Cisco ASA 5505 to CheckPoint FW VPN tunnel and management of ASA through tunnel

einangen
Hi.  

I am trying to set up a VPN tunnel from some remote location to our central firewall.  There is a Cisco ASA 5505 on the remote location, a CheckPoint firewall in our main location.

I would like every last bit of data to go through the tunnel, including management of the ASA itself.  The CheckPoint firewall is supposed to take care of the "firewalling", so nothing needs to be filtered at the remote location, except the fact that _only_ traffic to or from our main network should be allowed, no internet access.

The problem is, if I can manage the ASA through the tunnel, the tunnel itself is useless, but if the tunnel is in use, I cannot manage the ASA.  

With the config I am running now, posted below, I seem able to initiate the tunnel from the remote location, but every time I try pinging or otherwise contacting the remote location from the main network, I get an error like this:
%ASA-3-313001: Denied ICMP type=8, code=0 from 172.30.4.213 on interface utside
%ASA-3-713042: IKE Initiator unable to find policy: Intf utside, Src: <ip of ASA>, Dst: <ip of my computer>

I am at a loss as to how I can make the IKE initiator find a policy, as I can't say I know where to make it look, so to say. :-)

The config below is modified to cut some of the insignificant crap and disguise some of the network topology and passwords.

I am fairly certain this is an ACL/crypto map problem, but I have been staring at this for so long, I am probably too blinded by it all to see the solution.


I would have given a lot more points for this solution, but I am fairly new to E-E.com...


: Saved
:
ASA Version 8.2(1)
!
terminal width 150
hostname asa-lakseveien
domain-name XXX.no
enable password * encrypted
passwd  * encrypted
names
name <some internal network ip> ADM_gml
name <some internal network ip> SS_server_gml
name <some internal network ip> SS_server
name <some internal network ip> ADM_server
<--- A few more internal networks ---->
name <network address of the remote location> VPN_lakseveien
name <ip of domain controller/DNS> hkdc02
name <ip of checkpoint firewall> hkgw01
!
interface Vlan81
 nameif innside
 security-level 100
 ip address <ip of "innside" interface - private address> 255.255.255.240
!
interface Vlan99
 nameif utside
 security-level 0
 ip address <ip of "utside" interface - public address> 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 99
!
interface Ethernet0/1
 switchport access vlan 81
!
interface Ethernet0/2
 switchport access vlan 81
!
interface Ethernet0/3
 switchport access vlan 81
!
interface Ethernet0/4
 switchport access vlan 81
!
interface Ethernet0/5
 switchport access vlan 81
!
interface Ethernet0/6
 switchport access vlan 81
!
interface Ethernet0/7
 switchport access vlan 81
!
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup innside
dns domain-lookup utside
dns server-group DefaultDNS
 domain-name XXX.no
dns server-group hk_dns
 name-server hkdc01
 name-server hkdc02
 domain-name XXX.no
dns-group hk_dns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type grp_ICMP_allowed
 icmp-object echo-reply
 icmp-object echo
 icmp-object unreachable
 icmp-object time-exceeded
object-group network grp_hk_ss_nett
 network-object SS_server_gml 255.255.128.0
 network-object SS_arbst_gml 255.255.128.0
 network-object SS_server 255.255.255.0
object-group network grp_hk_adm_nett
 network-object ADM_gml 255.255.0.0
 network-object ADM_server 255.255.255.0
object-group protocol grp_proto
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
 protocol-object ip
object-group network grp_VPN_innside
 description Innsiden av VPN-nettet
 network-object VPN_lakseveien 255.255.255.240
object-group network grp_hk_nett
 group-object grp_hk_ss_nett
 group-object grp_hk_adm_nett
object-group network grp_hk_alle_nett
 group-object grp_hk_nett
 group-object grp_VPN_innside
 network-object <ip of "utside" interface> 255.255.255.255
access-list acl_alle extended permit object-group grp_proto object-group grp_hk_alle_nett object-group grp_hk_alle_nett
access-list acl_alle extended permit object-group grp_proto host <ip of "innside" interface> object-group grp_hk_alle_nett
access-list acl_alle extended permit object-group grp_proto host <ip of "utside" interface> object-group grp_hk_alle_nett
pager lines 40
logging enable
logging timestamp
logging list syslog_informational level informational
logging list syslog_notifications level notifications
logging buffer-size 16384
logging console syslog_notifications
logging buffered syslog_notifications
logging trap syslog_notifications
logging history syslog_notifications
logging asdm syslog_notifications
logging device-id hostname
logging host utside hksyslog
logging flash-bufferwrap
mtu innside 1500
mtu utside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group acl_alle in interface innside
access-group acl_alle out interface innside
access-group acl_alle in interface utside
access-group acl_alle out interface utside
route utside 0.0.0.0 0.0.0.0 hkgw01 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http ADM_it 255.255.255.0 innside
http VPN_lakseveien 255.255.255.240 innside
http ADM_server 255.255.255.0 innside
http ADM_gml 255.255.0.0 innside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cryptomap 1 match address acl_alle
crypto map cryptomap 1 set peer hkgw01
crypto map cryptomap 1 set transform-set ESP-AES-256-SHA
crypto map cryptomap interface innside
crypto map cryptomap interface utside
crypto isakmp enable innside
crypto isakmp enable utside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp am-disable
telnet timeout 5
ssh scopy enable
ssh ADM_it 255.255.255.0 innside
ssh ADM_server 255.255.255.0 innside
ssh ADM_gml 255.255.0.0 innside
ssh VPN_lakseveien 255.255.255.240 innside
ssh timeout 30
ssh version 2
console timeout 0
management-access innside
!
tunnel-group <ip of external firewall> type ipsec-l2l
tunnel-group <ip of external firewall> ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

Commented:
Okay, seems like either this was a tough one, or I didn't award enough points.  

However, I found the solution myself, after talking to a CCIE for half an hour.  It turned out I was right, this was an ACL/crypto map problem.  Still not sure exactly where it went wrong, but after making the setup a lot simpler, I got it working.

Now, I use an ACL that looks like this:

access-list 101 extended permit ip any any

and a crypto map that looks like this:

crypto map kryptering 10 match address 101
crypto map kryptering 10 set peer hkgw01
crypto map kryptering 10 set transform-set ESP-AES-256-SHA
crypto map kryptering interface utside

The access-list is enabled in all directions on all interfaces, and there is only one route, namely to our main site firewall.

This effectively accepts _everything_ to and from our main firewall, as long as it is encrypted with the crypto map, which in turn ensures it is only our own traffic that is allowed through.  As stated originally, this is our intent, the firewall takes care of the rest of the security.

This method also opened up another solution, as dhcprelay needed special attention in the previous setup.  It seems that the replies to dhcprelay requests are missing the source information in the IP packet (Not sure that is entirely true, I am no in-depth expert on that particular protocol, but that is how it seems in the logs of the ASA.)  Therefore, the ACL had to be quite permissive to include dhcprelay information.  As it now includes everything, the problem went away entirely, and dhcprelay now works perfectly.

There was also a problem at one point that the ASA constructed the IKE/isakmp/Phase1 tunnel on the wrong interface, making the tunnel work for management or ordinary traffic, but not both.  Since everything now is controlled by one ACL and one crypto map, accepted on any interface in any direction, and I also made sure that IKE/isakmp/Phase1 is enabled on only the outside interface, that problem is also gone.  

Some people may think split tunnelling is the way to go, but I think I disagree.  CheckPoint firewalls have no good way of setting that up, if at all possible.  

I am aware that this probably is _not_ a sufficient solution for everyone with this kind of setup, as they probably want the ASA to secure a bit more than I have done.  However, it may provide a starting point.  I will most likely try making the opening a little smaller in time, but for now, it is enough.

As I have been working on this problem for about 100 hours total now, without finding any good explanations to what I did wrong, I hope this helps a few people out there.  Thanks to the CCIE in Bodø, Norway who helped me realize where the problem was.  I am certainly going to consider taking some Cisco classes after this.
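
An added example, not part of the original post: a Python check that flags the two conditions the answer describes removing (a crypto map bound to more than one interface, ISAKMP enabled on more than one interface) and the `permit ip any any` crypto ACL the author intends to narrow later. The finding names are made up for this sketch, and the `crypto isakmp enable utside` line in the second sample is constructed from the answer's prose rather than copied from it.

```python
import re

# Excerpt of the question's configuration (lines copied from the post).
ORIGINAL = """\
access-list acl_alle extended permit object-group grp_proto object-group grp_hk_alle_nett object-group grp_hk_alle_nett
crypto map cryptomap 1 match address acl_alle
crypto map cryptomap interface innside
crypto map cryptomap interface utside
crypto isakmp enable innside
crypto isakmp enable utside
"""

# Simplified setup from the answer; the isakmp line is constructed from its prose.
SIMPLIFIED = """\
access-list 101 extended permit ip any any
crypto map kryptering 10 match address 101
crypto map kryptering interface utside
crypto isakmp enable utside
"""

def audit(config):
    """Return a sorted list of finding codes for an ASA 8.2-style config."""
    bindings, ike_ifs, crypto_acls, any_any = {}, set(), set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            bindings.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.fullmatch(r"crypto isakmp enable (\S+)", line):
            ike_ifs.add(m.group(1))
        elif m := re.fullmatch(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m.group(1))
        elif m := re.fullmatch(r"access-list (\S+) extended permit ip any any", line):
            any_any.add(m.group(1))
    findings = []
    for name, ifs in bindings.items():
        if len(ifs) > 1:  # same map applied on inside and outside
            findings.append(f"crypto-map-multi-interface:{name}:{','.join(sorted(ifs))}")
    if len(ike_ifs) > 1:  # Phase 1 may be negotiated on the wrong interface
        findings.append(f"isakmp-multi-interface:{','.join(sorted(ike_ifs))}")
    for acl in crypto_acls & any_any:  # ASA filters nothing; the peer must
        findings.append(f"crypto-acl-any-any:{acl}")
    return sorted(findings)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("simplified", SIMPLIFIED)):
        print(label, audit(cfg))
```

The `crypto-acl-any-any` finding on the simplified setup is expected: it records that all filtering is delegated to the CheckPoint firewall, which is the trade-off the answer states.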

