I am running a site to site VPN between two ASAs. It is working but it shouldn't be working, in my opinion there is a bug. The thing is that when I define the traffic to be encrypted in one ACL, this traffic is denied, and the tunnel doesn't work. If I remove from the ACL the entries I am really interested in encrypting, it works...
So, for example.
I establish a tunnel between the two ASAs and specify
access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60
crypto map test_map 20 match address VPN
crypto map test_map 20 set peer 184.108.40.206
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map 20 set security-association lifetime kilobytes 4608000
When I have this, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:
access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60
access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59
Then I have communication between 172.16.0.60 and 172.20.24.60 but not between 172.16.0.59 and 172.20.24.59.
It looks very funny to me. I am wondering if someone had this behaviour before or could explain it?
Thanks in advance.
On ASAs, VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn
You can see if that command is enabled by doing: sh run all sysopt
If you remove that command: no sysopt connection permit-vpn
then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).
A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.
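The vpn-filter approach described above, as an added configuration example that is not part of the original post or the answer. It reuses the post's hosts and peer address; the group-policy name VPN_GP and the ACL name VPN_FILTER are assumed, and the crypto map / transform-set from the question are assumed to stay as they were.

```cisco
! Added example (not from the original post). Keep the default bypass of
! the interface ACL and restrict tunnel traffic with a vpn-filter instead.
! Assumed names: group-policy VPN_GP, ACL VPN_FILTER. Peer and hosts are
! the post's examples; the existing crypto ACL "VPN" is left untouched.
!
! Default on the ASA: traffic arriving through a VPN skips the outside ACL.
sysopt connection permit-vpn
!
! The crypto ACL still only defines the interesting traffic (keep the permit,
! do not try to filter with deny entries here):
access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60
!
! vpn-filter ACLs are written from the REMOTE peer's perspective:
! source = remote host, destination = local host. The same ACL is applied
! to traffic in both directions of the tunnel.
access-list VPN_FILTER extended permit tcp host 172.20.24.60 host 172.16.0.60 eq 443
access-list VPN_FILTER extended permit icmp host 172.20.24.60 host 172.16.0.60
! Anything else inside the tunnel hits the implicit deny of VPN_FILTER.
!
group-policy VPN_GP internal
group-policy VPN_GP attributes
 vpn-filter value VPN_FILTER
!
! For an IPsec L2L tunnel the tunnel-group is named after the peer address.
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 184.108.40.206 general-attributes
 default-group-policy VPN_GP
!
! Checks: confirm the bypass is still on, then watch the filter drop counters.
! show run all sysopt | include permit-vpn
! show access-list VPN_FILTER
```

If the filter should also allow connections that the local side opens toward the remote host, add a matching line with the remote host as source and the local host as destination on the port in question; the filter is evaluated against both directions, so a single ACL covers the whole tunnel.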