ASA 5505 ftp establishes one direction but not other 1

[chunalt787]

So we had a consultant come in and set up two ASA 5505's with a site to site vpn configuration. When we left last night we could establish an ftp connection from home to site1 and the other way around. Now this morning I am able to ftp from home to site1 however not from site1 to home. All I had done was to change the password on site1. I can ping all over the place so connectivity is definately there. The configs are posted below with their respective 'show crypto isakmp sa' outputs. I am 100% that the ip addresses are correct.

The only difference between the configs, aside from the ip addresses, is the access-group lines located about 1/4 down the config. I have also noticed that when I show the crypto iskamp sa the home site is always the initiator and site1 is always the responder. It never changes. Idk if this is normal though.

I'm somewhere between a novice and a noob at this so any help is much appreciated.

SITE 1 CONFIG:

ASA Version 8.0(4) 
!
hostname AsaSite1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.50.6 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 10 extended permit ip any any 
access-list 10 extended permit icmp any any 
access-list inside_outbound extended permit ip any any 
access-list 20 extended permit ip any any 
access-list 20 extended permit icmp any any 
access-list 30 extended permit ip any any 
access-list 30 extended permit icmp any any 
access-list 134 extended permit ip any any 
access-list 40 extended permit ip any any 
access-list 40 extended permit icmp any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group 10 in interface inside
access-group 20 out interface inside
access-group 20 in interface outside
access-group 30 out interface outside
!
router eigrp 100
 network 134.133.56.0 255.255.255.0
 network 192.168.50.4 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 192.168.50.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 134.133.56.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANSFORM1 esp-aes-256 esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN1 20 set pfs 
crypto dynamic-map VPN1 20 set transform-set TRANSFORM1
crypto dynamic-map VPN1 20 set security-association lifetime seconds 28800
crypto dynamic-map VPN1 20 set security-association lifetime kilobytes 4608000
crypto map TO_HOME 56 match address 134
crypto map TO_HOME 56 set pfs 
crypto map TO_HOME 56 set peer 192.168.50.5 
crypto map TO_HOME 56 set transform-set TRANSFORM1
crypto map TO_HOME 56 set security-association lifetime seconds 28800
crypto map TO_HOME 56 set security-association lifetime kilobytes 4608000
crypto map TO_HOME 65535 ipsec-isakmp dynamic VPN1
crypto map TO_HOME interface outside
crypto map TO_HOME1 56 set security-association lifetime seconds 28800
crypto map TO_HOME1 56 set security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.50.5 type ipsec-l2l
tunnel-group 192.168.50.5 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6f919e5d002b005a680f62c45965a9bc
: end



AsaSite1# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.50.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

HOME SITE CONFIG:

ASA Version 8.0(4) 
!
hostname AsaHome
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.30.1.5 255.255.255.252 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.50.5 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 10 extended permit ip any any 
access-list 10 extended permit icmp any any 
access-list inside_outbound extended permit ip any any 
access-list 20 extended permit ip any any 
access-list 20 extended permit icmp any any 
access-list 30 extended permit ip any any 
access-list 30 extended permit icmp any any 
access-list 40 extended permit ip any any 
access-list 40 extended permit icmp any any 
access-list 134 extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group 10 in interface inside
access-group 40 out interface inside
access-group 20 in interface outside
access-group 30 out interface outside
!
router eigrp 100
 network 172.30.1.4 255.255.255.252
 network 192.168.50.4 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 192.168.50.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.30.1.4 255.255.255.252 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANSFORM1 esp-aes-256 esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN1 20 set pfs 
crypto dynamic-map VPN1 20 set transform-set TRANSFORM1
crypto dynamic-map VPN1 20 set security-association lifetime seconds 28800
crypto dynamic-map VPN1 20 set security-association lifetime kilobytes 4608000
crypto map TO_SITE1 56 match address 134
crypto map TO_SITE1 56 set pfs 
crypto map TO_SITE1 56 set peer 192.168.50.6 
crypto map TO_SITE1 56 set transform-set TRANSFORM1
crypto map TO_SITE1 56 set security-association lifetime seconds 28800
crypto map TO_SITE1 56 set security-association lifetime kilobytes 4608000
crypto map TO_SITE1 200 set security-association lifetime seconds 28800
crypto map TO_SITE1 200 set security-association lifetime kilobytes 4608000
crypto map TO_SITE1 65535 ipsec-isakmp dynamic VPN1
crypto map TO_SITE1 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.50.6 type ipsec-l2l
tunnel-group 192.168.50.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:4ab803cd550d56a7d533d42f7d26ad47
: end



AsaHome(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.50.6
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
AsaHome(config)#

Thanks!

 

[Supergrrover]

A consultant did this ????


access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
access-list inside_outbound extended permit ip any any
access-list 20 extended permit ip any any
access-list 20 extended permit icmp any any
access-list 30 extended permit ip any any
access-list 30 extended permit icmp any any
access-list 40 extended permit ip any any
access-list 40 extended permit icmp any any
access-list 134 extended permit ip any any
nat (inside) 0 access-list inside_outbound

access-group 10 in interface inside
access-group 40 out interface inside
access-group 20 in interface outside
access-group 30 out interface outside

crypto map TO_SITE1 56 match address 134

Really?! What was their experience level?

What is the topology for this? What were the exact design goals? Do you need routing protocols at all?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[chunalt787]

She came highly recomended and had over 10 years in IT work. This is for a closed intranet with static IP's. I have a feeling I'm going to get an answer that I don't want so I'm heasitant to ask this question but what makes you ask about the access-list's?

On a side note I was able to resolve the problem. I made both sites have the same access-groups and then tried two different computers and it connected. I guess there was something wrong with the PC's that I was using.

Thanks for the reply

 

[Supergrrover]

from the acl's it appears that they are VERY new to cisco and security. I think they were just happy to get it working but it shows no understanding and certainly no experience. I expect this from a brand new student/trainee for ccna.

I suggest you thoroughly go over your design goals and make sure they are met. post them if you want one of is to take a look and give you our 2 cents. - as you can see most of us have change for a dollar.

Brent
Systems Engineer / Consultant
CCNP, CCSP