Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
4
Replies

lan 2 lan vpn tunnels

carl_townshend
Spotlight
Spotlight

‎11-10-2008 01:55 AM - edited ‎03-06-2019 02:23 AM

Hi all, can anyone tell me if stateful inspection still applies on vpn tunnels on my asa? and also when creating an access list for the site to site tunnel, how do I know which direction the access list is in?

Labels:
0 Helpful
4 Replies 4

satish_zanjurne
Level 4
Level 4

‎11-10-2008 06:55 AM

Hi,

1.I think it still applies , because the tunnel in encrypted connection between sites & hosts on both sides still needs to be statefully inspected to allows sessions between them

2.For site to site tunnel the access-list will define interesting traffic from this site to peer site , in outward direction.

HTH..rate if helpful..

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to satish_zanjurne

‎11-10-2008 07:55 AM

ok, thanks

regarding the access list, how would I configure the access list to be inbound from the peer to my site? I cannot see this option on the gui interface.

hope you can help

0 Helpful

jkeeffe
Level 2
Level 2
In response to carl_townshend

‎11-10-2008 10:57 AM

In the ASA documentation, it specifically states the when an ACL is applied to a VPN-filter, the first entry in the ACL always represents the remote end, regardless of whether the remote end is the source or destination of the traffic.

This caused me to hold off on deploying my ASA-5540s as a VPN head-end because of the difficulty in troubleshoot this weird way of doing ACLs would cause. You'd never know by looking at the ACL, what is the source or the destination of a particular connection.

Refer to this Cisco document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

I hear that the ASA code, as far as the VPN subsystem ins concerned, is being completely re-written and one of the changes will be NOT doing the ACL's this way. On all other Cisco devices, the first entry in an ACL refers to the source.

If I am wrong here, please someone correct me.

0 Helpful

elden
Level 1
Level 1
In response to jkeeffe

‎03-11-2009 09:26 PM

Interesting post.

We struggled with setting up 3 new L2L tunnels recently on an ASA5520 using vpn-filters and we've experienced the same. We banged our heads (and 3 TAC engineer's + their escalation) against the wall trying to understand the vpn-filter ACL logic flow.

We think we now understand the anti-logic of TCP connections, but are still puzzled at the workings of ICMP vpn-filters. If we are pinging from a host on our local network to a host on the far-end of the tunnel, one would think you would have to allow icmp "echo" from our network and icmp "echo-reply" returning from the far-end. The only way it worked was to allow both icmp "echo" and icmp "echo-reply" from the far-end to us in order for us to successfully ping.

Any update on your comment on the code re-write?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card