Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Transparent Mode firewall denying ESP packets inbound

I configured a transparent firewall and found problems of not being able to ping devices reachable via the tunnel when forming a VPN connection from my laptop out to another firewall, while looking at the log view on the transparent firewall, I noticed that it said that it was denying ESP packets inbound on the outside interface. I wound up enabling ESP inbound on the outside to fix this, but would like to know if that is the nature of the transparent firewall. I thought that is should know how to handle the ESP packets, but it wasn't.

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Transparent Mode firewall denying ESP packets inbound

Hello

You are totally right, implementing this is a little bit different from the routed mode. Take a look at the following

"You must use an extended access list to allow Layer 3 traffic, such           as IP traffic, through the security appliance."

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

ESP is portless protocol and IP protocol 50, so it definetly will need an ACL to allow the traffic to go through. Dont worry, this is a common practice and it wont open any security breach.

Cheers.

Mike

Mike
6 REPLIES
Cisco Employee

Re: Transparent Mode firewall denying ESP packets inbound

Hello Allen,

Eventhough this firewall is on Transparent, security levels and all that stuff still apply. I will suggest you to place an ACL permitting the ESP  packets from outside to inside and try it again

Cheers.

Mike

Mike
New Member

Re: Transparent Mode firewall denying ESP packets inbound

MIke, thanks, that is exactly what I did to get this working. My question is, is this best practice? I can't seem to find any documentation regarding this, I thought the ASA would inspect the traffic coming from inside->outside (stateful) and I shuldn't need to alloq ESP in from the outside. I have always worked with routed mode on the ASA's so I just want to make sure I am configuring this correctly.

Thanks,

New Member

Re: Transparent Mode firewall denying ESP packets inbound

MIke, one other note, I enabled IPSEC pack inspection and it still didn't work.

inspect ipsec-pass-thru

To enable IPSec Pass Thru inspection, use the inspect ipsec-pass-thru command in class  map configuration mode. Class configuration mode is accessible from  policy map configuration mode. To remove the configuration, use the no form of this command.

inspect ipsec-pass-thru [map_name]

no inspect ipsec-pass-thru [map_name]

Syntax Description

map_name

(Optional) The name of the IPSec Pass Thru map.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The inspect ipsec-pass-thru command  enables or disables application inspection. IPSec Pass Through  application inspection provides convenient traversal of ESP (IP protocol  50) and/or AH (IP protocol 51) traffic associated with an IKE UDP port  500 connection. It avoids lengthy access list configuration to permit  ESP and AH traffic and also provides security using timeout and max  connections.

Use the IPSec Pass Through parameter map to identify a specific map to  use for defining the parameters for the inspection. Use the policy-map type inspect command  to access the parameters configuration, which lets you specify the  restrictions for ESP or AH traffic. You can set the per client max  connections and the idle timeout in parameters configuration.

Use class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more  interfaces. The parameter map defined is enabled when used with the inspect IPSec-pass-thru command.

NAT and non-NAT traffic is permitted. However, PAT is not supported.


Note In ASA 7.0, the inspect ipsec-pass-thru command  allowed only ESP traffic to pass through. To retain the same behavior  in later versions, a default map that permits ESP is created and  attached if the inspect ipsec-pass-thru command is specified without any arguments. This map can be seen in the output of the show running-config all command.


Examples

The following example shows how to use access lists to identify IKE  traffic, define an IPSec Pass Thru parameter map, define a policy, and  apply the policy to the outside interface:

hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
hostname(config)# policy-map inspection_policy
hostname(config-pmap)# class ipsecpassthru-traffic
hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
hostname(config)# service-policy inspection_policy interface outside

Cisco Employee

Re: Transparent Mode firewall denying ESP packets inbound

Hello

You are totally right, implementing this is a little bit different from the routed mode. Take a look at the following

"You must use an extended access list to allow Layer 3 traffic, such           as IP traffic, through the security appliance."

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

ESP is portless protocol and IP protocol 50, so it definetly will need an ACL to allow the traffic to go through. Dont worry, this is a common practice and it wont open any security breach.

Cheers.

Mike

Mike
New Member

Re: Transparent Mode firewall denying ESP packets inbound

Thanks!!

Cisco Employee

Re: Transparent Mode firewall denying ESP packets inbound

Hey..

Thank you for rating...

Cheers.

Mike

Mike
596
Views
0
Helpful
6
Replies
CreatePlease to create content