Outside ACL not incrementing for permitted traffic via site-to-site VPN

monkeyboy (Level 1)

Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully - most of this traffic is either FTP or SFTP.

There is no sysopt set up on the ASA firewall. Access-lists have been set up on the outside interface of the ASA to permit these VPN connections for FTP & SFTP - however all of the counters are 0 when I do a 'show access-list internet-in' for either FTP or SFTP.

There are general IP any to FTP & SFTP access-list entries to the NATted Internet-facing addresses of these FTP servers and these are incrementing, but then there are some clients that use the Internet for transferring files.

I guess what I'm wondering is: do ASA outside access-lists increment for traffic permitted by VPN? The access-list entries are for THEIRINTERNALIP to OURINTERNALIP (as per the crypto map).

Just to add that these ACLs are configured via object groups in case that matters - also, again, they are successfully transferring files to us - only I can't see where they are permitted.

Many thanks in advance

Mark

6 Replies

Hi,

If you don't have the sysopt command permitting IPsec then VPN traffic is checked against the outside ACL.

But... do you have a permit ESP entry?

Do you see the permit ESP incrementing?

I don't recall right now... but VPN traffic might be permitted by ESP and allowed in... can you check this?

Federico.

Hi Federico, there is no explicit permit AH/ESP in the external ACL. From what I understand the PIX/ASA will terminate VPN connections without the sysopt command and without explicit VPN ACLs. What I was wondering was whether the crypto ACL takes preference over the external PIX/ASA outside access-list for inbound traffic, because that is what seems to be happening.

To be honest I didn't set this up - when I've set up site-to-site I permit IP to IP in a DMZ, then filter after that. However, it looks like the guy that did this removed sysopt from the firewall in the understanding that the outside ACL will filter VPN traffic inbound.

I've just seen traffic come in via IPsec VPN for THEIRINSIDEIP to OURINSIDEIP and yet the outside ACL is still 0 for that connection.

Thanks for your help so far

Mark

The crypto ACL is to define the interesting traffic.

The actual permission is given by the ACL applied to the outside interface (if not using the sysopt command).

In other words... without the sysopt... traffic will only be permitted if allowed by the outside interface ACL.

Can you post the relevant entries of that ACL?

Federico.

Hi Federico - I've attached the config (I've sanitised our public IPs but you should get the drift). All of the connections that are permitted via VPN (insideIP to insideIP) are currently 0.

Cheers

Mark

VPN traffic is flowing correctly and there's no ACL permitting UDP 500 or ESP?

Can you post the output of "sh run all sysopt"?

Federico.

Brilliant, you've solved it - please see below. I was using 'sh run sysopt' (it's been a while since I've used PIX!) - great that it doesn't show in the config too - sneaky!

MOJPIXS11-1# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp Outside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Inside
no sysopt noproxyarp WebDMZ

thanks for your help

Mark
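Added example (not from the thread or any Cisco tool): a small audit helper that parses `show run all sysopt` output and reports whether `sysopt connection permit-vpn` is active, i.e. whether decrypted site-to-site VPN traffic bypasses the outside interface ACL (which is why Mark's ACL counters stayed at 0). The sample output below is constructed from the thread; the hostname and interface names are placeholders.

```python
import re

# Constructed sample of 'show run all sysopt' output, modelled on the thread.
SAMPLE_SYSOPT = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt noproxyarp Outside
"""


def parse_sysopt(output):
    """Return {option: value}.

    'no sysopt X'      -> False
    'sysopt X'         -> True (flag option)
    'sysopt X <int>'   -> the integer (valued option, e.g. tcpmss 1380)
    Non-sysopt lines (prompts, blanks) are ignored.
    """
    settings = {}
    for line in output.splitlines():
        m = re.match(r'^(no\s+)?sysopt\s+(.+?)\s*$', line.strip())
        if not m:
            continue
        negated, tokens = bool(m.group(1)), m.group(2).split()
        if tokens[-1].isdigit():
            key, value = ' '.join(tokens[:-1]), int(tokens[-1])
        else:
            key, value = ' '.join(tokens), True
        settings[key] = False if negated else value
    return settings


def vpn_bypasses_interface_acl(settings):
    """True when permit-vpn is on: decrypted VPN traffic skips the interface ACL."""
    return settings.get('connection permit-vpn', False) is True


def audit_vpn_acl_enforcement(output):
    """Explain why outside-ACL counters may stay at 0 for VPN traffic."""
    settings = parse_sysopt(output)
    if vpn_bypasses_interface_acl(settings):
        return ('sysopt connection permit-vpn is active: decrypted VPN traffic '
                'is NOT checked against the outside ACL, so those ACEs will not '
                'increment. Use "no sysopt connection permit-vpn" to enforce it.')
    return 'permit-vpn is off: decrypted VPN traffic is filtered by the outside ACL.'
```

Note that `show run sysopt` omits default settings, so always feed this helper the output of `show run all sysopt`, as the thread found.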
