Site to site VPN ASA2ASA funny crypto ACL behaviour

jordisuste
Level 1

Hi,

I am running a site to site VPN between two ASAs. It is working but it shouldn't be working; in my opinion there is a bug. The thing is that when I define the traffic to be encrypted in one ACL, this traffic is denied, and the tunnel doesn't work. If I remove from the ACL the entries I am really interested in encrypting, it works...

So, for example.

I establish a tunnel between the two ASAs and specify

access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60

crypto map test_map 20 match address VPN

crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map 20 set security-association lifetime kilobytes 4608000

When I have this, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:

access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60

access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59

Then I have communication between 172.16.0.60 and 172.20.24.60 but not between 172.16.0.59 and 172.20.24.59.

It looks very funny to me. I am wondering if someone had this behaviour before or could explain it?

Thanks in advance.


8 Replies

Hi,

It looks very weird, but by any chance the ACL VPN is the same ACL used for NAT on this ASA?

If the ACL VPN is for NAT it makes sense that you exempt from NAT the traffic between both IPs.

Please make sure that the NAT ACL and VPN ACL are not both access-list VPN.

Federico.

praprama
Cisco Employee

Hey,

My thought is that there is something conflicting in the configuration that is leading to this behavior. Can you send the current config of your ASA for us to have a look?

Thanks and Regards,

Prapanch

Hi,

Config attached (I changed outside addresses, no worries about if there is any mismatch with routing, that is ok..)

Thanks!!

Do you know why ACLs for the encrypted tunnel have to be for IP traffic rather than for TCP, for example?

The configuration I was talking about is about that. When I enable the ACL for only TCP traffic to specific ports, it stops working (even if the other side is configured the same).

Any BIG reason for this?

Crypto ACLs are for IPsec so they should protect IP (should be defined as IP protocol) using either permit or deny statements.

If you don't want to communicate the entire IP protocol, but instead just TCP/UDP ports, then you can filter the VPN traffic (but still the crypto ACLs should be either permit/deny IP).

Another example for crypto ACLs is that the "any" keyword is discouraged. This is because all inbound packets that lack IPsec protection are silently dropped, including packets for routing protocols, Network Time Protocol (NTP), echo, echo response, and so on...

So, crypto ACLs are not regular ACLs; they are access lists used for IPsec to define the IP traffic that is going to be either sent or not sent through an IPsec tunnel.

Federico.

So, to permit or deny specific traffic (TCP/UDP), an ACL with this specific traffic (denied or allowed) should be added to the interface, right?

I also saw it is possible with the "group-policy" command, where you add to the specific ACL the TCP port that you want to deny/allow and then in the VPN group add the group policy where the ACL is added.

Yes.

In ASAs all VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn

You can see if that command is enabled by doing: sh run all sysopt

If you remove that command: no sysopt connection permit-vpn

then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).

A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.

Federico.
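As an added illustration of the vpn-filter approach Federico describes (example configuration written for this thread, not taken from the thread, the poster's attached config or Cisco documentation): the crypto ACL stays a plain "permit ip" line, and the TCP restriction is enforced by a vpn-filter on the group-policy while sysopt connection permit-vpn keeps its default. The ACL name VPN_FILTER, the group-policy name L2L_POLICY, the ports 443 and 22 and the choice of 172.16.0.60 as the local host are assumptions; the vpn-filter ACL is written with the remote host as the source, because that is how the ASA evaluates it for both traffic directions.

```cisco
! Crypto ACL: interesting traffic only, protocol must be "ip" (local -> remote).
access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60

! vpn-filter ACL: source = REMOTE host, destination = LOCAL host, no matter
! which side opens the connection. Everything not listed is dropped after
! decryption by the implicit deny (assumed policy: only two services allowed).
! Local host may open TCP/443 on the remote host (remote source port 443).
access-list VPN_FILTER extended permit tcp host 172.20.24.60 eq 443 host 172.16.0.60
! Remote host may open TCP/22 on the local host (local destination port 22).
access-list VPN_FILTER extended permit tcp host 172.20.24.60 host 172.16.0.60 eq 22

! Group policy carrying the filter (assumed name L2L_POLICY).
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER

! Bind the policy to the L2L tunnel-group for peer 1.1.1.1 (key omitted here).
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L_POLICY

! Crypto map from the original post, tied to the crypto ACL above.
crypto map test_map 20 match address VPN
crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map interface outside

! Verification (commands exist on ASA):
!   show run all sysopt            -> confirms sysopt connection permit-vpn is still on
!   show access-list VPN_FILTER    -> hit counts climb on the permit lines as traffic flows
!   show vpn-sessiondb l2l         -> shows the filter name attached to the active session
```

Traffic between the hosts that is not TCP/443 or TCP/22 is still selected for encryption by the crypto ACL, but is discarded by the vpn-filter, which is the intended behaviour.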

Great stuff Federico. Thanks a lot.
