12-29-2010 07:08 AM - edited 03-11-2019 12:28 PM
What is the process sequence in an ASA with IPsec configuration, for traffic initiated from inside and from outside?
Remote Host -> Router -> Internet -> ASA -> Local Host
The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.
If the local host starts traffic via the ASA, will it first hit the inside interface ACL on the ASA or the crypto ACL?
I would appreciate any help with this.
Thanks,
12-29-2010 07:59 AM
Hi,
The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command, which will tell you exactly which process comes into effect and when:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
The following image should give you an idea of the exact sequence of operations:
The crypto ACL will be hit immediately before phase 8 (Egress Interface).
Regards,
Atri.
12-29-2010 07:50 AM
Inside interface ACL, NAT 0 ACL on the ASA, and then the crypto ACL on the ASA.
-KS
12-29-2010 08:42 AM
If the inside ACL is called first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during packet-tracer, in spite of the ACL having a defined line for the required traffic.
Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.
The ASP capture shows this drop also.
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
Any valuable suggestions?
Thanks.
12-29-2010 09:30 AM
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224
10.52.151.81 is not covered by 10.52.0.0 255.255.255.224.
http://www.subnet-calculator.com/
-KS
12-29-2010 06:20 PM
I am sorry, it was written wrongly.
The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
It shows as dropped even though the rule is there, and the running logs don't show anything, except for the capture, which says reset.
thanks for your help.
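To check the point KS makes above (whether a destination actually falls inside the subnet/mask given on an ACL line) and the corrected destination in the follow-up post, here is an added example that evaluates a packet against ASA-style extended ACL lines in first-match order with the implicit deny at the end. This is illustrative code written for this thread, not Cisco's ACL engine: it assumes ASA extended ACL syntax with real subnet masks (not wildcards), handles only the `any`, `host A.B.C.D` and `A.B.C.D MASK` address forms, ignores port operands, and treats the two `show access-list` lines quoted in the thread as constructed sample input.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two ACL lines quoted in the thread, as printed
# by "show access-list" (the hitcnt suffix is present so the parser strips it).
SAMPLE_ACL = """
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
"""

LINE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$"
)


@dataclass
class AclEntry:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address operand at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns the network it denotes and the index of the next unread token."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # ASA extended ACLs use a subnet mask, which ipaddress accepts after the slash.
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show access-list' style lines; unrecognised lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        raw = re.sub(r"\s*\(hitcnt=\d+\).*$", "", raw.strip())
        m = LINE_RE.match(raw)
        if not m:
            continue
        _name, line, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_operand(tokens, 0)
        dst, _ = _parse_operand(tokens, i)
        entries.append(AclEntry(int(line), action, proto, src, dst))
    return entries


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str,
             proto: str) -> Tuple[str, Optional[int]]:
    """First matching line wins; if nothing matches, the implicit deny applies.
    Returns (action, line_number) with line_number None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s in e.src and d in e.dst:
            return e.action, e.line
    return "deny", None


def near_misses(entries: List[AclEntry], src_ip: str, dst_ip: str) -> List[str]:
    """Explain an implicit-deny result: list lines whose source matches but whose
    destination range excludes the packet, showing the range that was matched."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    out = []
    for e in entries:
        if s in e.src and d not in e.dst:
            first, last = e.dst.network_address, e.dst.broadcast_address
            out.append(f"line {e.line}: source matches, but {d} is outside "
                       f"{e.dst.with_netmask} ({first}-{last})")
    return out


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for dst in ("10.52.151.81", "10.52.0.18"):
        print(dst, "->", evaluate(acl, "172.16.100.50", dst, "tcp"))
        for why in near_misses(acl, "172.16.100.50", dst):
            print("   ", why)
```

Running it shows the thread's two situations side by side: 10.52.151.81 falls through to the implicit deny because line 2 only covers 10.52.0.0 to 10.52.0.31, while the corrected destination 10.52.0.18 is permitted by line 2. A zero hit count on the line you expect to match, as in the quoted output, is the same signal the `near_misses` helper makes explicit.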
12-29-2010 07:35 PM
I need the following output:
1. sh run nst
2. sh route
3. sh run access-g
4. sh access-l
5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18
6. Enable debug level logging and post that as well:
conf t
logging on
logging buffered 7
exit
sh logg | i 172.16.100.50
-KS
12-30-2010 10:21 PM
Thanks KS and all, this was resolved.
It was found to be an IP addressing problem with the server.