12-29-2010 07:08 AM - edited 03-11-2019 12:28 PM
What is the processing sequence in an ASA with an IPsec configuration, for traffic initiated from inside and from outside?
Remote Host -> Router -> Internet -> ASA -> Local Host
The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.
If the local host starts traffic via the ASA, will it first hit the inside interface ACL on the ASA or the crypto ACL?
I would appreciate any help with this.
Thanks,
12-29-2010 07:59 AM
Hi,
The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command; this will tell you exactly which process comes into effect and when:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
The following image should give you an idea of the exact sequence of operations:
The crypto ACL will be hit immediately before phase 8 (Egress Interface).
Regards,
Atri.
12-29-2010 07:50 AM
Inside interface ACL, nat 0 ACL on the ASA and then the crypto ACL on the ASA.
-KS
12-29-2010 08:42 AM
If the inside ACL is consulted first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during packet-tracer, in spite of the ACL having a defined line for the traffic that is required.
Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.
An ASP capture shows this drop also.
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
Any valuable suggestions for it?
Thanks.
12-29-2010 09:30 AM
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224
10.52.151.81 is not covered in 10.52.0.0 255.255.255.224
http://www.subnet-calculator.com/
-KS
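The subnet-mask check KS points to is easy to get wrong by eye, so here is a small ASA-style ACL evaluator, added here as an illustration (it is not from the thread and not Cisco code). It parses the two `local-access` lines exactly as `show access-list` prints them, walks them top-down with an implicit deny at the end, and reports which line, if any, permits a given flow. The sample ACL text and the test flows are constructed for this example; note that ASA extended ACLs use subnet masks (255.255.255.224 = /27), not IOS-style wildcard masks, which is why 10.52.151.81 falls outside line 2 while 10.52.0.18 is inside it.

```python
import ipaddress
import re

# Constructed sample: the two lines posted in the thread, in "show access-list"
# form (the trailing hit count is optional and ignored by the parser).
SAMPLE_ACL = """
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
"""

ACL_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.+?)"
    r"(?:\s+\(hitcnt=\d+\))?\s*$"
)


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next_index).

    Forms handled: 'any', 'host A.B.C.D', and 'A.B.C.D SUBNET_MASK'.
    ASA ACLs use subnet masks (e.g. 255.255.255.224 = /27), not wildcard masks.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates a network address with host bits set, as the ASA does
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'show access-list' output into an ordered list of entries."""
    entries = []
    for raw in text.strip().splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # skip headers and anything that is not an ACE
        name, line, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        dst, i = _parse_addr(tokens, i)
        # Optional destination port operator; only 'eq N' is supported here
        port = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            port = int(tokens[i + 1])
        entries.append({
            "name": name, "line": int(line), "action": action,
            "proto": proto, "src": src, "dst": dst, "port": port,
        })
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation with the ASA's implicit deny at the end.

    Returns (action, matching_line); matching_line is None for the implicit deny.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", None  # implicit deny: no ACE matched


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for dst in ("10.52.151.81", "10.52.0.18", "10.52.0.40"):
        print(f"172.16.100.50 -> {dst}/tcp: {evaluate(acl, 'tcp', '172.16.100.50', dst, 443)}")
```

Running it shows the implicit deny for 10.52.151.81 (and for 10.52.0.40, which is past the 32-address block that 255.255.255.224 covers), while 10.52.0.18 is permitted by line 2. This mirrors what packet-tracer reports in its ACCESS-LIST phase; the real test on the box remains `packet-tracer`, this script only makes the mask arithmetic explicit.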
12-29-2010 06:20 PM
I am sorry, it was written wrongly.
The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
It shows as dropped even though the rule is there, and the running logs don't show anything except for the capture, which says reset.
Thanks for your help.
12-29-2010 07:35 PM
I need the following output:
1. sh run nat
2. sh route
3. sh run access-g
4. sh access-l
5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18
6. Enable debug-level logging and post that as well:
conf t
logging on
logging buffered 7
exit
sh logg | i 172.16.100.50
-KS
12-30-2010 10:21 PM
Thanks KS and all, this was resolved.
It was found to be an IP addressing problem with the server.