We currently have a site-to-site VPN in tunnel mode running between our corporate network and our DR site to provide secure replication to our DR site. I am making some firewall changes this weekend that will place an IOS Zone-Based FW between the 2 sites (to provide 2 firewalls for the corporate site - creating a DMZ in the middle).
The Corporate site and the DR site are all within our Autonomous System, so there is no NAT involved, as all the routes are private. I have a VPN to provide extra protection at each site, because they are both accessible via the Internet (I wanted to keep the ACL small on each ASA's outside interface). Anyway, to my question.
I am implementing a zone-based firewall on the edge router to provide additional protection. On the ACL for the zone-pair between my corporate and DR site, if I switch the VPN to transport mode, should these ACEs work?
Corporate ASA = 18.104.22.168
Corporate Net = 10.10.10.0/24
DR ASA = 22.214.171.124
DR Net = 126.96.36.199/24
permit esp 10.10.10.0 0.0.0.255 188.8.131.52 0.0.0.255
permit udp host 184.108.40.206 host 220.127.116.11 eq isakmp
permit esp 18.104.22.168 0.0.0.255 10.10.10.0 0.0.0.255
permit udp host 22.214.171.124 host 126.96.36.199 eq isakmp
I'm pretty sure this is correct; however, I wanted a little reassurance before I made these changes Saturday.
This link describes IPsec features as a protocol, transport and tunnel mode being among those features; what I mean is that the ASA, as a Cisco solution, does not support transport mode for LAN-to-LAN tunnels.
Now, since you made me hesitate on my answer, I did a quick test connecting 2 ASAs back to back and setting up a LAN-to-LAN tunnel using transport mode. The tunnel came up fine, yet traffic did not go through. The reason? The ASA was dropping it due to the fact that the SA and classification of the secured traffic should be from peer to peer (as normal tunnel mode works); in our case the ASA received an ESP packet from the internal network of the remote ASA, which does not match the classification, therefore it is being dropped.
ESP request discarded from 188.8.131.52 to outside:10.1.1.2
Deny inbound protocol 50 src outside:184.108.40.206 dst identity:10.1.1.2
This message shows after configuring some nat and acl rules to see if it accepts traffic:
IPSEC: Received a non-IPSec packet (protocol= ESP) from 220.127.116.11 to 10.1.1.2.
So as you can see it is more like a limitation of the platform or something.
Now the question I have for you is: why the need for transport mode?
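An added example, not from the thread, that evaluates the shape of the ACEs proposed in the question against the flows a tunnel-mode LAN-to-LAN SA actually puts on the wire: because the ASA will not run transport mode for LAN-to-LAN, ESP arrives peer to peer between the ASA outside addresses, so a zone-pair ACL that matches ESP on the LAN ranges never sees a hit and the implicit deny drops the tunnel traffic. All addresses are constructed placeholders, and the tiny ACE parser is an assumption that covers only the `host`/wildcard/`eq` syntax used on this page.

```python
import ipaddress

# Constructed placeholder addresses; the thread's own values are scrubbed.
CORP_ASA, DR_ASA = "192.0.2.1", "198.51.100.1"
PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords

# Shape of the ACEs proposed in the question: ESP matched on the LAN ranges
# (the transport-mode assumption), ISAKMP matched on the two peers.
PROPOSED_ACL = [
    "permit esp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255",
    f"permit udp host {CORP_ASA} host {DR_ASA} eq isakmp",
    "permit esp 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255",
    f"permit udp host {DR_ASA} host {CORP_ASA} eq isakmp",
]
# Tunnel mode: ESP is carried peer to peer, so match it on the ASA outside IPs.
TUNNEL_MODE_ACL = [
    f"permit esp host {CORP_ASA} host {DR_ASA}",
    f"permit esp host {DR_ASA} host {CORP_ASA}",
    f"permit udp host {CORP_ASA} host {DR_ASA} eq isakmp",
    f"permit udp host {DR_ASA} host {CORP_ASA} eq isakmp",
]

def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at token index i."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard mask is the bitwise inverse of a netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_ace(line):
    """Return (action, proto, src_net, dst_net, dst_port|None) for one ACE."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    port = PORTS.get(t[i + 1], t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[0], t[1], src, dst, (int(port) if port is not None else None)

def verdict(acl, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    for action, p, s, d, port in map(parse_ace, acl):
        if (p == proto and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action
    return "deny"

def check_tunnel_mode(acl):
    """Verdicts for the flows a tunnel-mode L2L SA actually produces."""
    return {"esp corp->dr": verdict(acl, "esp", CORP_ASA, DR_ASA),
            "esp dr->corp": verdict(acl, "esp", DR_ASA, CORP_ASA),
            "isakmp corp->dr": verdict(acl, "udp", CORP_ASA, DR_ASA, 500)}
```

Running `check_tunnel_mode` on both lists shows the proposed ESP entries denying the peer-to-peer ESP that tunnel mode sends while the ISAKMP entries already match correctly.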