Solved

Routing Traffic Through IPSec Tunnel on Cisco ASA

Posted on 2009-07-09
11
3,058 Views
Last Modified: 2012-05-07
This on is for the ages!   I would give a million points if I could if someone figures this one out.

I have a Cisco ASA 5510, I am initiating a VPN tunnel to a vendor who has a NetScreen FW on teh other end.  The tunnels, not a problem, get those intitiated with no problem.  The problem comes when I try to pass SCTP (protocol 132) over the VPN....the firewall just doesn't see it as interesting traffic.  This is NOT a config issue, I have had both the vendor AND Cisco say my config is fine....

Ultimately the problem Cisco said is they do nto support SCTP.  It turns out we cannot wrap it in TCP?UDP, etc.  So my qustion is, can I just route through the ASA without packet or protocol inspection?  Or any other creative ideas people my have out there....please I am desperate to figure this out!!!
0
Comment
Question by:authentify
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24819714
Does the vendor have other clients using an ASA as the VPN endpoint?

Can you post your config anyway?
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24819831
if your config has a permit entry for proto 132 in the acl used in the match address statement of the crypto definition, this should work fine. you can verify that the asa is trying to do the right thing by "sh access-l <list name>" and you will see a counter at the end of each line, indicating matching traffic. look at the line with proto 132 to verify that much is right.

next, "sh cry ips sa peer <netscreen public address>" will show if an sa has been established for this traffic, plus encrypted and decrypted traffic count. if both of these show other than 0, you should be in business.
0
 
LVL 1

Author Comment

by:authentify
ID: 24819970
Yeh I did the sh access-list thing with both the Cisco tech and the the vendor.  Here is what happens....

I can initiate a tunnle by doing a simple ICMP (Ping) request from a node on the network that is supposed to go over the VPN Tunnel.  When I packet sniff those ICMP requests, I see it hit the interface, translate and end up ESP traffic over the tunnel and back....the vendor verify he sees the pings on the other end....no problem......I do a SCTP request from that same node, I see it hit the interface, not get translated and then egress the outside interface....clearly not headed for the VPN tunnel.....for whatever reason the FW does not see it as interesting traffic.....I have specified Proto 132 and the hit count remains "0".  In the packet sniff I can clearly see in the IP header Proto:SCTP
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 1

Author Comment

by:authentify
ID: 24819972
asaevener,

They say they do but to what capacity they do not specify...so are they passing SCTP?  Who knows...I can post my config but it will have to be tomorrow......
0
 
LVL 28

Expert Comment

by:asavener
ID: 24820211
Sounds like the SCTP traffic gets picked up by NAT.  (Cisco devices have an order of operations; NAT takes place before crypto.)

Make sure you have a "nat (inside) 0 access-list <ACL-name>" command, and that the SCTP traffic is listed in the access list.
0
 
LVL 1

Author Comment

by:authentify
ID: 24820306
So I created access-list 199...allowed 192.168.1.x to any Destination and defined the 132 protocol with an object group....I can't apply the NAT because it says "access list 199 contains a protocol or port"

If I list ip, that doesn't seem to natively cover 132 for some reason.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24822611
OK, try "nat (inside) 0 192.68.1.0 255.255.255.0".
0
 
LVL 28

Expert Comment

by:asavener
ID: 24824462
Er... Should be "192.168.1.0"
0
 
LVL 1

Author Comment

by:authentify
ID: 24824869
Yeh no nat is not going to work....from my understanding...my crypto map is from 66.54.x.x to the destination on the other end...my static nat is from 192.168.x.x to 66.54.x.x...no nat means no traffic is sent to the crypto map ACL....so when I put a no nat statement in no traffic goes over the vpn...

So it looks from packet sniffs that the nat works in getting it to the outside interface it is just ignored by the crytpo map as uninteresting traffic.
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 24825872
So, does a "show xlate" display the SCTP traffic as being NAT'd correctly?

Still kinda flying in the dark here, without a config to peruse.
0
 
LVL 1

Author Comment

by:authentify
ID: 24836973
Hey all sorry to go dark there for a little bit....the truth is that setting up the VPN through thye ASDM is not rocket science, so it was clear that the acl and ace's were all correct, especially since ICMP traffic would clearly use the correct crypto map ACL....the problem is with the SCTP traffic specifically.  

It clearly does not like being NAT'd...this goes back to the ASA's having no native support for SCTP.  When i set up the vpn tunnel as a direct connect network....menaing the other end accepting traffic directly from the nodes and not translating the address, it worked fine.  

asavener, you were correct in the nat was the problem, but it is further than that just a bit.  The ASA does not want to translate addreses when the protocol is SCTP and Cisco has confirmed that.....very disappointed in Cisco though, this protocol is not that new....
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question