[Openswan Users] Looking for some cisco help: IPsec protoport= and NAT

Paul Wouters paul at xelerance.com
Wed Nov 10 21:39:40 EST 2010


Hi,

I have a Cisco ASA 5505 <-> openswan connection that uses
leftprotoport=6/80 and leftsubnet=0.0.0.0/0 to send web traffic over the
tunnel. All non-web traffic is supposed to go out without encryption,
and get NAT'ed.

However, when specifying this on the Cisco, it sends out non-port-80 traffic
without NAT. E.g. the traffic is going through neither IPsec nor NAT, and is then
dropped at the next hop for having an invalid source IP.

I am not a very experienced Cisco person, so I was hoping someone here
could help. What I think is the relevant part of the config (created using
the web GUI ASDM software, so I don't fully understand it) is:

object-group service http tcp
  description http
  port-object eq www
object-group service DM_INLINE_TCP_1 tcp
  group-object http
  port-object eq https
object-group service DM_INLINE_TCP_2 tcp
  group-object http
  port-object eq https
object-group service DM_INLINE_TCP_3 tcp
  group-object http
  port-object eq https
access-list inside_access_in remark allow all
access-list inside_access_in extended permit ip any any 
access-list outside_access_in remark all
access-list outside_access_in extended permit ip any any 
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 any 
access-list outside_cryptomap extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.10.157.65 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group5
crypto map outside_map1 1 set peer 76.10.157.74 
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 3

group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec 
tunnel-group 76.10.157.74 type ipsec-l2l
tunnel-group 76.10.157.74 ipsec-attributes
  pre-shared-key *


And the corresponding ipsec.conf part is:

conn cisco80
	also=cisco-base
	leftprotoport=6/80
conn cisco443
	also=cisco-base
	leftprotoport=6/443
conn cisco-base
	left=76.10.157.74
	right=76.10.157.76
	authby=secret
	auto=add
	rekey=no
	leftsubnet=0.0.0.0/0
	rightsubnet=192.168.77.0/24
	rightprotoport=6/%any

Again, port 80 and port 443 traffic works fine, and triggers an IPsec connection that works,
but any other port results in traffic sent to "outside" without getting NAT'ed.

Paul
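Editor's note (added example, not part of Paul's message or of either project): the posted config has two ACLs that decide what happens to an outbound packet, `inside_nat0_outbound` (NAT exemption, `permit ip 192.168.77.0/24 any`) and `outside_cryptomap` (`permit tcp 192.168.77.0/24 any eq 80/443`), and the ASA evaluates the crypto-map ACL against the packet as it looks after NAT. The model below replays both ACLs over a few constructed packets, once with the nat0 ACL as posted and once with a nat0 ACL that mirrors the crypto ACL. The ASA outside address is taken from `right=` in the posted ipsec.conf; the packets and destination address are constructed.

```python
"""
Model of how the posted ASA config treats one outbound packet: first the
NAT-exemption ACL (nat (inside) 0 ...), then the crypto-map ACL, which the
ASA evaluates against the post-NAT packet.  Added example for this thread,
not part of the original message; the packets below are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 when the protocol has none


INSIDE_NET = "192.168.77.0/24"
ASA_OUTSIDE_IP = "76.10.157.76"   # right= in the posted ipsec.conf

# One ACE per dict: source network, protocol ("ip" = any) and optional
# destination ports, mirroring the "extended permit" lines in the post.
CRYPTO_ACL = [{"src": INSIDE_NET, "proto": "tcp", "dports": {80, 443}}]
NAT0_ACL_POSTED = [{"src": INSIDE_NET, "proto": "ip"}]   # exempts everything
NAT0_ACL_MIRRORED = list(CRYPTO_ACL)                     # exempts only tunnel traffic


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """Does one access-list entry permit this packet?"""
    if ip_address(pkt.src) not in ip_network(ace["src"]):
        return False
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    return "dports" not in ace or pkt.dport in ace["dports"]


def acl_permits(acl: list, pkt: Packet) -> bool:
    return any(ace_matches(ace, pkt) for ace in acl)


def forward(pkt: Packet, nat0_acl: list) -> tuple:
    """Return (source address on the wire, encrypted?) for one packet."""
    if not acl_permits(nat0_acl, pkt):
        # nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface:
        # everything not exempted is PAT'ed to the outside interface address.
        pkt = replace(pkt, src=ASA_OUTSIDE_IP)
    # The crypto map is matched against the post-NAT packet.
    return pkt.src, acl_permits(CRYPTO_ACL, pkt)


def outcome(pkt: Packet, nat0_acl: list) -> str:
    """Classify the packet's fate: 'ipsec', 'nat' or 'leak'."""
    src, encrypted = forward(pkt, nat0_acl)
    if encrypted:
        return "ipsec"
    if ip_address(src) in ip_network(INSIDE_NET):
        return "leak"   # private source sent in the clear: dropped at next hop
    return "nat"


if __name__ == "__main__":
    web = Packet("192.168.77.10", "203.0.113.5", "tcp", 80)
    ssh = Packet("192.168.77.10", "203.0.113.5", "tcp", 22)
    dns = Packet("192.168.77.10", "203.0.113.5", "udp", 53)
    for name, acl in (("posted nat0", NAT0_ACL_POSTED),
                      ("mirrored nat0", NAT0_ACL_MIRRORED)):
        print(name, [outcome(p, acl) for p in (web, ssh, dns)])
```

With the nat0 ACL as posted, every packet from 192.168.77.0/24 is exempt from NAT, so a port-22 packet keeps its private source and, since it does not match the crypto ACL, leaves in the clear: the "leak" case the message describes. With a nat0 ACL restricted to the same tcp 80/443 match as `outside_cryptomap`, port-80 traffic still enters the tunnel and everything else is PAT'ed to the outside address first.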