egress rule applied BEFORE traffic is encrypted?

Unanswered Question
Aug 14th, 2008

ASA5505-ROFL-(config)# packet-tracer input ROFLside icmp 172.17.171.2 8$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 VPNside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ROFL_allow in interface ROFLside
access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:
Static translate 172.17.171.2/0 to 172.17.171.2/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:

Result:
input-interface: ROFLside
input-status: up
input-line-status: up
output-interface: VPNside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Shouldn't my 172.17.171.0 traffic be encrypted inside an ipsec packet with the VPNside ip address (172.17.168.0) in its headers, thus allowing it to get past my egress rule (VPN_deny)?
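As an added example (not code from the original thread or from Cisco), a small Python script that parses packet-tracer output like the trace above and reports which phase dropped the flow, the access-group line responsible, and whether a VPN encrypt phase ran before it. The sample trace is a constructed excerpt of the output posted above (phases 8 and 10 only).

```python
# Constructed sample: phases 8 and 10 copied from the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:
"""

def parse_phases(text):
    """Turn packet-tracer output into one dict per 'Phase:' block (config lines kept raw)."""
    phases = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue  # skip empty runs and the trailing 'Result:' summary
        fields, in_config = {"config": []}, False
        for line in lines:
            key, _, value = line.partition(":")
            if key == "Config":
                in_config = True
            elif key == "Additional Information":
                in_config = False
            elif in_config:
                fields["config"].append(line)  # access-group / access-list / static lines
            else:
                fields[key.lower()] = value.strip()  # phase, type, subtype, result
        phases.append(fields)
    return phases

def diagnose_drop(phases):
    """Return (drop phase no., dropping access-group line, earlier VPN-encrypt phase no. or None)."""
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return None  # trace ended in ALLOW; nothing to explain
    drop_no = int(drop["phase"])
    encrypt = next((int(p["phase"]) for p in phases if p.get("type") == "VPN"
                    and p.get("subtype") == "encrypt" and int(p["phase"]) < drop_no), None)
    group = next((l for l in drop["config"] if l.startswith("access-group ")), None)
    return drop_no, group, encrypt
```

On the trace above this returns (10, 'access-group VPN_deny out interface VPNside', 8): the egress ACL matched the cleartext 172.17.171.0 source in phase 10 even though the encrypt phase appears earlier, which is the ordering the question is about.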

Farrukh Haroon Sat, 08/16/2008 - 23:11

No, the ASA still checks the VPN interesting traffic even at the outbound/egress interface. You will find that packets will be decrypted but not encrypted with this setup.


Regards


Farrukh

slug420 Sun, 08/17/2008 - 09:47

Why does it show phase 8 as encrypting traffic? Does the firewall decrypt the traffic to pass the egress ACL and then re-encrypt?

Farrukh Haroon Sun, 08/17/2008 - 11:54

Try to run a packet-tracer after allowing the traffic in the ACL, maybe there is another step after the ACL check for encryption (besides step 8 which is not so clear).


Regards


Farrukh
