04-06-2018 01:51 AM - edited 03-12-2019 05:10 AM
Hi all,
I have a site-to-site VPN with AWS, and I have restricted all the inbound traffic using an ACL, explicitly denying any any (for both IP and ICMP). Still, users from AWS can access my network, can RDP in, and can also ping my network.
Your help and advice is much appreciated.
04-06-2018 07:15 AM
04-09-2018 12:51 AM - edited 04-18-2018 02:25 AM
Hi @GioGonza,
Below is the config I am using for vpn-filter:
access-list amzn-filter extended permit ip remote subnet local subnet
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group x.x.x.x general-attributes
 default-group-policy filter
exit
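An added example (not code from the thread or from Cisco) that models how the ASA evaluates a vpn-filter: the ACL is matched with the VPN peer's side as the ACE source and the local side as the ACE destination in both directions, so a single "permit ip peer local" entry placed before "deny ip any any" allows peer-initiated RDP and ping just as it allows locally initiated traffic. The object names AWS-10.200.0.0_16 and gc-it and the host 10.200.200.172 come from the thread; the gc-it subnet 10.10.0.0/16, the ephemeral ports and the port-restricted alternative ACL are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object table for this example. 10.200.0.0/16 is the AWS side seen
# in the thread; gc-it is assumed here to be the 10.10.0.0/16 subnet.
OBJECTS = {
    "AWS-10.200.0.0_16": ipaddress.ip_network("10.200.0.0/16"),
    "gc-it": ipaddress.ip_network("10.10.0.0/16"),
}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    remote: ipaddress.IPv4Network    # ACE source = VPN peer side
    remote_port: Optional[int]
    local: ipaddress.IPv4Network     # ACE destination = local side
    local_port: Optional[int]


def _endpoint(toks):
    """Consume one ACE endpoint (object / any / host / addr+mask, optional 'eq port')."""
    if toks[0] == "object":
        net, toks = OBJECTS[toks[1]], toks[2:]
    elif toks[0] == "any":
        net, toks = ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    elif toks[0] == "host":
        net, toks = ipaddress.ip_network(toks[1]), toks[2:]
    else:
        net, toks = ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]
    port = None
    if toks and toks[0] == "eq":
        port, toks = int(toks[1]), toks[2:]
    return net, port, toks


def parse_ace(line):
    """Parse 'access-list <name> extended <permit|deny> <proto> <src> <dst>'."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[3:]                  # drop 'access-list <name> extended'
    action, proto, toks = toks[0], toks[1], toks[2:]
    remote, rport, toks = _endpoint(toks)
    local, lport, toks = _endpoint(toks)
    return Ace(action, proto, remote, rport, local, lport)


def vpn_filter_verdict(acl, proto, src_ip, src_port, dst_ip, dst_port, from_peer):
    """Verdict for the first packet of a connection passing the vpn-filter.

    from_peer=True  : packet arrives from the VPN peer (AWS -> local)
    from_peer=False : a local host initiates towards the peer (local -> AWS)
    The ASA matches a vpn-filter with the peer side as ACE source and the local
    side as ACE destination in both directions, so an outbound first packet is
    evaluated with its source and destination swapped.
    """
    if from_peer:
        remote_ip, remote_port, local_ip, local_port = src_ip, src_port, dst_ip, dst_port
    else:
        remote_ip, remote_port, local_ip, local_port = dst_ip, dst_port, src_ip, src_port
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(remote_ip) not in ace.remote:
            continue
        if ipaddress.ip_address(local_ip) not in ace.local:
            continue
        if ace.remote_port is not None and ace.remote_port != remote_port:
            continue
        if ace.local_port is not None and ace.local_port != local_port:
            continue
        return ace.action, idx
    return "deny", None                  # implicit deny at the end of every ACL


# The filter as posted in the thread: 'permit ip AWS gc-it' matches before the
# deny, in both directions, so AWS-initiated RDP and ping reach gc-it.
POSTED_ACL = [parse_ace(l) for l in (
    "access-list amzn-filter extended permit ip object AWS-10.200.0.0_16 object gc-it",
    "access-list amzn-filter extended deny ip any any",
)]

# Constructed alternative: a port on the ACE *source* (peer) side only matches
# sessions where the peer is the server, i.e. sessions the local side opened.
RESTRICTED_ACL = [parse_ace(l) for l in (
    "access-list amzn-filter extended permit tcp object AWS-10.200.0.0_16 eq 3389 object gc-it",
    "access-list amzn-filter extended deny ip any any",
)]

if __name__ == "__main__":
    aws, local = "10.200.200.172", "10.10.9.13"
    for name, acl in (("posted", POSTED_ACL), ("restricted", RESTRICTED_ACL)):
        print(name, "AWS->local RDP :", vpn_filter_verdict(acl, "tcp", aws, 50000, local, 3389, True))
        print(name, "AWS->local ping:", vpn_filter_verdict(acl, "icmp", aws, None, local, None, True))
        print(name, "local->AWS RDP :", vpn_filter_verdict(acl, "tcp", local, 51000, aws, 3389, False))
```

Run as a script it prints the verdict and matching ACE index for each flow: the posted ACL permits all three flows through entry 0, while the restricted ACL denies the AWS-initiated RDP and ping at entry 1 and permits only the locally initiated RDP session. The model covers the first packet of a connection only, which is what the stateful ASA evaluates against the filter; return traffic follows the established connection.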
04-18-2018 02:28 AM
Hi @GioGonza,
Do you need any more information?
04-18-2018 12:37 PM
Hello @M Mohammed,
Can you share the information for the ACL you have on the filter? vpn-filter value amzn-filter
Also, can you try a packet-tracer from your ASA in order to verify what is happening with the packet?
packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y
Share the output for this command: show vpn-sessiondb detail l2l filter <IP address>
HTH
Gio
04-19-2018 01:59 AM
ACL you have on the filter? vpn-filter value amzn-filter
access-list amzn-filter extended permit ip object AWS-10.200.0.0_16 object gc-it
access-list amzn-filter extended deny ip any any
packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS-10.200.0.0_16 AW-10.200.0.0_16
Additional Information:
NAT divert to egress interface outside
Untranslate 10.200.200.172/0 to 10.200.200.172/0
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside control-plane
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_23 any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_23
network-object object gc-it
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description class-default
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS-10.200.0.0_16 AWS-10.200.0.0_16
Additional Information:
Static translate 10.10.9.13/0 to 10.10.9.13/0
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description class-default
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS_US_10.200.0.0_16 AWS_US_10.200.0.0_16
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 129376265, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
show vpn-sessiondb detail l2l filter <IP address>
Session Type: LAN-to-LAN Detailed
Connection : x.x.x.x
Index : 51311 IP Addr : x.x.x.x
Protocol : IKEv1 IPsecOverNatT
Encryption : IKEv1: (1)AES256 IPsecOverNatT: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1
Bytes Tx : 2030735772 Bytes Rx : 2201564526
Login Time : 13:05:10 GMT/BDT Mon Apr 9 2018
Duration : 9d 20h:37m:15s
IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1
IKEv1:
Tunnel ID : 51311.1
UDP Src Port : 4500 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26341 Seconds
D/H Group : 2
Filter Name : amzn-filter
IPsecOverNatT:
Tunnel ID : 51311.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.200.0.0/255.255.0.0/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 3600 Seconds Rekey Left(T): 2476 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4604122 K-Bytes
Idle Time Out: 15 Minutes Idle TO Left : 15 Minutes
Bytes Tx : 2030747628 Bytes Rx : 2201586217
Pkts Tx : 6479463 Pkts Rx : 7061222
04-19-2018 08:52 AM
Hello @M Mohammed,
Checking the results of the show vpn-sessiondb command, your VPN tunnel has the correct ACL on it:
IKEv1:
Tunnel ID : 51311.1
UDP Src Port : 4500 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26341 Seconds
D/H Group : 2
Filter Name : amzn-filter
My first suggestion is to remove the line denying ANY ANY:
no access-list amzn-filter extended deny ip any any
For the change to take effect you need to bounce the VPN tunnel. On the other hand, I don't know what configuration you have on object gc-it; it could be a subnet or a host, but the thing here is that you need to run the packet-tracer with the traffic that is not allowed, and we should see the drop in the following phase:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: ALLOW
Config:
Additional Information:
Also, try to run the packet-tracer with detail at the end: packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y detailed
HTH
Gio
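Gio's advice is to run packet-tracer with a flow that should be blocked and look at the VPN/encrypt and ACCESS-LIST/filter-aaa phases. The following is an added example (not from the thread or from Cisco) that parses packet-tracer output in the format shown above and reports the first phase whose Result is DROP, the rule quoted in that phase's Config section, and the summary Drop-reason. The sample output is constructed to match the thread's layout with a shortened phase list; it is not real device output, and the Drop-reason text is an assumption about the format, not a captured line.

```python
# Constructed packet-tracer output modelled on the thread's format; it is not
# real device output, and the phase numbers are shortened on purpose. The flow
# is denied by the vpn-filter at the ACCESS-LIST / filter-aaa phase.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc inside

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
access-list amzn-filter extended deny ip any any
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the summary dict."""
    phases, summary, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            phases.append({"phase": int(value), "type": "", "subtype": "",
                           "result": "", "config": [], "info": []})
            section = None
        elif key == "Result" and value == "":
            section = "summary"          # a bare 'Result:' starts the final block
        elif section == "summary":
            summary[key] = value
        elif key == "Config" and value == "":
            section = "config"
        elif key == "Additional Information" and value == "":
            section = "info"
        elif section in ("config", "info"):
            phases[-1][section].append(line)   # lines quoted under Config / Additional Information
        elif key in ("Type", "Subtype", "Result"):
            phases[-1][key.lower()] = value
    return phases, summary


def first_drop(text):
    """Return the first phase whose Result is DROP, or None when every phase allows."""
    phases, _ = parse_packet_tracer(text)
    return next((p for p in phases if p["result"] == "DROP"), None)


def diagnose(text):
    """One-line verdict: which phase dropped the packet and which rule it quotes."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(text)
    if drop is None:
        return f"allowed through {len(phases)} phases (Action: {summary.get('Action', '?')})"
    where = f"{drop['type']}/{drop['subtype']}" if drop["subtype"] else drop["type"]
    rule = drop["config"][0] if drop["config"] else "no config shown"
    return f"dropped at phase {drop['phase']} ({where}): {rule}; {summary.get('Drop-reason', '')}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
```

Paste the real output of "packet-tracer ... detailed" into SAMPLE_OUTPUT (or read it from a file) to use this on a live capture. If every phase reports ALLOW and the final Action is allow, as in the output posted earlier in the thread, the filter never matched a deny entry for that flow, which is the case to explain before changing the ACL.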