RE: ASA FW site-to-site vpn setup with Netscreen FW

From: Ryan West <rwest_at_zyedge.com>
Date: Thu, 17 Mar 2011 12:51:49 +0000

Kawaii,

Looks like you're using vpn-filter in your group-policy for the L2L VPN. It
seems like your ACE is backwards for source and destination. Have a read in
the section above this link.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1134870

-ryan
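
The point Ryan is making about ACE direction, shown as an added example rather than config from the thread. Addresses and names are assumptions: ASA-side network 10.194.0.0/16, NetScreen-side network 192.168.1.0/24, NetScreen peer 210.0.0.1 (the thread masks it as 210.x.x.x), and the L2L-FILTER / L2L-GP names are made up for illustration. The trace Kawaii posted passes the inside interface ACL (phase 4) and is then dropped in the "domain=vpn-user ... -implicit deny-" phase, which is exactly where a vpn-filter ACL that never matches ends up.

```cisco
! Added example for the thread, not Kawaii's config. Assumed values:
!   ASA-side (local) network   10.194.0.0/16
!   NetScreen-side (remote)    192.168.1.0/24
!   NetScreen public peer      210.0.0.1   (masked as 210.x.x.x in the thread)
!
! WRONG: the ACE is written from the inside host's point of view.
! A vpn-filter is not an interface ACL; 10.194.0.56 -> 192.168.1.100 does not
! match this line, so the flow falls through to the filter's implicit deny
! (the "domain=vpn-user ... filter_id=0x0(-implicit deny-)" phase in the trace).
access-list L2L-FILTER extended permit icmp 10.194.0.0 255.255.0.0 192.168.1.0 255.255.255.0

! RIGHT: vpn-filter ACEs are written with the REMOTE (tunnel) side as the
! source and the LOCAL side as the destination, no matter which side starts
! the conversation. The ASA checks decrypted inbound packets against the ACE
! as written and outbound packets against its mirror image, so one line
! covers both directions of each flow.
no access-list L2L-FILTER extended permit icmp 10.194.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list L2L-FILTER extended permit icmp 192.168.1.0 255.255.255.0 10.194.0.0 255.255.0.0

! Same rule for ports: the remote side's port is the SOURCE port. To let
! ASA-side hosts reach an SSH server at 192.168.1.100, "eq 22" goes on the
! 192.168.1.100 side of the ACE, not on the 10.194.0.0 side.
access-list L2L-FILTER extended permit tcp host 192.168.1.100 eq 22 10.194.0.0 255.255.0.0

group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value L2L-FILTER

tunnel-group 210.0.0.1 type ipsec-l2l
tunnel-group 210.0.0.1 general-attributes
 default-group-policy L2L-GP

! Check: the vpn-user phase must now show deny=false and the trace should
! reach the VPN (encrypt) phase instead of ending in "acl-drop".
!   packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 detailed
! To prove the filter is the cause before rewriting it, clear it temporarily:
!   group-policy L2L-GP attributes
!    vpn-filter none
```

Two caveats worth keeping in mind: a vpn-filter set on DfltGrpPolicy applies to every tunnel-group that does not override it, so check `show run group-policy DfltGrpPolicy` as well as the L2L policy; and because the filter is evaluated after the interface ACL, a permit in `from-inside-to-internet` (as in phase 4 of the trace) says nothing about whether the tunnel will pass the traffic.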

From: Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
Sent: Thursday, March 17, 2011 12:07 AM
To: kawaii mak
Cc: Ryan West; Cisco certification
Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW

Kawaii,

Is your access-list for the S2S based on port access or access based on
IP?

Please attach a sanitized configuration of both devices and we should be able
to resolve this issue for you.

On Wed, Mar 16, 2011 at 8:09 PM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
Dear Ryan, Prof, and all,

It seems the packet can't get through to the outside of the ASA5520 according
to packet-tracer; the action is drop in the last step. Is anything wrong in the
configuration?? Please help!!! Thank you very much!!!!

ASAFW/pri/act# packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x73ba30e8, priority=1, domain=permit, deny=false
        hits=4889947683, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.100 255.255.255.255 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-inside-to-internet in interface inside
access-list from-inside-to-internet extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x742ac240, priority=12, domain=permit, deny=false
        hits=284, user_data=0x6d7d4540, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x73ba5708, priority=0, domain=inspect-ip-options, deny=true
        hits=78903994, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x73ba5380, priority=66, domain=inspect-icmp-error, deny=false
        hits=298, user_data=0x73ba5268, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x73298b68, priority=11, domain=vpn-user, deny=true
        hits=3918, user_data=0x6d7d4c40, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2011/3/17 Ryan West <rwest_at_zyedge.com>
Prof is right, I read that wrong this AM. If it's not routing from the ASA /
internal network, it's probably a no NAT issue.

Try 'packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det' and
see if it's failing any of the steps (ACL or NAT). You may need to run the
command twice if it makes it to the tunnel step.

-ryan
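
The "no NAT" check Ryan describes, as an added example in ASA 8.2 syntax (the release Kawaii's box runs), not config from the thread. Assumed values: ASA-side network 10.194.0.0/16, NetScreen-side network 192.168.1.0/24, NetScreen peer 210.0.0.1 (masked as 210.x.x.x in the thread), and the NONAT / L2L-CRYPTO / OUTSIDE-MAP names and the pre-shared key placeholder are made up for illustration. One caveat on the 402116 message in Kawaii's original post further down: the decapsulated inner packet there carries the tunnel endpoints' own addresses (source 210.x.x.x, destination 203.x.x.x) rather than the private hosts the SA proxies name, so the NetScreen is sending traffic that does not belong to the negotiated proxies; NAT exemption on the ASA cannot change that, and it has to be chased on the NetScreen with the `get sa` / `get route` / `debug flow basic` commands mentioned in the thread.

```cisco
! Added example for the thread, not Kawaii's config (ASA 8.2 NAT syntax).
! Assumed values:
!   ASA-side (local) network   10.194.0.0/16
!   NetScreen-side (remote)    192.168.1.0/24
!   NetScreen public peer      210.0.0.1   (masked as 210.x.x.x in the thread)
!   Pre-shared key             REPLACE-ME is a placeholder, not the real key
!
! Typical site PAT for internet access. Without an exemption this also
! rewrites traffic bound for 192.168.1.0/24 to the outside address, so the
! packet no longer matches the crypto ACL and is routed out unencrypted
! like any other internet traffic (in packet-tracer it never reaches a VPN
! phase).
nat (inside) 1 10.194.0.0 255.255.0.0
global (outside) 1 interface

! NAT exemption (identity NAT, "nat 0"): VPN-bound traffic keeps its real
! source address. This ACL must line up with the crypto ACL below.
access-list NONAT extended permit ip 10.194.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Crypto ACL = the ASA's proxy-ID. It has to be the exact mirror of the
! NetScreen's proxy-ID. The SA in Kawaii's log was built with /32 host
! proxies on both sides, so substitute "host" entries here if that is what
! the NetScreen is configured with.
access-list L2L-CRYPTO extended permit ip 10.194.0.0 255.255.0.0 192.168.1.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 210.0.0.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 210.0.0.1 type ipsec-l2l
tunnel-group 210.0.0.1 ipsec-attributes
 pre-shared-key REPLACE-ME

! Checks, in order:
!   show run nat
!       "nat (inside) 0 access-list NONAT" must be present
!   packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 detailed
!       run it twice: the first run only kicks off IKE if no SA exists yet;
!       the second should show a NAT phase in which the source address is
!       left untranslated, followed by a VPN phase and "Action: allow"
!   show crypto ipsec sa peer 210.0.0.1
!       "#pkts encaps" rising while "#pkts decaps" stays at 0 means the ASA
!       is sending into the tunnel but nothing matching is coming back
```

The `show crypto ipsec sa peer` output is also where the proxy mismatch shows up directly: the local ident / remote ident lines are the negotiated proxies, and they should read the same (with sides swapped) as `get sa id <id>` on the NetScreen, which is the comparison Mad_Prof asks for further down the thread.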

From: Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
Sent: Wednesday, March 16, 2011 3:35 PM
To: Ryan West
Cc: Abiola Jewoola; kawaii mak; Cisco certification

Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW

The ASA is not returning any traffic and Phase 2 has formed correctly.
Verify whether the address local to the ASA's network knows how to route back
to the ASA.

On Wed, Mar 16, 2011 at 4:42 AM, Ryan West <rwest_at_zyedge.com> wrote:
I'm a little rusty on netscreen, but it looks like you have your proxies
matching, but you might be missing a route on the netscreen. Are you doing
route/tunnel interface mode on your netscreen or policy based? If it's route
based, what does 'get vpn' and 'get route' show?

You can use 'set ffilters src-ip=' and 'debug flow basic' and 'get db stream'
to see if it's hitting the crypto engine on the netscreen.

Sent from handheld

On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com> wrote:

> Are you doing any NAT stuff on your ASA?
>
> --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
>
> From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
> Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
> To: "kawaii mak" <kawaii00mak_at_gmail.com>
> Cc: "Cisco certification" <ccielab_at_groupstudy.com>
> Date: Wednesday, March 16, 2011, 2:17 AM
>
> Compare the output of these commands :
>
> Netscreen
> get sa
> get sa id xxx
>
>
> ASA
> show crypto ipsec sa peer x.x.x.x
>
>
> This should be enough if Phase 2 is formed.
>
>
>
>
> On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
>
>> Dear Expert,
>> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) set up to
>> connect to a Netscreen SSG20 for a Site-to-Site VPN tunnel.
>> Tunnel negotiation completed Phase 1 & Phase 2. Private traffic is
>> initiated from the ASA side (10.194.x.x) to the Netscreen side
>> (192.168.x.x), but it seems to be unreachable. And the following message
>> occurs on the ASA when the packet returns from the Netscreen side. Is
>> anything wrong in the configuration that triggers these messages????
>> Please help!!! Thanks.
>>
>> firewall log
>> ==============
>> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
>> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
>> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
>> policy in the SA. The packet specifies its destination as 203.x.x.x, its
>> source as 210.x.x.x, and its protocol as 1. The SA specifies its local
>> proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
>> 192.168.x.x/255.255.255.255/0/0.
>>
>> Regards,
>> Kawaii
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> It is said that if you know your enemies and know yourself, you will not be
> imperiled in a hundred battles; if you do not know your enemies but do know
> yourself, you will win one and lose one; if you do not know your enemies
nor
> yourself, you will be imperiled in every single battle.

Received on Thu Mar 17 2011 - 12:51:49 ART

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART