004-04-17
Ellicott City, MD

I'll see if I can draw & scan a quick diagram tonite. For now, here's something interesting.. When I look up the error-number on the following error, which I'm re-quoting, it doesn't seem to be an error where traffic is being dropped via an ACL, it's an error where something's being prevented by policy... Google indicates that it may be something not working properly with the NAT or no-NAT config, surrounding my SRC and DST...

ASA-2-106001 Inbound TCP connection denied from 192.168.27.11/1178 to 192.168.4.160/21 flags SYN on interface EXT-FTP


batsona
Maryland

join:2004-04-17
Ellicott City, MD
reply to HELLFIRE

[Diagram: IPSEC tunnel]
Can someone say whether these two statements are to blame? Which one wins out?

nat (EXT-FTP) 0 access-list FTP-no-nat
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9


On a pix (6.3.5) nat0 wins (zero comes before one, after all)...

object-group network inside-all 
  network-object net-internal 255.255.255.0 
  network-object 192.168.48.0 255.255.248.0 
  network-object net-dmz 255.255.255.0 
object-group network troz 
  network-object troz-net 255.255.255.240 
access-list inside-nat0-acl permit ip object-group xactional-all object-group troz 
!
nat (inside) 0 access-list inside-nat0-acl
!
static (inside,earthlink) elink-debian1 debian1 netmask 255.255.255.255 0 0 
 

[root:pts/11{6}]debian1:~/[04:23 PM]:traceroute spork
traceroute to spork (199.72.252.8), 30 hops max, 60 byte packets
1 rtr1-vlan55.xactional.com (192.168.55.1) 0.133 ms 0.119 ms 0.111 ms
2 * * * [lots of IPSec Magic™ pix to ios tunnel]
3 spork.troz.com (199.72.252.8) 38.245 ms 44.367 ms 51.142 ms


If address translation had happened, the machines wouldn't be able to talk to each other as both endpoints are internal, NAT'd addresses. (don't let the public IP fool you, I never renumbered.)

[EDIT]
same-security-traffic permit intra-interface looks like a workaround for a bug in 8.3 that'll cause the error you're seeing. 'tho your traffic isn't "same-security".


Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to batsona

ASA-2-106001 Inbound TCP connection denied from 192.168.27.11/1178 to 192.168.4.160/21 flags SYN on interface EXT-FTP

as a quick t-shoot tip, that syslog code "2-10600" means traffic is being blocked by an ACL.


batsona
Maryland

join:2004-04-17
Ellicott City, MD

OK, now the $64K dollar question! --which ACL is blocking it, according to my posted config?? @cramer - I'll try your command & see if it works....


batsona
Maryland

join:2004-04-17
Ellicott City, MD
reply to Bigzizzzle

I just tried the following two commands, w/o beneficial impact. Still get the error.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

I bounced the IPSEC tunnel & still get the error. I'm running 8.2(1) code.


batsona
Maryland

join:2004-04-17
Ellicott City, MD
reply to cramer

Here's the packet-tracer debug. It shows an "ACL-drop" -- but how/where??

DASS-VPN# packet-tracer input EXT-FTP tcp 192.168.27.11 1024 192.168.4.160 ftp detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97893c0, priority=1, domain=permit, deny=false
hits=1748609, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group EXT-FTP-in in interface EXT-FTP
access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca374b68, priority=12, domain=permit, deny=false
hits=292, user_data=0xc78e3af0, cs_id=0x0, flags=0x0, protocol=6
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=21, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc978bbd0, priority=0, domain=permit-ip-option, deny=true
hits=61409, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca101648, priority=70, domain=inspect-ftp, deny=false
hits=623, user_data=0xca1001d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip EXT-FTP 192.168.27.0 255.255.255.0 outside host 192.168.4.160
NAT exempt
translate_hits = 589, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca355a68, priority=6, domain=nat-exempt, deny=false
hits=589, user_data=0xca3559a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.27.0, mask=255.255.255.0, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
match ip EXT-FTP host 192.168.27.11 outside any
static translation to 123.123.188.40
translate_hits = 4341, untranslate_hits = 101896
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca373470, priority=5, domain=nat, deny=false
hits=6664, user_data=0xca34e4e0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
match ip EXT-FTP host 192.168.27.11 outside any
static translation to 123.123.188.40
translate_hits = 4341, untranslate_hits = 101896
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca107068, priority=5, domain=host, deny=false
hits=63395, user_data=0xca34e4e0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca345cf0, priority=0, domain=host-limit, deny=false
hits=6824, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca2a0f88, priority=70, domain=encrypt, deny=false
hits=2, user_data=0xb27af5c, cs_id=0xc9677ef0, reverse, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0

Phase: 12
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc96b8a10, priority=69, domain=ipsec-user, deny=true
hits=2, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: EXT-FTP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


batsona
Maryland

join:2004-04-17
Ellicott City, MD

I'm starting to think I'm talking to myself here.. but I got this to work...

I removed the line indicated below, and it works now. -- I put it back in, and it breaks..... I got desperate, and put the flow into "Remote_vpn_filter" in both directions, in case I had it wrong.. and that still didn't fix it. I don't know WHY this fixed it but it did....

group-policy RemotePolicy internal
group-policy RemotePolicy attributes
vpn-filter value Remote_vpn_filter
vpn-tunnel-protocol IPSec

ACL is:
access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp (hitcnt=1) 0x5b469ada
access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp (hitcnt=5) 0xcb381146
access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp (hitcnt=0) 0xbf735660
access-list usmcc_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp (hitcnt=0) 0x14cdd13d


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

It doesn't work because your vpn filter "Remote_vpn_filter" does not allow it. "usmcc_vpn_filter" line 4 isn't in the correct acl.


batsona
Maryland

join:2004-04-17
Ellicott City, MD

My fault -- typo... line 4 quoted above as the *actual* name of the ACL versus the cleansed name. Line 4's name should also be "Remote_vpn_filter" so that it's consistent.
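Two points raised in this thread can be checked with a small model: batsona's "which one wins out?" between the nat 0 access-list and the static, and cramer's point that Remote_vpn_filter does not allow the flow. The Python below is an added example, not code from the thread or from Cisco; it copies ACL lines from the posted config, and FIXED_LINE is an assumption about the filter line the outbound FTP control connection would need (remote side as source, with the ftp port on that side, in the same shape as the config's own Remote_FTP1/Remote_FTP2 lines).

```python
"""Added model of two ASA 8.2 behaviours discussed in the thread (not the
thread's own code): (1) NAT order of operations, where a 'nat 0 access-list'
exemption is consulted before a 'static', and (2) vpn-filter matching, where
the ACL is always evaluated with the remote (tunnel) side as the source.
ACL lines are copied from the posted config; FIXED_LINE is an assumption."""
import ipaddress

PORT_NAMES = {"ftp": 21, "https": 443, "ssh": 22}


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended", line
    name, action, proto = tok[1], tok[3], tok[4]
    i, ends = 5, []
    for _ in range(2):  # endpoint is 'host A', 'any' or 'NET MASK', then optional 'eq PORT'
        if tok[i] == "host":
            net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        elif tok[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        ends.append((net, port))
    return {"acl": name, "permit": action == "permit", "proto": proto,
            "src": ends[0], "dst": ends[1]}


def end_matches(end, ip, port):
    net, want = end
    return ipaddress.ip_address(ip) in net and (want is None or want == port)


def acl_lookup(aces, proto, src, sport, dst, dport):
    """First-match ACL semantics; returns the matching ACE or None (implicit deny)."""
    for ace in aces:
        if (ace["proto"] in (proto, "ip") and end_matches(ace["src"], src, sport)
                and end_matches(ace["dst"], dst, dport)):
            return ace
    return None


def nat_decision(exempt_aces, statics, src, dst):
    """Return the source address as seen on the outside: NAT exemption wins over
    static NAT, so an exempt flow keeps its real (inside) address."""
    hit = acl_lookup(exempt_aces, "ip", src, None, dst, None)
    if hit is not None and hit["permit"]:
        return src
    for real, mapped in statics:
        if src == real:
            return mapped
    return None  # would fall through to dynamic NAT/PAT (not modelled here)


def vpn_filter_allows(filter_aces, proto, local, lport, remote, rport):
    """vpn-filter ACLs use the remote network as source and the local network as
    destination, whichever side opened the connection; ports follow that view."""
    ace = acl_lookup(filter_aces, proto, remote, rport, local, lport)
    return ace is not None and ace["permit"]


# Lines copied from the posted config.
FTP_NO_NAT = [parse_ace(l) for l in (
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0",
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0",
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160",
)]
STATICS = [("192.168.27.11", "123.123.188.40")]  # static (EXT-FTP,outside) ...
REMOTE_VPN_FILTER = [parse_ace(l) for l in (
    "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp",
    "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp",
)]
# Assumed correction (not from the thread): for a local-initiated FTP control
# connection, 'eq ftp' belongs on the remote (source) side of the filter line.
FIXED_LINE = parse_ace(
    "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 eq ftp host 192.168.27.11")


def thread_flow_nat():
    """The flow from the first post: 192.168.27.11 -> 192.168.4.160."""
    return nat_decision(FTP_NO_NAT, STATICS, "192.168.27.11", "192.168.4.160")


def thread_flow_filtered(extra_aces=()):
    """Outbound FTP control connection 27.11:1024 -> 4.160:21 through the vpn-filter."""
    return vpn_filter_allows(REMOTE_VPN_FILTER + list(extra_aces), "tcp",
                             "192.168.27.11", 1024, "192.168.4.160", 21)


if __name__ == "__main__":
    print("27.11 -> 4.160 leaves as:", thread_flow_nat())  # real address kept (nat 0 wins)
    print("vpn-filter as posted allows the flow:", thread_flow_filtered())
    print("vpn-filter with FIXED_LINE allows it:", thread_flow_filtered([FIXED_LINE]))
```

The posted filter lines only match a connection the remote host opens to port 21 locally, which is why packet-tracer's ipsec-user phase drops the locally initiated one.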