Re: ASA FW site-to-site vpn setup with Netscreen FW

From: kawaii mak <kawaii00mak_at_gmail.com>
Date: Fri, 18 Mar 2011 11:45:49 +0800

Dear Ryan, Prof,

It works now... 10000x thanks... and guys, you are the experts!!!!!
The ICMP deny log after VPN tunnel negotiation was due to the Netscreen side
having clicked VPN monitor, which is not supported by the ASA.
The final failure, the packet-tracer packet DROP in vpn-filter, was because the
ACE was wrongly configured, like Ryan said. Thanks again.

2011/3/17 Ryan West <rwest_at_zyedge.com>

> Kawaii,
>
> Looks like you're using vpn-filter in your group-policy for the L2L VPN.
> It seems like your ACE is backwards for source and destination. Have a
> read in the section above this link.
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1134870
>
> -ryan
>
> *From:* Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
> *Sent:* Thursday, March 17, 2011 12:07 AM
> *To:* kawaii mak
> *Cc:* Ryan West; Cisco certification
>
> *Subject:* Re: ASA FW site-to-site vpn setup with Netscreen FW
>
> Kawaii,
>
>
> Is your access-list for the S2S based on port access or access based
> on IP?
>
> Please attach a sanitized configuration of both devices and we should be
> able to resolve this issue for you.
>
>
> On Wed, Mar 16, 2011 at 8:09 PM, kawaii mak <kawaii00mak_at_gmail.com>
> wrote:
>
> Dear Ryan, Prof, and all,
>
> Seems the packet can't get through the outside of the ASA5520 according to
> packet-tracer, and the action is drop in the last step. Is anything wrong
> in the configuration??
>
> Please help!!! Thank you very much!!!!
>
> ASAFW/pri/act# packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det
>
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba30e8, priority=1, domain=permit, deny=false
> hits=4889947683, user_data=0x0, cs_id=0x0, l3_type=0x8
> src mac=0000.0000.0000, mask=0000.0000.0000
> dst mac=0000.0000.0000, mask=0100.0000.0000
>
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 192.168.1.100 255.255.255.255 outside
>
> Phase: 4
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group from-inside-to-internet in interface inside
> access-list from-inside-to-internet extended permit icmp any any
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x742ac240, priority=12, domain=permit, deny=false
> hits=284, user_data=0x6d7d4540, cs_id=0x0, flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 5
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5708, priority=0, domain=inspect-ip-options, deny=true
> hits=78903994, user_data=0x0, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 6
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5380, priority=66, domain=inspect-icmp-error, deny=false
> hits=298, user_data=0x73ba5268, cs_id=0x0, use_real_addr,
> flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 7
> Type: ACCESS-LIST
> Subtype: vpn-user
> Result: DROP
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> out id=0x73298b68, priority=11, domain=vpn-user, deny=true
> hits=3918, user_data=0x6d7d4c40, filter_id=0x0(-implicit deny-),
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0
>
> Result:
> input-interface: inside
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
> 2011/3/17 Ryan West <rwest_at_zyedge.com>
>
> Prof is right, I read that wrong this AM. If it's not routing from the ASA
> / internal network, it's probably a no-NAT issue.
>
> Try packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det and
> see if it's failing any of the steps (ACL or NAT). You may need to run the
> command twice if it makes it to the tunnel step.
>
> -ryan
>
> *From:* Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
> *Sent:* Wednesday, March 16, 2011 3:35 PM
> *To:* Ryan West
> *Cc:* Abiola Jewoola; kawaii mak; Cisco certification
>
>
> *Subject:* Re: ASA FW site-to-site vpn setup with Netscreen FW
>
> The ASA is not returning any traffic and Phase 2 has formed correctly.
> Verify that the address local to the ASA's network knows how to route back
> to the ASA.
>
> On Wed, Mar 16, 2011 at 4:42 AM, Ryan West <rwest_at_zyedge.com> wrote:
>
> I'm a little rusty on netscreen, but it looks like you have your proxies
> matching, but you might be missing a route on the netscreen. Are you doing
> route/tunnel interface mode on your netscreen or policy based? If it's
> route based, what does 'get vpn' and 'get route' show?
>
> You can use 'set ffilter src-ip=' and 'debug flow basic' and 'get db
> stream' to see if it's hitting the crypto engine on the netscreen.
>
> Sent from handheld
>
>
> On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com> wrote:
>
> > Are you doing any NAT stuff on your ASA?
> >
> > --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
> >
> > From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
> > Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
> > To: "kawaii mak" <kawaii00mak_at_gmail.com>
> > Cc: "Cisco certification" <ccielab_at_groupstudy.com>
> > Date: Wednesday, March 16, 2011, 2:17 AM
> >
> > Compare the output of these commands :
> >
> > Netscreen
> > get sa
> > get sa id xxx
> >
> >
> > ASA
> > show crypto ipsec sa peer x.x.x.x
> >
> >
> > This should be enough if Phase 2 is formed.
> >
> > On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com>
> wrote:
> >
> >> Dear Experts,
> >> I have a question about a Cisco FW (ASA5520 with v8.2(2)) set up to
> >> connect to a Netscreen SSG20 for a Site-to-Site VPN tunnel.
> >> Tunnel negotiation completed Phase 1 & Phase 2. Private traffic is
> >> initiated from the ASA side (10.194.x.x) to the Netscreen side
> >> (192.168.x.x) but it seems to be unreachable. And some messages occur
> >> in the ASA while the packet returns from the Netscreen side, as follows.
> >> Is anything wrong in the configuration to trigger these messages????
> >> Please help!!! Thanks.
> >>
> >> firewall log
> >> ==============
> >> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
> >> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
> >> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
> >> policy in the SA. The packet specifies its destination as 203.x.x.x,
> >> its source as 210.x.x.x, and its protocol as 1. The SA specifies its
> >> local proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
> >> 192.168.x.x/255.255.255.255/0/0.
> >>
> >> Regards,
> >> Kawaii
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >
> > --
> > It is said that if you know your enemies and know yourself, you will not
> > be imperiled in a hundred battles; if you do not know your enemies but do
> > know yourself, you will win one and lose one; if you do not know your
> > enemies nor yourself, you will be imperiled in every single battle.
>

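The two things the thread ends up fixing, written out as an added configuration example. This is not from any message above; it is an editor's illustration. The ASA matches a vpn-filter ACE with the remote peer's network as the source and the local network as the destination, for traffic in either direction, which is why an ACE written "local -> remote" never matches and the implicit deny shows up as the vpn-user DROP in the packet-tracer output. The host addresses 10.194.0.56 and 192.168.1.100 are taken from the packet-tracer command in the thread; the ACL, group-policy and ScreenOS VPN names, the 210.x.x.x peer (the thread's sanitized address) and the SSG interface name bgroup0 are assumptions.

```text
! --- ASA 5520, 8.2(2): vpn-filter for the L2L tunnel (added example) ---
! Wrong: written from the local side's point of view (local source,
! remote destination). A vpn-filter ACE is always evaluated with the
! REMOTE network as source and the LOCAL network as destination, for
! both directions of the flow, so this ACE never matches and the
! "-implicit deny-" drops the packet (packet-tracer Subtype: vpn-user, DROP).
access-list L2L-VPN-FILTER extended permit icmp host 10.194.0.56 host 192.168.1.100

! Right: remote (Netscreen side) first, local (ASA side) second.
no access-list L2L-VPN-FILTER extended permit icmp host 10.194.0.56 host 192.168.1.100
access-list L2L-VPN-FILTER extended permit icmp host 192.168.1.100 host 10.194.0.56
! For TCP/UDP the port in the ACE is the LOCAL side's port, e.g. to let the
! remote host reach a local web server on 10.194.0.56:
!   access-list L2L-VPN-FILTER extended permit tcp host 192.168.1.100 host 10.194.0.56 eq 80

! Names below are assumed; 210.x.x.x is the thread's sanitized peer address.
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value L2L-VPN-FILTER
 vpn-tunnel-protocol IPSec
tunnel-group 210.x.x.x type ipsec-l2l
tunnel-group 210.x.x.x general-attributes
 default-group-policy L2L-GP

! Verify: the vpn-user phase should now report the named filter, not
! "-implicit deny-", and the peer SA should show encaps/decaps counters rising.
packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 detailed
show crypto ipsec sa peer 210.x.x.x

# --- ScreenOS (SSG20): VPN monitor (added example) ---
# With a bare "monitor", the SSG pings the peer gateway from its egress
# interface address. That inner packet (210.x.x.x -> 203.x.x.x) is outside
# the /32 proxy IDs, so the ASA logs 402116 ("decapsulated inner packet
# doesn't match the negotiated policy") and discards it. Either turn the
# monitor off, or source it from inside the proxy IDs at a host that answers.
unset vpn ASA-L2L monitor
# or (bgroup0 is an assumed inside interface name):
set vpn ASA-L2L monitor source-interface bgroup0 destination-ip 10.194.0.56 rekey
```

Run the packet-tracer twice on a cold tunnel, as Ryan notes above: the first run may only kick off the IKE negotiation, and the flow is evaluated against the filter on the second.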
Received on Fri Mar 18 2011 - 11:45:49 ART

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART