Site to site VPN ASA2ASA funny crypto ACL behaviour

Answered Question
Sep 1st, 2010

Hi,


I am running a site to site VPN between two ASAs. It is working, but it shouldn't be; in my opinion there is a bug. The thing is that when I define the traffic to be encrypted in one ACL, this traffic is denied and the tunnel doesn't work. If I remove from the ACL the entries I am really interested in encrypting, it works....


So, for example.


I establish a tunnel between the two ASAs and specify


access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60


crypto map colt_map 20 match address VPN

crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map 20 set security-association lifetime kilobytes 4608000


When I have this, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:


access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60

access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59


Then I have communication between host 172.16.0.60 and host 172.20.24.60, but not between host 172.16.0.59 and host 172.20.24.59.


It looks very funny to me. I am wondering if someone had this behaviour before or could explain it?


Thanks in advance.

Federico Coto F... Wed, 09/01/2010 - 07:49

Hi,


It looks very weird, but by any chance is the ACL VPN the same ACL used for NAT on this ASA?

If the ACL VPN is for NAT, it makes sense that you exempt from NAT the traffic between both IPs.


Please make sure that the NAT ACL and the VPN ACL are not both access-list VPN.


Federico.

praprama Wed, 09/01/2010 - 07:53

Hey,


My thought is that there is something conflicting in the configuration that is leading to this behavior. Can you send the current config of your ASA for us to have a look?


Thanks and Regards,

Prapanch

jordisuste Thu, 09/02/2010 - 07:03

Do you know why ACLs for the encrypted tunnel have to be for IP traffic rather than for TCP, for example?


The configuration I was talking about is about that. When I enable the ACL only for TCP traffic to specific ports, it stops working (even if the other side is configured the same).


Any BIG reason for this?

Federico Coto F... Thu, 09/02/2010 - 07:17

Crypto ACLs are for IPsec, so they should protect IP (they should be defined as IP protocol) using either permit or deny statements.

If you don't want to communicate the entire IP protocol, but instead just TCP/UDP ports, then you can filter the VPN traffic (but the crypto ACLs should still be permit/deny IP).


Another point about crypto ACLs is that the "any" keyword is discouraged. This is because all inbound packets that lack IPsec protection are silently dropped, including packets for routing protocols, Network Time Protocol (NTP), echo, echo response, and so on...


So, crypto ACLs are not regular ACLs; they are access lists used by IPsec to define the IP traffic that is either sent or not sent through an IPsec tunnel.


Federico.

jordisuste Thu, 09/02/2010 - 07:23

So, to permit or deny specific traffic (TCP/UDP), an ACL with this specific traffic (denied or allowed) should be added to the interface, right?


I also saw it is possible with the "group-policy" command, where you add to a specific ACL the TCP port that you want to deny/allow, and then in the VPN group you add the group policy where the ACL is applied.

Correct Answer
Federico Coto F... Thu, 09/02/2010 - 07:38

Yes.

In ASAs, VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn

You can see if that command is enabled by doing: sh run all sysopt


If you remove that command: no sysopt connection permit-vpn

then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).


A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.


Federico.
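
A worked configuration that puts the whole thread together (the crypto ACL kept at the IP level, the NAT exemption on a separate ACL as suggested earlier in the thread, and a vpn-filter on the group-policy to restrict ports). This is an added example and not config posted by anyone in the thread; the ACL, group-policy and transform-set names, the 172.16.0.0/24 and 172.20.24.0/24 networks, the port choices and the pre-shared key are all assumed for illustration, the NAT line uses pre-8.3 "nat 0 access-list" syntax, and the ISAKMP policy plus "crypto isakmp enable outside" are assumed to be configured already.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax; all names,
! addresses and ports are assumptions chosen for illustration.

! Crypto ACL: interesting traffic only. Keep it "permit ip" and give it a
! name that is not shared with any NAT ACL.
access-list CRYPTO_TO_REMOTE extended permit ip host 172.16.0.60 host 172.20.24.60
access-list CRYPTO_TO_REMOTE extended permit ip host 172.16.0.59 host 172.20.24.59

! NAT exemption gets its own ACL so the same local/remote pairs are not
! translated before they reach the crypto map.
access-list NONAT_TO_REMOTE extended permit ip 172.16.0.0 255.255.255.0 172.20.24.0 255.255.255.0
nat (inside) 0 access-list NONAT_TO_REMOTE

! vpn-filter: write it with the REMOTE side as source and the LOCAL side as
! destination. The ASA applies it to decrypted traffic arriving from the tunnel
! and, with source/destination swapped, to local traffic about to be encrypted,
! so one entry covers both directions of a flow. Here the remote hosts may only
! reach SSH (22) and HTTPS (443) on their local peer; the final deny is implicit
! but written out so it shows up in hit counters.
access-list VPN_FILTER_REMOTE extended permit tcp host 172.20.24.60 host 172.16.0.60 eq 22
access-list VPN_FILTER_REMOTE extended permit tcp host 172.20.24.60 host 172.16.0.60 eq 443
access-list VPN_FILTER_REMOTE extended permit tcp host 172.20.24.59 host 172.16.0.59 eq 443
access-list VPN_FILTER_REMOTE extended deny ip any any

! The filter lives on the group-policy, which the L2L tunnel-group points at.
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VPN_FILTER_REMOTE

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GP_REMOTE
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key example-psk-replace-me

! Crypto map built on the IP-level ACL above (same map name on every entry).
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto map test_map 20 match address CRYPTO_TO_REMOTE
crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map interface outside

! Leave the default: VPN traffic bypasses the interface ACL and the vpn-filter
! is what restricts it. Confirm the setting with "sh run all sysopt".
sysopt connection permit-vpn
```

The remote ASA needs the mirror image: its crypto ACL lists the same host pairs with local and remote swapped, and its vpn-filter is written with 172.16.0.0/24 hosts as source. If you instead choose "no sysopt connection permit-vpn", the port restriction moves to the outside interface ACL, but that ACL then also has to permit the decrypted traffic from every tunnel on that interface, which is why the group-policy filter is the cleaner place for per-tunnel rules.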
