I have an L3 4507 which does OSPF over a WAN, but it also does the routing to the Internet.
I have a host on the inside (10.100.1.23/24) which I need to route to the Internet over a native IPsec tunnel on port 22.
All other traffic from this host should go into OSPF not VPN.
I have made a route-map on the switch matching an ACL which permits 22 for that host and sets the next-hop to the FW inside interface IP.
Now, with TCP in the ACL, it is not working; all traffic originating from that source is being sent into OSPF over that WAN.
If I modify the ACL and replace TCP with IP, then it works, but all traffic from the host will be sent over the IPsec tunnel, which I don't want.
I could not really find any valid answer to this, so help is much wanted and appreciated!
Can you show us the ACL matching the TCP protocol?
Maybe it's only me, but what do you mean by "port 22"? Source? Destination?
If the source IP address is on a switchport VLAN, the ip policy will have to be applied to that VLAN. I noticed there is not enough information to be able to provide more feedback, but ensure that the ACL is set up for logging and that it is being matched in the router. The ip policy command is key here if the ACL is being used and it is properly configured. Also, set up a capture on the FW for outbound traffic from the same host.
The ACL is this:
ip access-list extended ALLOWVPN
 permit tcp host 10.100.1.23 any eq 22
And the route-map sets the next-hop to the FW's inside.
The ACL is matched in the route-map and the route-map is applied on the SVI. The thing is, there is no traffic reaching the FW's inside.
If I change it to "ip" instead of "tcp", then everything is good!
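The difference between the two ACLs comes down to what an IOS extended ACE actually tests. The following is an added example, not code from the thread: a small offline simulation of how a "permit tcp host A any eq 22" entry versus a "permit ip host A any" entry selects flows for policy routing. The firewall inside address (10.100.1.1) and the sample flows are constructed for the illustration; only the ACL lines come from the thread. Note that "eq 22" placed after the destination specifier is a destination-port test, so only connections the host opens to port 22 are policy-routed; the same keyword placed after the source specifier (also shown) would instead match traffic where the host is the SSH server.

```python
"""Simulate IOS extended-ACL matching and the PBR next-hop decision (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 = not applicable (e.g. icmp)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None     # "eq N" after the source spec; None = any
    dport: Optional[int] = None     # "eq N" after the destination spec; None = any


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume "host A" or "any" at tok[i]; the wildcard-mask form is not needed here."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address specifier: " + tok[i])


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional "eq N" at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse: permit|deny <proto> <src> [eq N] <dst> [eq N]."""
    tok = line.strip().rstrip(".").split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(action, proto, src, dst, sport, dport)


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in ace.src:
        return False
    if ipaddress.ip_address(f.dst) not in ace.dst:
        return False
    if ace.sport is not None and f.sport != ace.sport:
        return False
    return ace.dport is None or f.dport == ace.dport


def pbr_next_hop(acl: List[Ace], f: Flow, fw_inside: str) -> Optional[str]:
    """First matching ACE wins. A permit means 'set ip next-hop' applies;
    a deny or no match means the packet falls through to the normal routing
    table (OSPF over the WAN in the thread), represented here by None."""
    for ace in acl:
        if ace_matches(ace, f):
            return fw_inside if ace.action == "permit" else None
    return None


FW_INSIDE = "10.100.1.1"   # assumed firewall inside-interface address
HOST = "10.100.1.23"       # the host from the thread

# Constructed sample flows as seen on the SVI (all originate on the VLAN).
FLOWS: Dict[str, Flow] = {
    "ssh_out":        Flow("tcp", HOST, "203.0.113.10", sport=51000, dport=22),
    "https_out":      Flow("tcp", HOST, "203.0.113.10", sport=51001, dport=443),
    "dns_out":        Flow("udp", HOST, "10.200.0.53", sport=51002, dport=53),
    "host_is_server": Flow("tcp", HOST, "198.51.100.7", sport=22, dport=51003),
    "other_host_ssh": Flow("tcp", "10.100.1.50", "203.0.113.10", sport=51004, dport=22),
}


def decide(acl_line: str) -> Dict[str, Optional[str]]:
    """Return {flow name: next hop or None} for one single-entry ACL."""
    acl = [parse_ace(acl_line)]
    return {name: pbr_next_hop(acl, f, FW_INSIDE) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for acl_line in ("permit tcp host 10.100.1.23 any eq 22",
                     "permit tcp host 10.100.1.23 eq 22 any",
                     "permit ip host 10.100.1.23 any"):
        print(acl_line, "->", decide(acl_line))
```

With the thread's "tcp ... any eq 22" entry only the outbound SSH connection is policy-routed to the firewall and everything else from the host takes the OSPF path, which is the intended split; with "ip ... any" every flow from the host goes to the firewall. If a capture on the firewall's inside interface shows nothing at all with the tcp entry, the selection logic above is not the explanation and the counters on the ACE ("show access-lists") and the route-map ("show route-map") are the next thing to check.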
If the FW inside interface is also the management interface for the FW, the packet is being dropped by the firewall. Have you captured traffic on the FW inside interface? Also, the ACL is configured to allow SSH to any host, so have you tried to SSH to the FW inside interface? If you cannot connect to it, then you will find out the reason why the ACL is not working. I am assuming the ACL is matched with both TCP and/or IP, but the FW does not see this traffic the same way the router does. The router is forwarding packets and the FW is inspecting and applying rules to the traffic, and it is probably being blocked even before it gets to any ACL on it.
Thanks for this!
What you mean is, the FW's inside being the interface to which I connect with SSH for management? If this is what you meant, then yes, we are managing the FW through the inside with SSH indeed.
I have done some captures, and with TCP in the ACL the traffic does not even reach the FW; with IP, no problem, the traffic reaches the FW and is forwarded out!
There must be something in this situation that I am not understanding correctly. What I think I understand is that if you have the access-list specify ip host selection, then there are matches in the access-list and that traffic is correctly forwarded to the firewall for VPN (which indicates that the PBR configuration is correct). But if you change the access-list to specify tcp port 22, there are still matches in the access-list but the traffic is not forwarded to the firewall.
Perhaps you can provide some clarification?
- is it possible that something is changing more than just the access list?
- is it possible that there is something between the device doing PBR and the firewall that is dropping the tcp port 22 traffic?
- is it possible that the firewall is denying the tcp port 22 traffic for some reason?
- is it possible that the firewall is not sending the port 22 traffic through the VPN for some reason?
Your understanding is good; it took me some time as well to understand, because the issue is not actually mine but a friend of mine's, and he has not really provided me with too many details as he is not allowed to do so!
But to answer your questions:
- is it possible that something is changing more than just the access list? He is only changing the ACL.
- is it possible that there is something between the device doing PBR and the firewall that is dropping the tcp port 22 traffic? The FW has the inside interface connected to the same VLAN on which the PBR is applied.
- is it possible that the firewall is denying the tcp port 22 traffic for some reason? The port is being matched in the VPN ACL, but I am not sure if that is denied by the FW on a global or interface basis.
- is it possible that the firewall is not sending the port 22 traffic through the VPN for some reason? It is sending the SSH traffic when the policy ACL matches IP packets, not tcp 22, based on the crypto ACL.
I know this is strange , but to be honest this is pretty much all I know!