×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ipsec vpn - not splitting traffic

Unanswered Question
Jun 5th, 2014
User Badges:

I have an ipsec vpn and it is up and running. On the remote asa I have the on the acl for the crytomap the inside network and destination the remote private network. I have also created a service policy rule where web traffic will not go to this tunnel but straight to the internet. I still find though that all traffic is going through the tunnel. How can I start resolving this? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
Loading.
Marvin Rhoads Thu, 06/05/2014 - 14:38
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Most likely your ACL used by the cryptomap is incorrect. If the traffic is deemed "interesting" by the ACL, it will be encapsulated in IPsec and the service-policy will never see it. (Step 4 vs Step 6 of packet processing - reference)

Can you share the configuration of the problematic ASA?

Or at least run a packet-tracer and let's look at the output of how the ASA handles the flow and why:

packet-tracer input inside tcp <inside client address> 1025 8.8.8.8 80 detailed

tolinrome tolinrome Thu, 06/05/2014 - 15:01
User Badges:

Here's a config of the remote 5505, thanks.

 

: Saved
:
ASA Version 9.1(4) 
!
hostname 
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 description Access Point
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.25.40.200 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.50.50.35 255.255.255.0 
boot system disk0:/asa914-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.25.40.0_24
 subnet 10.25.40.0 255.255.255.0
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 10.1.0.0
 subnet 10.1.0.0 255.255.0.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_nat0_outbound extended permit ip 10.25.40.0 255.255.255.0 any 
access-list http-traffic extended permit tcp any any eq www inactive 
access-list outside_cryptomap extended permit ip 10.25.40.0 255.255.255.0 object 10.1.0.0 
access-list outside_cryptomap extended permit ip host 50.50.50.35 host 10.1.0.120 
access-list outside_cryptomap extended permit ip host 10.25.40.200 host 10.1.0.120 
access-list https-traffic extended permit tcp any any eq https inactive 
access-list inside_access_in_1 extended permit tcp 10.25.40.0 255.255.255.0 any object-group DM_INLINE_TCP_1 
access-list inside_access_in_1 extended permit ip any any 
access-list global_mpc_1 extended deny tcp any object 10.1.0.0 eq https 
access-list global_mpc_1 extended permit tcp any any eq https 
access-list global_mpc extended deny tcp any object 10.1.0.0 eq www 
access-list global_mpc extended permit tcp any any eq www 
!
scansafe general-options
 server primary fqdn 69.174.87.51 port 8080
 server backup fqdn 70.39.231.99 port 8080
 retry-count 5
 license encrypted
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 206.192.38.3 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.1.0.0 255.255.255.0 inside
http 10.1.11.0 255.255.255.0 inside
http 10.25.40.0 255.255.255.0 inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 50.50.50.250
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpnclient server 50.50.50.250
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup L2L password
vpnclient username L2LVPN password
dhcpd auto_config outside
!
dhcprelay server 10.1.0.120 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.1.0.200 ASA5505_run.txt
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
username L2LVPN password
tunnel-group 50.50.50.250type ipsec-l2l
tunnel-group 50.50.50.250ipsec-attributes
 ikev1 pre-shared-key
 ikev2 remote-authentication pre-shared-key
 ikev2 local-authentication pre-shared-key
!
class-map cws-http-class
 match access-list global_mpc
class-map http-class
 match access-list http-traffic
class-map cws-https-class
 match access-list global_mpc_1
class-map https-class
 match access-list https-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect scansafe https-pmap
 parameters
  default group httpstraffic
  https
policy-map type inspect scansafe cws_https-pmap
 parameters
  default group httpstraffic
  https
policy-map type inspect scansafe cws_http_pmap
 parameters
  default group httptraffic
  http
policy-map global_policy
 description cws-http-class
 class cws-https-class
  inspect scansafe cws_https-pmap fail-close 
 class cws-http-class
  inspect scansafe cws_http_pmap fail-close 
 class inspection_default
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect icmp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
policy-map type inspect scansafe http-pmap
 parameters
  default group httptraffic
  http
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-721.bin
no asdm history enable

Marvin Rhoads Thu, 06/05/2014 - 22:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

That looks more or less OK.

How about the packet-tracer output?

packet-tracer input inside tcp <inside client address from 10.25.40.0 subnet> 1025 8.8.8.8 80 detailed

 

tolinrome tolinrome Fri, 06/06/2014 - 05:17
User Badges:

packet tracer shows it going through the vpn. Maybe something on the other end of the asa?

Marius Gunnerud Fri, 06/06/2014 - 05:56
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

How are you monitoring the traffic and identifying it is going over the VPN and not out to the internet?

Could you set up a packet capture on the inside interface and outside interface. In ASDM go to Wizards > Packet Capture.

If traffic is really going over the VPN when it is not supposed to you should not see any traffic in the packet capture on the outside interface.

--

Please remember to select a correct answer and rate helpful posts

tolinrome tolinrome Fri, 06/06/2014 - 19:12
User Badges:

Here's the output of the packet tracer:

 

ASA5505(config)# packet-tracer input inside tcp 10.25.40.101 1025 8.8.8.8$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd91cd538, priority=1, domain=permit, deny=false
        hits=1489754, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit tcp 10.25.40.0 255.255.255.0 any object-group DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd983dfe8, priority=13, domain=permit, deny=false
        hits=9517, user_data=0xd745b390, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=10.25.40.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd9228e20, priority=1, domain=nat-per-session, deny=true
        hits=161371, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd91d2fc8, priority=0, domain=inspect-ip-options, deny=true
        hits=91023, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd9766cd0, priority=70, domain=inspect-scansafe, deny=false
        hits=2134, user_data=0xd981e618, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd9201248, priority=0, domain=host-limit, deny=false
        hits=86435, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd97e9b90, priority=70, domain=encrypt, deny=false
        hits=448, user_data=0x31eadc, cs_id=0xd984d768, reverse, flags=0x0, protocol=0
        src ip/id=10.25.40.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd9805520, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=448, user_data=0x320edc, cs_id=0xd984d768, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.25.40.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd9228e20, priority=1, domain=nat-per-session, deny=true
        hits=161373, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd91fcc70, priority=0, domain=inspect-ip-options, deny=true
        hits=177513, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 135803, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inline_tcp_mod
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_inline_tcp_mod
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA5505(config)#

Marius Gunnerud Sat, 06/07/2014 - 13:04
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

Did you have a different ACL configured for the crypto map previously?

It is odd that it is not matching on the configured ACL.  If you look in the ASDM does the ACL match that which you see in the CLI?

Have you tried removing the command crypto map outside_map 1 match address outside_cryptomap and then re adding it again?

--

Please remember to select a correct answer and rate helpful posts

MANI .P Mon, 06/09/2014 - 03:39
User Badges:

@warrenroseny : One more option is available . install the wireshark  capture the packet meanwhile open the browser ... easy way to identify !!!

Actions

This Discussion