ASA Blocking Ports over VPN 1

Status
Not open for further replies.

usfregale

Technical User
May 1, 2009
33
US
We have a VPN built by a single ASA 5510 at the center and ASA5505s at the spokes. There are about 40 spokes. Some time ago we began having trouble with traffic back and forth between two of the sites -- it appeared that certain ports were being blocked through the VPN tunnel. After much work we finally determined that the ASA was either blocking ports through the tunnel or somehow filtering packets. This was determined by bringing the two relevant devices (phone systems) together on a single LAN, where they are able to authenticate with one another flawlessly. They are not able to properly authenticate with one another over the VPN.

Thank you in advance for your thoughts.

Richard

Here are the relevant ASA configs:

Central Site

JHSCHQ(config)# show run
: Saved
:
ASA Version 8.0(4)
!
hostname JHSCHQ
domain-name default.domain.invalid
enable password xxxx encrypted
passwd xxxx encrypted
names
name 10.20.0.35 time
name 10.20.0.10 mail
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.114.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.115.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.116.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.117.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.118.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.119.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.121.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.122.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.124.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.125.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.126.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.127.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.128.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.129.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.106.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.133.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.152.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.154.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.155.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.156.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.157.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.158.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.160.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.161.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.170.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.171.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonat extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.131.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list vpn_to_jh70333 extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh13765 extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh13765 extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh13765 extended permit ip 10.131.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh51829 extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list vpn_to_jh18114 extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list vpn_to_jh71216 extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.101.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list vpn_to_jh50642 extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list vpn_to_hg51135 extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list vpn_to_jh70244 extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list vpn_to_jh50630 extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list vpn_to_JH18640 extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list vpn_to_jh70952 extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonatout extended permit ip 10.105.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list nonatout extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonatout extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list acl_outside extended permit tcp any host 70.63.248.110
access-list vpn_to_JHROUTER2 extended permit ip 10.20.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list vpn_to_JHROUTER2 extended permit ip 10.101.0.0 255.255.255.0 10.131.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 10.20.0.11 netmask 255.0.0.0
global (inside) 1 time netmask 255.0.0.0
nat (outside) 0 access-list nonatout
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8050 time 8050 netmask 255.255.255.255
static (inside,outside) tcp interface 8085 time 8085 netmask 255.255.255.255
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255
static (inside,outside) tcp interface https mail https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 mail imap4 netmask 255.255.255.255
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 12:00:00 udp 12:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 12:00:00 h225 12:00:00 mgcp 12:00:00 mgcp-pat 12:00:00
timeout sip 0:30:00 sip_media 0:10:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 3:00:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.20.0.0 255.255.255.0 management
snmp-server host inside 10.123.0.158 community public
snmp-server location Processing
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-AES-MD5
crypto dynamic-map outside_dyn_map 5 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 65500 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns mail 24.25.5.60
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.20.0.32,MCPORT=1719"
!
dhcpd address 10.20.0.100-10.20.0.205 inside
dhcpd enable inside
!
priority-queue outside
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
username cisco password xxx encrypted privilege 15
username blynch password xxx encrypted privilege 0
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class Voice
priority
policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
service-policy Voicepolicy interface outside
prompt hostname context
Cryptochecksum:xxxxx
: end


Spoke site:

JH18363(config)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname JH18363
domain-name default.domain.invalid
enable password xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.105.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_to_jhschq extended permit ip 10.105.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list vpn_to_jhschq extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging trap debugging
logging asdm informational
logging host inside 10.105.0.152
logging debug-trace
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 255.255.255.255 outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.105.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map ouside_map 5 set reverse-route
crypto map outside_map 10 match address vpn_to_jhschq
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set ESP-AES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 10.20.0.33 255.255.255.255 outside
telnet timeout 5
ssh 10.105.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2 4.2.2.1
dhcpd domain PCDEEOF18363
dhcpd auto_config outside
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.105.0.33,MCPORT=1719"
!
dhcpd address 10.105.0.150-10.105.0.181 inside
dhcpd enable inside
!

priority-queue outside
tx-ring-limit 256
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
match flow ip destination-address
match tunnel-group x.x.x.x
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500
!
service-policy global_policy global
service-policy Voicepolicy interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
: end
JH18363(config)#
 
The first thing I might try is turning off the TCP timeouts for H323 and disabling your inspect maps for tftp and RTSP.
 
usfregale,

Did you find a solution to your issue? We are experiencing the same issue, where certain tcp/udp ports don't seem to be working across our site-to-site ipsec tunnels. We actually have site-to-site ipsec tunnels between 2800s where the same application has no issues. The site-to-site tunnel between two 5505s is where we see issues.

thanks,
bh
 
The suggestion provided here for disabling the inspect maps was successful in resolving this problem.
 