Solved

VPN cisco asa 5505 Deny inbound protocol 50

Posted on 2012-03-14
2,319 Views
Last Modified: 2012-08-13
We have a cisco asa 5505 at a customer site. It has a VPN tunnel to another site and it had been working fine. After they lost their internet connection (they might have restarted the firewall as well) they cannot get to the second site. The tunnel goes up successfully, but any time we try to communicate to the other site IP (remote desktop, files, ping, etc) the asdm syslog shows "deny inbound protocol 50 src outside:148.122.163.26  dst outside:193.213.14.142"

our inside ip: 192.168.8.0
our outside: 193.213.14.142
other site ip: 192.168.200.0
their outside: 148.122.163.26

Result of the command: "sh conf"

: Saved
: Written by enable_15 at 03:52:37.173 UTC Wed Mar 14 2012
!
ASA Version 7.2(3)
!
hostname ....
domain-name .....com
enable password ....
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group hatten
 ip address pppoe
 ospf cost 10
!
interface Vlan5
 no forward interface Vlan1
 nameif ungdom
 security-level 50
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ....
access-list acl_out extended permit ip 192.168.8.0 255.255.255.0 any
access-list acl_out extended permit ip 192.168.200.0 255.255.255.0 any
access-list outside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list outside_access_in extended permit ip 192.168.200.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.200.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu ungdom 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface ungdom
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ungdom) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.1.64 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.8.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 148.122.163.26
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group hatten request dialout pppoe
vpdn group hatten localname ....
vpdn group hatten ppp authentication pap
vpdn username ... .password .... store-local
dhcpd auto_config outside
!
dhcpd address 192.168.8.2-192.168.8.254 inside
dhcpd enable inside
!
dhcpd address 10.0.0.10-10.0.0.20 ungdom
dhcpd dns 208.67.222.222 208.67.220.220 interface ungdom
dhcpd enable ungdom
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group 148.122.163.26 type ipsec-l2l
tunnel-group 148.122.163.26 ipsec-attributes
 pre-shared-key *
prompt hostname context
Question by: techagikt

8 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37720236
Well the easy answer would be to say: add this to your ACL
access-list outside_access_in permit esp any host 193.213.14.142 and see if that works.

But as you mentioned, it worked before..... It almost looks like that tunnel wants to go through the ASA. If you do a sh ip, do you indeed see 193.213.14.142 as the outside ip?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37720245
Oh, I think I see. Try adding: crypto isakmp nat-traversal 20
 

Author Comment

by:techagikt
ID: 37728953
Thank you for the reply, but it is still not working.

* tried to add Any any for outside_access_in and does not help
* tried to do sh ip and it does show 193.213.14.142 as the outside ip
* sent crypto isakmp nat-traversal 20, saved and reloaded. it does not seem to have had an effect (except that it shows up in the config when sh conf is sent).

The VPN tunnel is up, but I still get the "deny inbound protocol" message.
 

Author Comment

by:techagikt
ID: 37729009
Result of the command: "sh conf"

: Saved
: Written by enable_15 at 03:17:28.122 UTC Fri Mar 16 2012
!
ASA Version 7.2(3)
!
hostname ,,,
domain-name ,,,
enable password,,,,encrypted
names
name 192.168.8.0 Hatten
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group hatten
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan5
 no forward interface Vlan1
 nameif ungdom
 security-level 50
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
passwd ,,,, encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ,,,,,
access-list acl_out extended permit ip Hatten 255.255.255.0 any
access-list acl_out extended permit ip 192.168.200.0 255.255.255.0 any
access-list outside_access_in extended permit ip Hatten 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip Hatten 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Hatten 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip Hatten 255.255.255.0 any
access-list inside_1_cryptomap extended permit ip Hatten 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap extended permit ip Hatten 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip Hatten 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu ungdom 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface ungdom
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ungdom) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.1.64 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http Hatten 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 148.122.163.26
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 148.122.163.26
crypto map outside_map0 1 set transform-set ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet Hatten 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group hatten request dialout pppoe
vpdn group hatten localname .............
vpdn group hatten ppp authentication pap
vpdn username ...........password..........store-local
dhcpd auto_config outside
!
dhcpd address 192.168.8.2-192.168.8.254 inside
dhcpd enable inside
!
dhcpd address 10.0.0.10-10.0.0.20 ungdom
dhcpd dns 208.67.222.222 208.67.220.220 interface ungdom
dhcpd enable ungdom
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock value 148.122.163.26
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp none
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group 148.122.163.26 type ipsec-l2l
tunnel-group 148.122.163.26 ipsec-attributes
 pre-shared-key *
prompt hostname context
no compression svc http-comp
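In the second configuration above, two crypto maps, outside_map (sequence 2) and outside_map0 (sequence 1), carry the same peer and equivalent ACLs, but only outside_map0 is applied to the outside interface, and the tunnel negotiated by the applied map uses ESP-DES-MD5 with ISAKMP policy 20 (DES, MD5, DH group 2). The Python below is an added example by the editor, not code from the thread: it parses those parts of an ASA 7.x running config and reports which maps are bound to an interface, which set a peer but are bound nowhere, and which live algorithm choices are weak. CONFIG is an excerpt of the posted configuration; the weakness classification is the editor's and is not something the thread raises.

```python
"""Audit the crypto section of an ASA 7.x configuration: which crypto map is
bound to which interface, which maps set a peer but are bound nowhere, and
whether the active transform sets and ISAKMP policies rely on DES, MD5, 3DES or
small DH groups.

Added example by the editor, not code from the thread. CONFIG is an excerpt of
the second configuration posted above; the weakness judgements are the
editor's and are not something the thread discusses.
"""
from collections import defaultdict

CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 148.122.163.26
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 148.122.163.26
crypto map outside_map0 1 set transform-set ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
"""

# Algorithm keywords as they appear in transform sets and ISAKMP policies.
WEAK = {
    "esp-des": "single DES", "des": "single DES",
    "esp-3des": "3DES (64-bit block)", "3des": "3DES (64-bit block)",
    "esp-md5-hmac": "HMAC-MD5", "md5": "MD5",
}
WEAK_DH = {"1", "2"}   # DH group 1 (768-bit) and 2 (1024-bit)


def parse(config: str) -> dict:
    transform_sets = {}        # name -> list of algorithm keywords
    maps = defaultdict(dict)   # (map name, sequence) -> {peer, transform-set, acl}
    bound = {}                 # map name -> interface it is applied to
    policies = {}              # policy number -> {authentication, encryption, hash, group}
    current_policy = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        parts = line.split()
        # Indented lines belong to the most recent "crypto isakmp policy" block.
        if raw.startswith(" ") and current_policy is not None:
            if parts[0] in ("authentication", "encryption", "hash", "group"):
                policies[current_policy][parts[0]] = parts[1]
            continue
        current_policy = None
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 5:
            if parts[3] == "interface":
                bound[parts[2]] = parts[4]
            elif parts[3].isdigit():
                entry = maps[(parts[2], int(parts[3]))]
                if parts[4:6] == ["set", "peer"]:
                    entry["peer"] = parts[6]
                elif parts[4:6] == ["set", "transform-set"]:
                    entry["transform-set"] = parts[6:]
                elif parts[4:6] == ["match", "address"]:
                    entry["acl"] = parts[6]
        elif parts[:3] == ["crypto", "isakmp", "policy"]:
            current_policy = int(parts[3])
            policies[current_policy] = {}
    return {"transform_sets": transform_sets, "maps": dict(maps),
            "bound": bound, "policies": policies}


def audit(config: str) -> list[str]:
    cfg = parse(config)
    findings = []
    for (name, seq), entry in sorted(cfg["maps"].items()):
        if "peer" not in entry:
            continue
        if name not in cfg["bound"]:
            findings.append(f"crypto map {name} {seq} sets peer {entry['peer']} "
                            f"but {name} is not bound to any interface")
            continue
        # Only transform sets referenced by a bound map are live; unused sets
        # (ESP-3DES-SHA above) are not reported.
        for ts in entry.get("transform-set", []):
            for alg in cfg["transform_sets"].get(ts, []):
                if alg in WEAK:
                    findings.append(f"crypto map {name} {seq} ({cfg['bound'][name]}) uses "
                                    f"transform-set {ts} with {alg}: {WEAK[alg]}")
    for num, pol in sorted(cfg["policies"].items()):
        for key in ("encryption", "hash"):
            alg = pol.get(key)
            if alg in WEAK:
                findings.append(f"isakmp policy {num} {key} {alg}: {WEAK[alg]}")
        if pol.get("group") in WEAK_DH:
            findings.append(f"isakmp policy {num} group {pol['group']}: DH modulus under 2048 bits")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the excerpt, the audit reports the unbound outside_map entry once and then five algorithm findings, all from the map and policy that are actually in use; the many unused transform sets the ASA defines by default are ignored because nothing binds them.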
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37729183
You did try access-list outside_access_in permit esp any host 193.213.14.142

So ESP, not IP.
 

Author Comment

by:techagikt
ID: 37736599
Yes, and I still receive:

3      Mar 18 2012      23:02:52      106010                   Deny inbound protocol 50 src outside:148.122.163.26 dst outside:Outside
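The two deny lines quoted in this thread, the ASDM text in the question and the 106010 row above, have the same shape. The Python below is an added example by the editor, not code from the thread: it parses that shape and separates the thread's symptom, ESP (IP protocol 50) from the configured peer 148.122.163.26 addressed to the firewall's own outside address, from ESP or other protocols arriving from other sources. The peer address, the interface name and the symbolic name Outside come from the page; the last two sample rows are constructed (203.0.113.x is a documentation range) so the other verdicts are exercised. A 106010 for protocol 50 addressed to the ASA itself indicates that the packet reached the interface ACL undecrypted, i.e. no IPsec SA on this side consumed it, which is consistent with the thread's finding that permitting ESP in outside_access_in changed nothing.

```python
"""Triage Cisco ASA 106010 "Deny inbound protocol" lines for the case seen in
this thread: ESP (IP protocol 50) from the configured IPsec peer hitting the
ASA's own outside address.

Added example by the editor, not code from the original post. The first two
log rows reproduce the two formats quoted in the thread; the last two rows are
constructed (203.0.113.x is a documentation range) to show the other verdicts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Core text shared by the plain syslog form and the ASDM log-viewer row. The
# ASDM row prefixes severity, date, time and the six-digit message ID, which is
# captured when present. The interface suffix may be an address or a symbolic
# name from the ASA name table ("Outside" in the row quoted above).
DENY_RE = re.compile(
    r"(?:(?P<msgid>\d{6})\s+)?"
    r"[Dd]eny inbound protocol (?P<proto>\d+)\s+"
    r"src (?P<src_if>[\w-]+):(?P<src>[\w.-]+)\s+"
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\w.-]+)"
)

ESP, AH = 50, 51


@dataclass
class Deny:
    proto: int
    src_if: str
    src: str
    dst_if: str
    dst: str
    msgid: Optional[str]


def parse_deny(line: str) -> Optional[Deny]:
    """Return the parsed deny, or None for lines of any other message type."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Deny(int(m["proto"]), m["src_if"], m["src"],
                m["dst_if"], m["dst"], m["msgid"])


def classify(d: Deny, peers: set[str], outside_if: str, self_names: set[str]) -> str:
    """Short verdict for one deny; the first verdict is the thread's symptom."""
    if d.proto not in (ESP, AH):
        return "not-ipsec"
    if d.src_if != outside_if:
        return "ipsec-on-unexpected-interface"
    to_self = d.dst_if == outside_if and d.dst in self_names
    if d.src in peers and to_self:
        # ESP from a configured peer reached the interface ACL as plain
        # protocol 50 instead of being decrypted: no SA on this side matched it.
        return "esp-from-known-peer-to-self"
    if d.src in peers:
        return "esp-from-known-peer-not-to-self"
    return "esp-from-unknown-peer"


# Peer and interface identity taken from the posted configuration and log rows.
PEERS = {"148.122.163.26"}
OUTSIDE_IF = "outside"
SELF_NAMES = {"193.213.14.142", "Outside"}

# First two rows quoted from the thread; last two constructed for the example.
SAMPLE_LOG = """\
deny inbound protocol 50 src outside:148.122.163.26 dst outside:193.213.14.142
3      Mar 18 2012      23:02:52      106010                   Deny inbound protocol 50 src outside:148.122.163.26 dst outside:Outside
3      Mar 18 2012      23:03:10      106010                   Deny inbound protocol 47 src outside:203.0.113.7 dst outside:193.213.14.142
3      Mar 18 2012      23:03:12      106010                   Deny inbound protocol 50 src outside:203.0.113.9 dst outside:193.213.14.142
"""


def triage(log_text: str) -> list[tuple[str, str]]:
    """(source address, verdict) for every 106010-style deny in the text."""
    out = []
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d is not None:
            out.append((d.src, classify(d, PEERS, OUTSIDE_IF, SELF_NAMES)))
    return out


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:16} {verdict}")
```

Both quoted rows come out as esp-from-known-peer-to-self; the constructed GRE row is ignored as not-ipsec and the constructed ESP from an unconfigured source is reported separately, which is the distinction worth alerting on when the same message ID covers all of them.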
 

Accepted Solution

by: techagikt (earned 0 total points)
ID: 37859425
ended up restoring to factory settings and setting it up again.
 

Author Closing Comment

by:techagikt
ID: 37877405
ended up restoring to factory settings and setting it up again.
