access-list and vpn tunnel

Unanswered Question
Apr 14th, 2007
User Badges:

I have a 515 running ASA 7.2 software which is configured as a remote access vpn, site to site tunnel, and is a firewall between hosts on the inside and the Internet. VPN was working fine until I placed an ACL on the inside interface. I was always under the impression that vpn traffic was exempt from ACLs, but just to make sure I added an ACL that permitted hosts on the inside network to hosts on the remote access network. Inside network being 10.0.0.0/8 and the vpn remote access network being 192.168.8.0/24

my access list read

permit ip any 192.168.8.0 255.255.255.0

and was getting hits. Now though I've been having problems with remote access clients being able to use certain protocols and apps. They are able to establish the tunnel, but when trying to make a connection to say remote desktop, they temporarily make the connection but then get the error

"because of an error in data encryption, your session will end." I've removed the ACL, but the behavior persists. No other changes have been made, I've rebooted the firewall and my Internet router. The same behavior is apparent on the site to site tunnel as well. I enabled some debugging on crypto, but nothing really looks wrong with the connections being made, only the traffic being sent over the tunnels. Anyone have any ideas?


thank you,


Bill

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
WILLIAM STEGMAN Sat, 04/14/2007 - 13:32
User Badges:

it turned out to be a service policy rule was causing the problem, but could someone clarify the ACL and vpn question? That is, if I have an acl on the inside interface, do I need to account for VPN traffic, or is all vpn traffic, tunnels included, exempt from acl inspection?


thanks

8c-stone Mon, 01/28/2008 - 06:08
User Badges:

Hi mate,


Unfortunately I dont know the answer to your query, but am desperately trying to find out...I have some un-explained VPN behaviour, which I'm attributing the the ACLs currently, but the ACLs on the outside interface are not allowing IPSec, yet the tunel is established, and there are no hits against the inside ACLs, so it seems as though the Crypto ACLs take precedence over the interface ACLs...but I would like confirmation...so please post a reply if you were able to find out....?

WILLIAM STEGMAN Mon, 01/28/2008 - 06:47
User Badges:

All my practical testing and experience led me to the conclusion that the sysopt connection command doesn't exempt the vpn traffic from acls I had in place on my inside interface. In other words, I needed to account for the vpn subnet when configuring my inside access list, otherwise the inside hosts were unable to communicate return traffic to those vpn clients initiating traffic.


pjhenriqs Mon, 01/28/2008 - 06:56
User Badges:

I was not suggesting the inside interface has anything to do with it. The bypass is done on the outside access list because of the way the firewall works with the security level.


The traffic from the inside to the outside is allowed anyway (unless your rules don't specify it), so it doesn't need any ACL and you need to bypass the IPSEC on the outside ACL.

pjhenriqs Mon, 01/28/2008 - 06:15
User Badges:

Hi there,


A basic question, are you allowing the IPSEC to bypass the access lists?


hostname(config)# sysopt connection permit-ipsec


Do you have this command?


I believe this would be the only reason that would make your tunnel be established if there is nothing on your outside ACL's.


HTH,

Paulo

Actions

This Discussion