What are the required Permits for allowing IPSec using ASA 8.4 ?

jimmyc_2
Level 1

In my lab I successfully built an IPsec tunnel between two ASAs.  There is a router in the middle to simulate the internet.

The tunnel only works when I allow ICMP echo.

Allowing ICMP 3,4 doesn't seem to matter.

I did not allow ESP, udp 4500 or udp 500 in the access-list, only ICMP echo.  Are they now allowed by default?

That runs counter to what I've read in the textbooks.

Can someone tell me what the default allowances are for v8.4 and above, and what I need to allow in my ACL?

Thanks.

1 Accepted Solution

You are welcome.

You need to have some match on the crypto ACL to trigger the tunnel, either icmp or whatever, but not necessarily icmp traffic, for example:

access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
or
access-list VPN extended permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
or
access-list VPN extended permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Basically any matching traffic would establish the tunnel.

If you are still unclear, please post your crypto ACL for review.

Regards,

Aref


5 Replies

Marvin Rhoads
Hall of Fame

Whenever you put an ACL on an interface, anything not explicitly allowed will be denied, i.e. you are in effect adding an implicit deny any any at the end of the ACL.

Remove the ACL or permit ESP (IP protocol 50), UDP ports 500 and 4500 (and possibly tcp/10000 for IPsec over TCP if you have that configured) and you should be OK.

Thanks Marvin,

Please see my reply to Aref for additional information.

The textbooks say I should open ICMP type 3 code 4, but say nothing about type 8, yet that is what I need to establish the tunnel?

Hi,

When the ASAs are acting as VPN terminators you would not need to allow either udp port 500 or 4500 on the interface access list; you would need to do that if the ASAs are acting as NAT devices, or on the routers in between the two ASAs. In addition, by default the ASAs' crypto access lists would bypass any interface access list.

Udp port 500 is being used by the IKE negotiation; when you enable the crypto map on the ASA outside interface you already bind that port to IKE negotiation. Udp port 4500 instead is being used only in case of the existence of PAT devices along the path, and that decision would be dynamically detected by the NAT-T feature if enabled on the ASA. One more feature would be IPsec pass-through, which allows the PAT-capable devices to create L4 translations based on the values of the SPI inside the packets.

Finally, the crypto access list should define any valid traffic from one end to the other, whether icmp or whatever, to trigger the tunnel.

Regards,

Aref
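As an added example (written for this edit, not posted by anyone in the thread), here is the relevant part of one ASA 8.4 side of the lab tunnel, combining Marvin's list of protocols with Aref's point about where they actually have to be permitted. Addresses are constructed: 203.0.113.1 is this ASA's outside interface, 198.51.100.1 is the peer, and the LANs are 192.168.0.0/24 (local) and 192.168.1.0/24 (remote) as in Aref's crypto ACL; the pre-shared key is a placeholder.

```cisco
! --- IKEv1 / IPsec parameters (constructed values) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK

! --- Crypto (interesting-traffic) ACL ---
! Any packet from the local LAN to the remote LAN that reaches the outside
! interface matches this and triggers IKE; it does not have to be ICMP echo.
access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- Interface ACL on outside ---
! IKE (udp/500, udp/4500) and ESP addressed to the ASA itself terminate on
! the box and are not evaluated by this through-traffic ACL, so no entries
! for them are needed here. With the default below, the decrypted
! LAN-to-LAN traffic bypasses this ACL as well.
sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! If the bypass is turned off, the decrypted traffic is checked by
! OUTSIDE_IN and needs its own permit (shown commented out):
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

! On any filtering device between the peers (the lab router, if it has an
! ACL), the transport itself must be allowed in both directions: udp/500,
! udp/4500 (only when NAT-T is in use) and ESP (IP protocol 50) between
! 203.0.113.1 and 198.51.100.1.
```

The peer ASA mirrors this with the source and destination networks swapped; the ACL on the inside interface, if any, still has to let the triggering packet (the ping here) reach the outside interface in the first place.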

Thanks Aref,

I forgot that "sysopt connection permit-vpn" is on by default after 7.1...

That takes care of allowing ESP and UDP-500.

I still don't understand why the tunnel will not establish until I allow ICMP-Echo?

The pinging device is contained in the interesting traffic ACL, on both devices. 

Neither device has NAT.

