09-01-2010 02:11 AM
Hi,
I am running a site to site VPN between two ASAs. It is working but it shouldn't be working, in my opinion there is a bug. The thing is that when I define the traffic to be encrypted in one ACL, this traffic is denied, and the tunnel doesn't work. If I remove from the ACL the entries I am really interested in encrypting, it works...
So, for example.
I establish a tunnel between the two ASAs and specify
access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60
crypto map colt_map 20 match address VPN
crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map 20 set security-association lifetime kilobytes 4608000
When I have this, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:
access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60
access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59
Then I have communication between 172.16.0.60 and 172.20.24.60 but not between 172.16.0.59 and 172.20.24.59.
It looks very funny to me. I am wondering if someone has seen this behaviour before or could explain it?
Thanks in advance.
09-01-2010 07:49 AM
Hi,
It looks very weird, but by any chance the ACL VPN is the same ACL used for NAT on this ASA?
If the ACL VPN is for NAT it makes sense that you exempt from NAT the traffic between both IPs.
Please make sure that the NAT ACL and VPN ACL are not both access-list VPN.
Federico.
09-01-2010 07:53 AM
Hey,
My thought is that there is something conflicting in the configuration that is leading to this behavior. Can you send the current config of your ASA for us to have a look?
Thanks and Regards,
Prapanch
09-02-2010 07:03 AM
Do you know why ACLs for the encrypted tunnel have to be for IP traffic rather than for TCP, for example?
The configuration I was talking about is about that. When I restrict the ACL to only TCP traffic to specific ports, it stops working (even if on the other side it is configured the same).
Any BIG reason for this?
09-02-2010 07:17 AM
Crypto ACLs are for IPsec so they should protect IP (should be defined as IP protocol) using either permit or deny statements.
If you don't want to communicate the entire IP protocol, but instead just TCP/UDP ports, then you can filter the VPN traffic (but still the crypto ACLs should be either permit/deny IP).
Another example for crypto ACLs is that the "any" keyword is discouraged. This is because all inbound packets that lack IPsec protection are silently dropped, including packets for routing protocols, Network Time Protocol (NTP), echo, echo response, and so on...
So, crypto ACLs are not regular ACLs; they are access-lists used for IPsec to define the IP traffic that is going to be either sent or not sent through an IPsec tunnel.
Federico.
09-02-2010 07:23 AM
So, to permit or deny specific traffic (TCP/UDP), an ACL with this specific traffic (denied or allowed) should be added to the interface, right?
I also saw it is possible with the "group-policy" command, where you add to a specific ACL the TCP ports that you want to deny/allow, and then in the VPN group add the group policy where the ACL is applied.
09-02-2010 07:38 AM
Yes.
In ASAs all VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn
You can see if that command is enabled by doing: sh run all sysopt
If you remove that command: no sysopt connection permit-vpn
then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).
A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.
Federico.
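A worked configuration for the approach Federico describes, as an added example that is not from the thread: the crypto ACL stays "permit ip" and a vpn-filter ACL on the group-policy restricts the tunnel to specific TCP ports. The ACL/policy names, the port numbers and the host pair are assumed.

```text
! Crypto ACL: defines what gets encrypted, protocol must stay "ip"
access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60
crypto map test_map 20 match address VPN
crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
!
! Leave the default in place so the outside interface ACL is bypassed
! for decrypted traffic (verify with: sh run all sysopt)
sysopt connection permit-vpn
!
! vpn-filter ACL (assumed name). Caveat: a vpn-filter ACE is written
! from the remote side's point of view: source = remote host,
! destination = local host, and it is evaluated for both directions.
! Remote 172.20.24.60 may open HTTPS to local 172.16.0.60:
access-list VPN-FILTER extended permit tcp host 172.20.24.60 host 172.16.0.60 eq 443
! Local 172.16.0.60 may open SSH to remote 172.20.24.60 (remote port 22
! therefore appears as the *source* port in the ACE):
access-list VPN-FILTER extended permit tcp host 172.20.24.60 eq 22 host 172.16.0.60
! Everything else through the tunnel is dropped by the implicit deny.
!
! Attach the filter to a group-policy and bind it to the L2L tunnel-group
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L-POLICY
```

If the filter seems to block the wrong direction, check the ACE source/destination order first; that reversal is the most common mistake with vpn-filter.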
09-02-2010 07:50 AM
Great stuff Federico. Thanks a lot.