Firewall Wizards mailing list archives

Re: asa 5505 vpn ipsec l2l problem
From: Eric Gearhart <eric () nixwizard net>
Date: Mon, 5 Oct 2009 21:45:33 -0700

On Sat, Oct 3, 2009 at 5:38 AM, Hrvoje Popovski <hrvoje () srce hr> wrote:

> > If you're not seeing IPsec build the tunnel with debug crypto, I would
> > guess that traffic is getting NAT'd out, and not hitting the tunnel (by
> > the way, you probably only need debug crypto ipsec 5, not 100...)
> >
> > Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
> > ACL setup that excludes "your device networks -> remote device networks"?
> >
> > --
> > Eric
>
> hello everyone,
>
> first thanks everyone who replied on my post.
> I can't establish SA, crypto acl is the same on both ends, well they tell
> me so. I can't see config on other side but maybe from log that i can see on
> my ASA i think that problem is on my side. I really don't know maybe problem
> is in licence (10 inside hosts) but i have only 2 inside hosts
> (192.168.11.11 and 11.12).
> I will try to apply crypto acl with ip rule and see what happens.


I think this was previously mentioned by Paul Melson... try to use IP
addresses in your IPsec interesting traffic ACL... I agree with him, that
having specific ports in ACL1 is the problem, as far as I know

So ACL1 is now:
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data

ACL1 should be:
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.105

At least try this config, and see if it works... worst case roll it back to
what you had before.

Do a 'debug cry isa 5' and try to ping a remote host from e.g. 10.1.100.13
and see if the tunnel tries to build

--
Eric
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
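Added example, not code from the thread or from Cisco: a small Python checker that applies the two points raised in this reply to a crypto ACL before it goes on the box. It flags permit entries that are protocol- or port-specific (the crypto map ACL should select flows with `ip` only), and it checks that the local and far-end crypto ACLs are mirror images of each other, since mismatched proxy IDs are the usual reason no phase 2 SA is built. The parser handles the plain `access-list NAME extended permit|deny PROTO SRC [PORT] DST [PORT]` form with `host`, `any` and network/mask addresses; object-groups are not parsed. The ACL lines are the ones from this thread; the far-end ACL (`L2L_OUT`) is constructed for the example, because the remote config was never shown, and deliberately omits one flow.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PORT_OPS = ("eq", "gt", "lt", "neq")


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _take_addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def _take_port(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier ('eq 4000', 'range 20 21', ...)."""
    if i < len(t) and t[i] in PORT_OPS:
        return f"{t[i]} {t[i + 1]}", i + 2
    if i < len(t) and t[i] == "range":
        return f"range {t[i + 1]} {t[i + 2]}", i + 3
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ASA extended ACE; returns None for lines we do not understand."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    try:
        src, i = _take_addr(t, 5)
        src_port, i = _take_port(t, i)
        dst, i = _take_addr(t, i)
        dst_port, _ = _take_port(t, i)
    except IndexError:
        return None
    return Ace(t[1], t[3], t[4], src, src_port, dst, dst_port)


def crypto_acl_findings(lines: List[str]) -> List[str]:
    """Report permit ACEs that are protocol- or port-specific. A crypto ACL only
    selects which flows get encrypted and sets the proxy IDs for the SA; port
    filtering belongs in the interface ACL, not here."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None or ace.action != "permit":
            continue
        reasons = []
        if ace.proto != "ip":
            reasons.append(f"protocol '{ace.proto}' instead of 'ip'")
        if ace.src_port or ace.dst_port:
            reasons.append("port qualifier present")
        if reasons:
            findings.append(f"{ace.acl}: {ace.src} -> {ace.dst}: " + "; ".join(reasons))
    return findings


def pair_set(lines: List[str]) -> Set[Tuple[str, str]]:
    """(src, dst) pairs of all permit ACEs, ignoring ports."""
    return {(a.src, a.dst) for a in map(parse_ace, lines) if a and a.action == "permit"}


def mirror_check(local: List[str], remote: List[str]):
    """Both peers must list the same flows with src/dst swapped. Returns
    (flows missing on the far end, extra flows on the far end), as local pairs."""
    local_pairs = pair_set(local)
    remote_mirrored = {(d, s) for (s, d) in pair_set(remote)}
    return local_pairs - remote_mirrored, remote_mirrored - local_pairs


# ACL1 as originally posted in the thread (port-specific: the problem)
ORIGINAL_ACL1 = [
    "access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000",
    "access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000",
    "access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp",
    "access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data",
    "access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000",
    "access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000",
    "access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp",
    "access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data",
]
# ACL1 as suggested in the reply (ip only)
CORRECTED_ACL1 = [
    f"access-list ACL1 extended permit ip host {s} host {d}"
    for s in ("192.168.11.11", "192.168.11.12")
    for d in ("10.1.100.13", "10.1.110.250", "10.1.100.105")
]
# Constructed far-end crypto ACL (assumption; the remote config was not posted).
# It lacks the 10.1.100.105 <-> 192.168.11.12 flow on purpose.
REMOTE_ACL = [
    f"access-list L2L_OUT extended permit ip host {s} host {d}"
    for (s, d) in [("10.1.100.13", "192.168.11.11"), ("10.1.110.250", "192.168.11.11"),
                   ("10.1.100.105", "192.168.11.11"), ("10.1.100.13", "192.168.11.12"),
                   ("10.1.110.250", "192.168.11.12")]
]

if __name__ == "__main__":
    for f in crypto_acl_findings(ORIGINAL_ACL1):
        print("port/protocol:", f)
    missing, extra = mirror_check(CORRECTED_ACL1, REMOTE_ACL)
    print("missing on far end:", missing)
    print("extra on far end:", extra)
```

Run against the posted ACL1 it reports all eight entries; against the corrected ACL it reports nothing, and the mirror check names the one flow the constructed far end is missing, which is the kind of proxy-ID mismatch that `debug crypto ipsec` would otherwise only show as a failed phase 2 negotiation.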
