Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
3
Replies

Site-to-Site VPN question

purva.kate
Level 1
Level 1

‎08-23-2014 03:50 AM

Hi,I was working on L2L VPN config,and had some doubt

 

Now,the default hierarchy of how a Policy is applied for RA VPN goes - Dynamic Access Policy ,User Profile Policy,Specific Group Policy for that User,Connection Profile Group Policy,Default Group Policy.I am not sure if such hierarchy applies to L2L VPN.

 

I have a Crypto ACL name outside_crypto_10 .And under Tunnel-group i have Group-Policy called TEST_FILTER .And under that Group-Policy i have a vpn-filter value TEST_FILTER.

 

My question is,when the traffic is generated which matches the outside_crypto_10 ACL ,it will go via tunnel.

  1. If the traffic doesn't match anything in outside_crypto_10 ACL ,will it look that under vpn-filter "TEST_FILTER" ?
  2. If yes, in what direction should we have the ACL in "TEST_FILTER" defined,like access-list TEST_FILTER extended permit ip (Internal Network )  (Peer End Network) or vice-versa access-list TEST_FILTER extended permit ip  (Peer End Network) (Internal Network ) .
  3. Should we be needing the Interface ACL,no NAT,Outside ACL.
  4. Also i read in the hierarchy of how a Policy is applied for RA VPN ,if it finds a matching parameter it will by-pass the parameters under it for that. Like if it finds a matching Dynamic Access Policy for a User,it will not look it again under User Profile Policy,Specific Group Policy for that User,Connection Profile Group Policy,Default Group Policy . So will such case happen with the L2L VPN ? Like if it finds a Crypto ACL ,will it bypass the TEST_FILTER or will consider that too ?

 

crypto map outside_map 10 match address outside_crypto_10
crypto map outside_map 10 set pfs 
crypto map outside_map 10  set peer 2.2.2.2
crypto map outside_map 10 set ikev1 transform-set aes-256-sha
crypto map outside_map 10 set security-association lifetime seconds 3600
`
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy TEST_FILTER
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 
group-policy TEST_FILTER internal
group-policy TEST_FILTER attributes
 vpn-filter value TEST_FILTER
Labels:
0 Helpful
3 Replies 3

nkarthikeyan
Level 7
Level 7

‎08-23-2014 05:39 AM

Hi,

Please find the clarification for your queries.

  • If the traffic doesn't match anything in outside_crypto_10 ACL ,will it look that under vpn-filter "TEST_FILTER"

Ans: The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#configs

  • If yes, in what direction should we have the ACL in "TEST_FILTER" defined,like access-list TEST_FILTER extended permit ip (Internal Network )  (Peer End Network) or vice-versa access-list TEST_FILTER extended permit ip  (Peer End Network) (Internal Network ) .

Ans:Yes.  It will be on inbound direction as  said in my previous answer. But i can also be bi-directional if needed.

  • Should we be needing the Interface ACL,no NAT,Outside ACL.

Ans: Interface ACL's can be skipped by issuing sysopt connection permit-vpn.

No-NAT ACL is must in case if we are using communication between private network LAN's.

  • Also i read in the hierarchy of how a Policy is applied for RA VPN ,if it finds a matching parameter it will by-pass the parameters under it for that. Like if it finds a matching Dynamic Access Policy for a User,it will not look it again under User Profile Policy,Specific Group Policy for that User,Connection Profile Group Policy,Default Group Policy . So will such case happen with the L2L VPN ? Like if it finds a Crypto ACL ,will it bypass the TEST_FILTER or will consider that too ?

Ans: It considers both and VPN filters are widely used to restrict on port based communication between sites.

 

 

Regards

Karthik

0 Helpful

purva.kate
Level 1
Level 1
In response to nkarthikeyan

‎08-30-2014 04:13 AM

Thankyou nkarthikeyan for your reply.

 

So,you mean first it will use the Crypto ACL outside_crypto_10 ACL to travel through the Tunnel.

Once it reaches the ASA ,it will be restricted by the  vpn filter TEST_FILTER.

 

So ,if this is the case,I guess best setup would be to allow ip traffic in Crypto ACL,and restrict on Ports in the vpn filter .

 

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to purva.kate

‎08-31-2014 08:49 PM

Yeah... You are right....

 

Regards

Karthik

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents