Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Site to site VPN ASA2ASA funny crypto ACL behaviour

Hi,

I am running a site to site VPN between two ASAs. It is working but it shouldn't be working, in my opinion there is a bug. The thing is that when I define the traffic to be encrypted in one ACL, this traffic is denied, and the tunnel doen't work. If I remove fromthe ACL the entries I am really interested in the encryption, it works....

So, for example.

I stablish a tunnel between the two ASAs and specify

access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60

crypto map colt_map 20 match address VPN

crypto map test_map 20 set peer 1.1.1.1
crypto map test_map 20 set transform-set TEST
crypto map test_map 20 set security-association lifetime seconds 3600
crypto map test_map 20 set security-association lifetime kilobytes 4608000

When I have this, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:

access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60

access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59

Then I have communication between 172.16.0.60 host 172.20.24.60 but not between 172.16.0.59 host 172.20.24.59.

It looks very funny to me. I am wondering if someone had this behaviour before or could explain it?

Thanks in advance.

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Yes.

In ASAs all VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn

You can see if that command is enabled by doing: sh run all sysopt

If you remove that command: no sysopt connection permit-vpn

then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).

A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.

Federico.

8 REPLIES

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Hi,

It looks very weird, but by any chance the ACL VPN is the same ACL used for NAT on this ASA?

If the ACL VPN is for NAT it makes sense that you excempt from NAT the traffic between both IPs.

Please make sure that the NAT ACL and VPN ACL are not both access-list VPN

Federico.

Cisco Employee

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Hey,

My thought is that there is something conflicting in the configuration that is leading to this behavior. Can you send the current config of your ASA for us to have a look?

Thanks and Regards,

Prapanch

New Member

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Hi,

Config attached (I changed outside addresses, no worries about if there is any mistmatch with routing, that is ok..)

Thanks!!

New Member

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Do you know why ACLs for the encrypted tunnel have to be for IP traffic rather

for TCP for example?

The configuration I was talking about it is about that. When I enable the ACL only tcp traffic to specific ports, it stops working (even if on the other side it is configured the same).

Any BIG reason for this?

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Crypto ACLs are for IPsec so they should protect IP (should be defined as IP protocol) using either permit or deny statements.

If you don't want to communicate the entire IP protocol, but instead just TCP/UDP ports, then you can filter the VPN traffic (but still the crypto ACLs should be either permit/deny IP).

Another example for crypto ACLs is that the ''any'' keyword is discourage. This is because all inbound packets that lack IPsec protection are silently dropped, including packets for routing protocols, Network Time Protocol (NTP), echo, echo response, and so on...

So, Crypto ACLs are not regular ACLs, are access-lists used for IPsec to define IP traffic that is going to be either sent or not sent through an IPsec tunnel.

Federico.

New Member

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

So, to permit or deny specific traffic (TCP/UDP), an ACL to the interface with this specific traffic (denied or allowed) should be added right?

I also saw, it is possible with "group-policy" command; where you add in the specific ACL the tcp port to that you want or not to deny/allow and then in the von group add the group policiy where the ACL is added.

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Yes.

In ASAs all VPN traffic is not checked against the outside ACL because of one command: sysopt connection permit-vpn

You can see if that command is enabled by doing: sh run all sysopt

If you remove that command: no sysopt connection permit-vpn

then all VPN traffic will be checked against the interface ACL (and you can permit only what you need).

A better approach is to leave the default sysopt connection permit-vpn and create vpn-filter ACLs that are applied to the group-policy for the tunnel-groups that you need.

Federico.

New Member

Re: Site to site VPN ASA2ASA funny crypto ACL behaviour

Great stuff Federico. Thanks a lot.

532
Views
0
Helpful
8
Replies
This widget could not be displayed.