Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

How is this VPN still working when part of the config is removed?!

Hi,

Attached is the part of the config of my Cisco 877 router at a remote small office. It connects to a Cisco ASA at the HQ where all servers are kept.

The VPN is working fine and I have been testing with the ACL on the 877 and realiased nothing I changed on the config made any difference. So under "Interface Dialer1" I removed "ip access-group inbound_acl in) and then deleted "ip access-list extended inbound_acl" and the VPn is still fine!!

The remote site can connect to all systems over the VPN and visa versa, I thought "ip access-list extended inbound_acl" allowed inbound access to this remote site - clearly not.

I can only think the SA "access-list 101 permit ip 172.19.2.0 0.0.0.255 any"

and

"crypto map MY_Crypto_Map 10 ipsec-isakmp

match address 101"

Are allowing all the traffic through,?

Hope you can clear this confusion up for me.

16 REPLIES
New Member

Re: How is this VPN still working when part of the config is rem

The tunnel actually bypasses the ACL on the dialler interface.

These lines in the inbound ACL make sure the tunnel itself remains up

permit ahp host x.x.x.x any

permit esp host x.x.x.x any

permit udp host x.x.x.x any eq isakmp

permit udp host x.x.x.x any eq non500-isakmp

If you want to limit access it could be done on the interface towards your LAN (outbound ACL) or on the remote site (better).

New Member

Re: How is this VPN still working when part of the config is rem

Thanks,

but I removed:

These lines in the inbound ACL make sure the tunnel itself remains up

permit ahp host x.x.x.x any

permit esp host x.x.x.x any

permit udp host x.x.x.x any eq isakmp

permit udp host x.x.x.x any eq non500-isakmp

and the tunnel stayed up too

"If you want to limit access it could be done on the interface towards your LAN (outbound ACL) or on the remote site (better)."

Do you mean I should just get my Cisco ASA to lock down the traffic?

Thanks

New Member

Re: How is this VPN still working when part of the config is rem

You are trying to apply an ACL to encrypted traffic. Your firewall / router is allowing the traffic because it is looking at the tunnel header. You need to apply the inbound_acl inbound on the inside interface before it is encrypted.

The other option is to adjust your crypto acl to not define that traffic as "interesting".

New Member

Re: How is this VPN still working when part of the config is rem

Hi, I'm getting a little confused so I do apologies.

1.) So the "inbound_acl" that I put on the dialer 1 interface inbound to the remote office LAN is being bypassed because the traffic is already encrypted through the VPN? So this is why the ACL is not required?

2.) So what interface should it be on as I only have dialer 1 and VLAN 1 for the LAN.

3.) These lines in the inbound ACL make sure the tunnel itself remains up

permit ahp host x.x.x.x any

permit esp host x.x.x.x any

permit udp host x.x.x.x any eq isakmp

permit udp host x.x.x.x any eq non500-isakmp

but I removed the ACL "inbound_acl" and the tunnel remains up still is this right?

4.) Because this router is setup as a VPN does it mean that traffic is trusted and and ACL/ACE are not required, but can be if you want to lock it down?

Thanks and sorry for the questions, it's funny as I had a Cisco CCNP it do do this with me and he created the config.

New Member

Re: How is this VPN still working when part of the config is rem

1. I am not saying it is being bypassed. The portion of the ACL that deals with private IP addresses will never match because that portion of the packet has been encrypted.

2. I can only see a portion of the configuration and I don't know what your network looks like so it is impossible to say. Where do all these 192.168 networks reside? Where are the 172.19 networks?

3. It is true that if you are going to apply an ACL to the Dialer1 interface you need to have protocol 50 and port 500 permitted but the tunnel does not require an acl. If you remove the ACL the VPN will still connect. The crypto ACL is the only ACL that is required.

access-list 101 permit ip 172.19.2.0 0.0.0.255 any

4. Again the router doesn't require an ACL but it would certainly be best practice to include one.

I am going to assume that the 192.168 networks are on the ASA side and the 172.19 networks are on the 877 side.

If that is true you might put this portion of the ACL on the inside interface of your ASA

permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255

permit udp host 192.168.21.19 host 172.19.2.1 eq snmp

Leave this portion of the ACL where it is

permit udp any any eq isakmp

permit esp any any

deny icmp any any timestamp-request

deny icmp any any timestamp-reply

permit icmp any any

permit udp any any eq ntp

permit ahp host 80.171.150.66 any

permit esp host 80.171.150.66 any

permit udp host 80.171.150.66 any eq isakmp

permit udp host 80.171.150.66 any eq non500-isakmp

New Member

Re: How is this VPN still working when part of the config is rem

I appreciate your time and help very much.

1.) So the ACl has to be applied before encryption or after, thing is I only have 2 interfaces, dialer 1 for the WAN and vlan 1 for the LAN.

2.) You are right - The 192.168 IP are at the HQ where the Cisco ASA is, the 172.19 range is at the remote office where this config is from.

3.) SI see I did add an ACL to the dialer 1 but had no ACE's in the ACL and the VPN worked fine, is add port 50 and 500 inbound then just good practice to add them?

4.) I see you get the ASA to control the inbound access to the ASA, is there any way to get the 877 to control this?

New Member

Re: How is this VPN still working when part of the config is rem

There are 2 ways to control what traffic can transition the tunnel.

1. You can use the crypto ACL and only include those addresses that you want to access the far end network.

2. You can use an ACL on the inside interface (either inbound or outbound) to block the traffic before it enters or as it exits the tunnel.

It is most common to block traffic with an ACL on the inside interface before it enters the tunnel because it prevents the traffic from wasting your bandwidth only to be blocked on the far side.

If you had an ACL applied to the Dialer interface with no ACE it would only include a deny any any. I can't explain that. A VPN tunnel would require these ACE entries at a minimum.

permit udp any any eq isakmp

permit esp any any

New Member

Re: How is this VPN still working when part of the config is rem

1.) I understand, I could just remove then "any" and add the subnets over at the ASA side, can you confirm if this is best practice? Would this mean all ports are open for these ranges (no port blocking)?

2.) When you say "inside interface" I understand this for the ASA, but would this be the dialer 1 or VLAn 1 interface on the 877?

2.1) "It is most common to block traffic with an ACL on the inside interface before it enters the tunnel because it prevents the traffic from wasting your bandwidth only to be blocked on the far side." is this both side of the tunnel?

3.) I'm pretty sure I removed my ACL and left the "ip access-group inbound_acl in" on the dialer 1 only and it still worked. Did you say it would be bypassed anyway because of encryption.

This has all come about because I can't seem to git this inbound ACL on the dialer 1 to do take notice. Can I do a test to see if it can block any inbound traffic from the ASA?

New Member

Re: How is this VPN still working when part of the config is rem

1. I wouldn't recommend using the crypto ACL to filter traffic. It definitely isn't best practice.

2. It would be the VLAN 1 interface.

2.1 Yes both sides of the tunnel. To filter 192.168 traffic from reaching the 172 network you would place an ACL on the inside interface of the ASA in the inbound direction. To filter 172 traffic from the 192 network you would place the ACL on the VLAN 1 interface in the inbound direction.

If you want to test this try adding an ACL on the VLAN1 int. in the outbound direction on the 877.

ip access-list extended 877_V1_OUT

permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255

permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255

permit udp host 192.168.21.19 host 172.19.2.1 eq snmp

New Member

Re: How is this VPN still working when part of the config is rem

Update:

1.) I kept the "inbound_acl in" on dialer1 and just had this ACL

ip access-list extended inbound_acl

permit udp host 80.171.150.66 any eq isakmp

permit esp host 80.171.150.66 any

deny ip any any log

It seems as soon as I added "permit esp host 80.171.150.66 any" everything from the ASA 192 side is given access to the 172 remote LAN. If I remove it then I can no longer access anything at the remote 172 site.

2.) Also (apologies for missing this) in the config I have:

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

interface Vlan1

ip address 172.19.2.1 255.255.255.0

ip inspect outbound in

What is this doing, is it dynamically opening the ports inbound ports to the VLAN? Well I removed it and nothing changed.

Re: How is this VPN still working when part of the config is rem

When VPN-traffic arrives at your interface Dialer1, it is still encapsulated. This implies that the contents are NOT inspected by the acl that monitors your incoming traffic.

Also, since this is a router, having no acl means all traffic is permitted by default.

What is allowed through the VPN is determined by your acl 101.

regards,

Leo

New Member

Re: How is this VPN still working when part of the config is rem

So to control traffic I should stick the ACL in the VLAN1?

New Member

Re: How is this VPN still working when part of the config is rem

That would work. Personally I never stick an ACL on a VLAN interface, only inspection rules, but rather on the physical interface (in your case probably FastEthernet). The 877 should have a physical connection to the LAN with one of the interfaces, and setting it up on the physical interface is better than the VLAN interface.

Although it would be better to configure the remote site to never allow the traffic into the tunnel in the first place.

New Member

Re: How is this VPN still working when part of the config is rem

Hi,

1.) There is an inspection rule inbound on the VLAN1 (same as the fastethernet), what does this do compared to an ACL?

ip inspect tcp reassembly queue length 64

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

interface Vlan1

ip address 172.19.2.1 255.255.255.0

ip inspect outbound in

2.) Also at the ASA 192 side where it seems any subnet I go on to try and access this 877 can, as I'm using "any" it's allowing any ip range? Then I should simply do the blicking on the ASA?

New Member

Re: How is this VPN still working when part of the config is rem

1.) ip inspect are essentially rules. For more information see

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1185863

2.) any means any host can pass regardless of IP address. You might want to modify this access-list to permit only hosts you want to. But when doing so, make sure you permit anything that needs to be permitted. There may be a requirement to allow more hosts to access for example HTTP through the tunnel.

New Member

Re: How is this VPN still working when part of the config is rem

1.) so they are sort of dynamic rules and only get created when needed. I have them on the inbound on VLAN1 so i take these rules get created when traffic from the other side of the VPN tries to enter the LAN of the 877 router?

2.) We have to tunnel all traffic including http internet traffic through the VPN as it gets monitored and filtered back at the HQ. So I guess I "any" is there to cover this?

Do I even need the inspect rules as they other chap said "having no acl means all traffic is permitted by default.

What is allowed through the VPN is determined by your acl 101"

166
Views
0
Helpful
16
Replies
CreatePlease to create content