July 20, 2008 02:01am pdt

1. batry_boy 60,960
2. lrmoore 49,665
3. RobWill 21,300
4. arnold 17,500
5. dpk_wal 14,875
6. mkielar 12,500
7. Voltz-dk 12,420
8. ebjers 12,130
9. MrHusy 10,000
10. Cyclops3590 8,900
11. SteveH_UK 8,000
12. mwecompu... 7,985
13. trinak96 7,865
14. PeteLong 5,975
15. stuknhawaii 4,950

1. lrmoore 309,007
2. RobWill 176,524
3. richrumble 111,117
4. batry_boy 107,335
5. rsivanandan 50,017
6. ahoffmann 44,523
7. grblades 35,012
8. pseudocyber 34,059
9. Cyclops3590 33,775
10. arnold 30,760
11. tim_holman 27,445
12. kbbcnet 26,524
13. dpk_wal 24,875
14. Tolomir 23,651
15. sciwriter 23,050

09.10.2007 at 07:51AM PDT, ID: 22817780

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.0

ASA 5510 - Inbound TCP connection denied from x.x.x.x/1196 to x.x.x.x/11200 flags SYN on interface Inside

Zones: IPSec Security Protocol, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: tcp, denied, connection, inbound, asa

Replaced PIX with ASA 5510 v8.02. Tunnel comes up when traffic is sent, but no traffic gets through.
Not sure what I"m issing. Traffic for other tunnels (not listed in config get through). Traffic for this particular tunnel has to be NATed with external interface since it's going to remote servers.

Below is the syslog message that is generated.
2 Sep 10 2007 08:04:20 106001 Inbound TCP connection denied from 192.168.76.94/1196 to Stibo.81/11200 flags SYN on interface Inside
:
ASA Version 8.0(2)
!

!
interface Ethernet0/0
nameif Outside
security-level 0
ip address HTA_ASA5510-2_EXT 255.255.255.224
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address x.x.x.x 255.255.252.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
management-only
!

access-list VPN_Stibo_Access remark VPN Access to Stibo network
access-list VPN_Stibo_Access extended permit ip host HTA_ASA5510-2_EXT object-group Stibo_Network

ccess-list Outside_Access_In extended permit ip object-group Stibo_Network host HTA_ASA5510-2_EXT
access-list Outside_Access_In remark Time Service
access-list Outside_Access_In extended permit udp host NTP_Server any eq ntp

access-list Inside_Access_Out extended permit icmp object-group HTA_Offices any
access-list Inside_Access_Out extended permit ip any any inactive
access-list Inside_Access_Out extended permit object-group Stibo_81_Services object-group HTA_Offices host Stibo.81
access-list Inside_Access_Out extended permit tcp object-group HTA_Offices host Stibo.82 eq www
access-list Inside_Access_Out extended permit tcp object-group HTA_Offices host Stibo.83 eq www
access-list Inside_Access_Out extended permit tcp object-group HTA_Offices host Stibo.65 eq citrix-ica
access-list Inside_Access_Out extended permit tcp object-group HTA_Offices host Stibo.66 eq citrix-ica
access-list Inside_Access_Out extended permit object-group Stibo_HTQuark_Services object-group HTA_Offices host Stibo_HTQuark
access-list Inside_Access_Out extended permit ip object-group MKE1_Servers any

access-list MKE_All_To_Stibo extended permit ip host HTA_ASA5510-2_EXT object-group Stibo_Network
access-list Inside_NAT_Outbound extended permit ip object-group HTA_Offices any

pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any DMZ
icmp permit any Inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound
access-group Outside_Access_In in interface Outside
access-group Inside_Access_Out in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
imeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map1 2 match address MKE_All_To_Stibo
crypto map Outside_map1 2 set pfs
crypto map Outside_map1 2 set peer Stibo_FW
crypto map Outside_map1 2 set transform-set ESP-3DES-SHA
crypto map Outside_map1 2 set nat-t-disable

crypto map Outside_map1 interface Outside
crypto map outside_map1 1 set pfs
crypto map outside_map1 2 set pfs
crypto map outside_map1 3 set pfs
crypto isakmp enable Outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect h323 h225
inspect http
inspect rsh
inspect rtsp
inspect sip
inspect skinny
!
service-policy global_policy global
ntp server NTP_Server source Outside
tftp-server Inside 192.168.72.102 \ht-wi-mke1-asa5510-2-confg

group-policy VPN_Stibo_Access attributes
vpn-filter value VPN_Stibo_Access
vpn-tunnel-protocol IPSec

tunnel-group 217.28.160.11 type ipsec-l2l
tunnel-group 217.28.160.11 general-attributes
default-group-policy VPN_Stibo_Access
tunnel-group 217.28.160.11 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck

prompt hostname context
Cryptochecksum:a7f2c278e56a5eecad5a8f7391d09e33
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: dmudgett

Solution Provided By: dmudgett

Participating Experts: 1

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

09.10.2007 at 08:40AM PDT, ID: 19861750

Rank: Guru

PeteLong:

>>no crypto isakmp nat-traversal

what is your reason for this?

try changing to

crypto isakmp nat-traversal 20

09.10.2007 at 09:20AM PDT, ID: 19862039

dmudgett:

No reason. Configuration was done via ASDM. i applied that command you gave except I used policy 50. I don't have a plicy 20 listed. End results was the same. No go.

09.10.2007 at 09:24AM PDT, ID: 19862074

dmudgett:

Sorry, I see the 20 represents the keepalive time, not a policy.

09.10.2007 at 10:52AM PDT, ID: 19862763

dmudgett:

Figured it out. The ACL used in the Internal Group Policy on the Tunnel Group was blocking it.

Accepted Solution

09.10.2007 at 11:23AM PDT, ID: 19863017

Vee_Mod:

A request has been made in Community Support to close this question:
http://www.experts-exchange.com/Q_22818445.html

If there are no objections, a moderator will finalize this question in approximately 4 days as follows:
PAQ with refund using {http:#a19862763}

Please leave any recommendations here.

Vee_Mod
Community Support Moderator

09.10.2007 at 11:37AM PDT, ID: 19863129

Rank: Guru

PeteLong:

no probs shut it down :)

09.10.2007 at 12:06PM PDT, ID: 19863360

Vee_Mod:

Closed, 500 points refunded.
Vee_Mod
Community Support Moderator

09.10.2007 at 12:06PM PDT, ID: 19863361

Vee_Mod:

Closed, 500 points refunded.
Vee_Mod
Community Support Moderator

20080236-EE-VQP-29 / EE_QW_2_20070628