tunnel drop

Answered Question
Oct 25th, 2010
We have the below access list for an IPsec tunnel:


access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600  172.16.100.0 255.255.255.248

access-list 195 line 2 extended permit udp host 192.168.300.130 172.16.100.0 255.255.255.248 eq domain



When the other remote end of the IPsec tunnel even tries to ping or trace to 192.168.200.110 or 192.168.300.130, the VPN connection goes down.

Why does it do so?

TIA.

Jitendriya Athavale (Cisco Employee) Mon, 10/25/2010 - 19:37

Hi,

Please brief us more about what the 2 devices in question are and what kind of VPN is set up.

Also, what exactly do you mean when you say that ping brings down the tunnel (is it that ping brings the tunnel down, or that the tunnel is not coming up at all)?

suthomas1 Mon, 10/25/2010 - 19:52

Sorry for omitting those initially.

Our end is an ASA and the other end has a Cisco router.

The IPsec tunnel comes up without any problem at first, and if a ping is done from 172.16.100.2 or a similar IP to 192.168.100.0/24 it works well.

However, whenever the remote end 172.16.100.0 255.255.255.248 pings or does a traceroute to 192.168.200.110 or 192.168.200.130, the tunnel goes down.

Hope this information is much clearer.

Thanks.

Jitendriya Athavale (Cisco Employee) Mon, 10/25/2010 - 20:20

So if I understand you right, you say the tunnel goes down because you don't see ping replies coming in.

If that is the reason, then assuming access-list 195 is the ACL that defines the VPN traffic (crypto traffic), as you can see you are allowing only specific ports through the VPN for those IPs; that is why you are not able to ping. If you want to allow everything between the 2 hosts, use the following crypto ACL on both ends:


access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.200.110   172.16.100.0 255.255.255.248

access-list 195 line 2 extended permit ip host 192.168.300.130 172.16.100.0 255.255.255.248



the change has been highlighted in bold

suthomas1 Mon, 10/25/2010 - 20:37

Does that mean that if we try to initiate a connection for traffic not covered under the defined ACL 195, the tunnel will go down?

In that case, how do we nail down the traffic to only the required TCP or UDP ports rather than ip?



thanks.

Jitendriya Athavale (Cisco Employee) Mon, 10/25/2010 - 20:53

The tunnel does not go down; the traffic does not go through the tunnel.

So only whatever traffic is defined in that crypto ACL goes through the tunnel.

Can you please paste the output of

show run crypto -> on the ASA

suthomas1 Mon, 10/25/2010 - 21:11

Thanks,

I have masked some values.


crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map kepp 60 match address 195
crypto map kepp 60 set peer y.y.y.y
crypto map kepp 60 set transform-set vpn
crypto map kepp 60 set security-association lifetime seconds 28800
crypto map kepp 60 set security-association lifetime kilobytes 4608000
crypto map kepp interface External
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn VPNASABU.abc.com
subject-name CN=VPNASABU
serial-number
crl configure
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


Thank You

Jitendriya Athavale (Cisco Employee) Mon, 10/25/2010 - 21:23

Yeah, so as I said before:

make changes to that ACL on both ends and pings will start working.

Correct Answer
Jitendriya Athavale (Cisco Employee) Mon, 10/25/2010 - 21:28

So if you do not want to allow everything, you can use what you have and, in addition to that, allow ICMP between the 2 hosts for testing connectivity:


access-list 195 extended permit icmp host 192.168.200.110   172.16.100.0 255.255.255.248

access-list 195 extended permit icmp host 192.168.300.130 172.16.100.0 255.255.255.248



Hope this helps.

Let me know if you have more questions.

Daniela Herrera Tue, 10/26/2010 - 15:18

Hello!


As far as I know, the best practice is to select only "ip" for the access-list applied on the crypto map.

If you want to limit ports, you can do it on your inside access-group ACLs for both ends, or use a VPN-Filter on the ASA. Here's a sample config for the VPN-Filters on the ASA:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In any case, if you are willing to test by limiting the protocol on the crypto map access-list, both ends must have exactly the same access-list (mirrored) for the VPN to work. I understand this makes the encryption process harder for the appliance, since more Security Associations are created when specific ports are selected instead of when only IP is selected.


Regards,
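Two points in this thread are worth seeing mechanically: Jitendriya's explanation that a flow only enters the tunnel when it matches a permit entry in the crypto-map ACL (an ICMP echo from 172.16.100.2 to 192.168.200.110 matches nothing when the only entry for that host is tcp eq 6600, so it never rides the SA), and Daniela's point that the peer's crypto ACL must be the exact mirror of ours. The following Python is an added example, not code from the thread or from Cisco: it parses ASA-style `access-list ... extended permit` lines, evaluates whether a flow is "interesting" for the crypto map, and checks two ACLs for mirroring. It assumes a subset of the ASA syntax (host / subnet-mask / any, optional `eq PORT` on tcp and udp, a small port-keyword table), expresses the router side in the same ASA syntax for the parser's sake, and omits the thread's third host because "192.168.300.130" as posted is not a valid IPv4 address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Partial ASA port-keyword table (assumption: only what this sample needs).
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ssh": 22}

@dataclass(frozen=True)
class Ace:
    """One access-control entry of a crypto-map ACL."""
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_addr(toks, i):
    """Consume an address spec at toks[i]: 'any', 'host A', or 'A SUBNET_MASK'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # ASA extended ACLs use subnet masks, not wildcard masks.
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2

def _take_port(toks, i):
    """Consume an optional 'eq PORT' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[:1] != ["access-list"] or "permit" not in toks:
        raise ValueError(f"unsupported ACE: {line}")
    i = toks.index("permit") + 1          # skips 'line N' and 'extended' if present
    proto, i = toks[i], i + 1
    src, i = _take_addr(toks, i)
    sport, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i)
    return Ace(proto, src, sport, dst, dport)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def matches(ace: Ace, proto, src, dst, sport=None, dport=None) -> bool:
    """True if flow proto src:sport -> dst:dport is selected by this ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport

def is_interesting(acl: List[Ace], proto, src, dst, sport=None, dport=None) -> bool:
    """Crypto-map semantics: a flow enters the tunnel only if some permit entry
    matches it; an unmatched flow bypasses the tunnel, the SA itself stays up."""
    return any(matches(a, proto, src, dst, sport, dport) for a in acl)

def mirror(ace: Ace) -> Ace:
    return Ace(ace.proto, ace.dst, ace.dport, ace.src, ace.sport)

def is_mirrored(local: List[Ace], remote: List[Ace]) -> bool:
    """The peer's crypto ACL must be our ACL with source and destination swapped,
    entry for entry (order is irrelevant for this check)."""
    return {mirror(a) for a in local} == set(remote)

# ASA side: the first two entries as posted in the thread (third host omitted, see lead-in).
ASA_ACL = """
access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248
"""
# ICMP entry from the accepted answer.
FIX_ICMP = "access-list 195 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248"
# Router side: constructed mirror of ASA_ACL, written in ASA syntax for this parser.
ROUTER_ACL = """
access-list 195 extended permit ip 172.16.100.0 255.255.255.248 192.168.100.0 255.255.255.0
access-list 195 extended permit tcp 172.16.100.0 255.255.255.248 host 192.168.200.110 eq 6600
"""

if __name__ == "__main__":
    asa, router = parse_acl(ASA_ACL), parse_acl(ROUTER_ACL)
    print("ping 172.16.100.2 -> 192.168.200.110 interesting on router:",
          is_interesting(router, "icmp", "172.16.100.2", "192.168.200.110"))
    print("tcp/6600 to 192.168.200.110 interesting on router:",
          is_interesting(router, "tcp", "172.16.100.2", "192.168.200.110", 40000, 6600))
    print("ACLs mirrored before ICMP fix:", is_mirrored(asa, router))
    print("ACLs mirrored after one-sided ICMP fix:",
          is_mirrored(asa + [parse_ace(FIX_ICMP)], router))
```

Running it shows the two behaviours the thread describes: the ICMP probe is not interesting on the initiating side while the TCP/6600 flow is, and adding the ICMP entry on the ASA alone breaks mirroring, which is why the answer says to change the ACL on both ends.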
