I have a 5510 with an outside, DMZ, and inside network. a VPN is set up between the DMZ and a remote network. If i ping from a device on the remote network, i see it hit both firewalls and TCP dump shows it hit the server( in the DMZ ) and it leave the server. Then the ASA displays this in the log:
6 Sep 10 2009 04:17:51 106015 172.32.1.4 8443 192.168.25.24 48079 Deny TCP (no connection) from 172.32.1.4/8443 to 192.168.25.24/48079 flags SYN ACK on interface DMZ
TCP dump here:
21:25:53.739363 IP 192.168.25.24.48080 > 172.32.1.4.8443: S 3888731917:38887319 17(0) win 5840 <mss 1380,sackOK,timestamp 1120536 0,nop,wscale 5>
21:25:53.739381 IP 172.32.1.4.8443 > 192.168.25.24.48080: S 497603275:497603275 (0) ack 3888731918 win 5792 <mss 1460,sackOK,timestamp 404672461 1120536,nop,ws cale 2>
any help or idea what is happening is appreciated...
here is the config:
ASA Version 8.2(1)
!
hostname DTS-ASA
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ***.***.***.228 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.129.2.131 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.32.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name *****
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq 8443
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 8443
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp
object-group network Internal-Networks
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.5.0.0 255.255.0.0
network-object 10.127.0.0 255.255.0.0
network-object 10.129.0.0 255.255.0.0
access-list inside_access_in remark Any host on 10.129.0/24 can access these protocols on the DMZ interface
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 172.32.1.0 255.255.255.0
access-list inside_access_in remark Need to lock this down, all ip protocols being passed
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in remark Any host on DMZ can access any protocol on any Network
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in remark permit ICMP from Uplogix Control Center to anywhere
access-list DMZ_access_in extended permit icmp host 172.32.1.4 any
access-list DMZ_access_in remark permit access from Uplogix Control Center to RUDICS VPN
access-list DMZ_access_in extended permit ip host 172.32.1.4 192.168.25.0 255.255.255.0
access-list DMZ_access_in remark deny access to the rest of your Internal Network from the DMZ
access-list DMZ_access_in extended deny ip 172.32.1.0 255.255.255.0 object-group Internal-Networks log notifications
access-list DMZ_access_in remark permit access to the rest of the Internet from the DMZ
access-list DMZ_access_in extended permit ip 172.32.1.0 255.255.255.0 any
access-list outside_access_in remark Internet to Uplogix Control Center
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host ***.***.***.248
access-list outside_access_out extended permit tcp 10.129.2.0 255.255.255.0 gt 1024 any eq access-list inside_access_out extended permit ip 10.129.2.0 255.255.255.0 ***.***.***.224 255.255.255.224
access-list nat0_inside_to_dmz extended permit ip 10.0.0.0 255.0.0.0 172.32.1.0 255.255.255.0
access-list nat0_inside_to_dmz remark Admin VPN addresses
access-list nat0_inside_to_dmz extended permit ip any 10.129.2.12 255.255.255.252
access-list nat0_DMZ_to_inside extended permit ip 172.32.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nat0_DMZ_to_inside extended permit ip 172.32.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip 172.32.1.0 255.255.255.0 192.168.25.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_admin_pool 10.129.2.12-10.129.2.15 mask 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside_to_dmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nat0_DMZ_to_inside
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) ***.***.***.248 172.32.1.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 ***.***.***.228 1
route inside 172.32.1.0 255.255.255.0 172.32.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.129.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RUDICS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set connection-type originate-only
crypto map outside_map0 1 set peer 12.47.179.126
crypto map outside_map0 1 set transform-set RUDICS
crypto map outside_map0 1 set security-association lifetime seconds 3600
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh 10.129.2.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 10.129.2.130
dhcpd domain dtscom.local
dhcpd update dns
!
dhcpd dns 10.129.2.130 interface DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DTS_admin_tunnel internal
group-policy DTS_admin_tunnel attributes
dns-server value 10.129.2.130
vpn-tunnel-protocol IPSec
group-policy RUDICS-GPOL internal
group-policy RUDICS-GPOL attributes
vpn-filter none
vpn-tunnel-protocol IPSec
username admin password XjpY/G.XCND3JTS9 encrypted
tunnel-group DTS_admin_tunnel type remote-access
tunnel-group DTS_admin_tunnel general-attributes
address-pool VPN_admin_pool
default-group-policy DTS_admin_tunnel
tunnel-group DTS_admin_tunnel ipsec-attributes
pre-shared-key *
tunnel-group 12.47.179.126 type ipsec-l2l
tunnel-group 12.47.179.126 general-attributes
default-group-policy RUDICS-GPOL
tunnel-group 12.47.179.126 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*****
: end
6 Sep 10 2009 04:17:51 106015 172.32.1.4 8443 192.168.25.24 48079 Deny TCP (no connection) from 172.32.1.4/8443 to 192.168.25.24/48079 flags SYN ACK on interface DMZ
TCP dump here:
21:25:53.739363 IP 192.168.25.24.48080 > 172.32.1.4.8443: S 3888731917:38887319 17(0) win 5840 <mss 1380,sackOK,timestamp 1120536 0,nop,wscale 5>
21:25:53.739381 IP 172.32.1.4.8443 > 192.168.25.24.48080: S 497603275:497603275 (0) ack 3888731918 win 5792 <mss 1460,sackOK,timestamp 404672461 1120536,nop,ws cale 2>
any help or idea what is happening is appreciated...
here is the config:
ASA Version 8.2(1)
!
hostname DTS-ASA
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ***.***.***.228 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.129.2.131 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.32.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name *****
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq 8443
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 8443
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp
object-group network Internal-Networks
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.5.0.0 255.255.0.0
network-object 10.127.0.0 255.255.0.0
network-object 10.129.0.0 255.255.0.0
access-list inside_access_in remark Any host on 10.129.0/24 can access these protocols on the DMZ interface
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 172.32.1.0 255.255.255.0
access-list inside_access_in remark Need to lock this down, all ip protocols being passed
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in remark Any host on DMZ can access any protocol on any Network
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in remark permit ICMP from Uplogix Control Center to anywhere
access-list DMZ_access_in extended permit icmp host 172.32.1.4 any
access-list DMZ_access_in remark permit access from Uplogix Control Center to RUDICS VPN
access-list DMZ_access_in extended permit ip host 172.32.1.4 192.168.25.0 255.255.255.0
access-list DMZ_access_in remark deny access to the rest of your Internal Network from the DMZ
access-list DMZ_access_in extended deny ip 172.32.1.0 255.255.255.0 object-group Internal-Networks log notifications
access-list DMZ_access_in remark permit access to the rest of the Internet from the DMZ
access-list DMZ_access_in extended permit ip 172.32.1.0 255.255.255.0 any
access-list outside_access_in remark Internet to Uplogix Control Center
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host ***.***.***.248
access-list outside_access_out extended permit tcp 10.129.2.0 255.255.255.0 gt 1024 any eq access-list inside_access_out extended permit ip 10.129.2.0 255.255.255.0 ***.***.***.224 255.255.255.224
access-list nat0_inside_to_dmz extended permit ip 10.0.0.0 255.0.0.0 172.32.1.0 255.255.255.0
access-list nat0_inside_to_dmz remark Admin VPN addresses
access-list nat0_inside_to_dmz extended permit ip any 10.129.2.12 255.255.255.252
access-list nat0_DMZ_to_inside extended permit ip 172.32.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nat0_DMZ_to_inside extended permit ip 172.32.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip 172.32.1.0 255.255.255.0 192.168.25.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_admin_pool 10.129.2.12-10.129.2.15 mask 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside_to_dmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nat0_DMZ_to_inside
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) ***.***.***.248 172.32.1.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 ***.***.***.228 1
route inside 172.32.1.0 255.255.255.0 172.32.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.129.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RUDICS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set connection-type originate-only
crypto map outside_map0 1 set peer 12.47.179.126
crypto map outside_map0 1 set transform-set RUDICS
crypto map outside_map0 1 set security-association lifetime seconds 3600
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh 10.129.2.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 10.129.2.130
dhcpd domain dtscom.local
dhcpd update dns
!
dhcpd dns 10.129.2.130 interface DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DTS_admin_tunnel internal
group-policy DTS_admin_tunnel attributes
dns-server value 10.129.2.130
vpn-tunnel-protocol IPSec
group-policy RUDICS-GPOL internal
group-policy RUDICS-GPOL attributes
vpn-filter none
vpn-tunnel-protocol IPSec
username admin password XjpY/G.XCND3JTS9 encrypted
tunnel-group DTS_admin_tunnel type remote-access
tunnel-group DTS_admin_tunnel general-attributes
address-pool VPN_admin_pool
default-group-policy DTS_admin_tunnel
tunnel-group DTS_admin_tunnel ipsec-attributes
pre-shared-key *
tunnel-group 12.47.179.126 type ipsec-l2l
tunnel-group 12.47.179.126 general-attributes
default-group-policy RUDICS-GPOL
tunnel-group 12.47.179.126 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*****
: end