topic Issue trying to setup VPN IPSec tunnel using extended acl in Network Security

Issue trying to setup VPN IPSec tunnel using extended acl

mococo001 — Tue, 12 Mar 2019 06:16:09 GMT

Hi,

I'm currently trying to setup a VPN IPSec tunnel with an ASA (9.3.1 version) with a SaaS proxy provider.

In order to only redirect web traffic I've been using extended acl matching services http and https for redirection in the tunnel.

However, it appears to not work as expected.

To prepare such configuration, I used templates from proxy provider.

Anyone has a clue?

Here's an extract of the configuration that I've been using:

group-object service PXY_SVC
service-object tcp destination eq 443
service-object tcp destination eq 80


! ACL definition (encryption domain) for the  IPSec tunnel
 
!access-list PXY-ACL extended deny ip *src_definition* *dst_definition*  
access-list PXY-ACL extended permit object-group object PXY_SVC object SubnetTest any 
 
 
! Phase 2 config
 
crypto ipsec ikev1 transform-set esp-null-md5 esp-null esp-md5-hmac
 

 
crypto map outside 7 match address PXY-ACL
crypto map outside 7 pfs
crypto map outside 7 set connection-type originate-only
crypto map outside 7 set peer x.x.x.x x.x.x.x
crypto map outside 7 set ikev1 transform-set esp-null-md5
crypto map outside 7 set security-association lifetime seconds 3600
 
! Phase 1 config
 
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
 
! Primary destination
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key **************
peer-id-validate nocheck
isakmp keepalive threshold 10 retry 5
 
! Secondary destination
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key **************
peer-id-validate nocheck
isakmp keepalive threshold 10 retry 5

object service TCP_80
service tcp destination eq www

object service TCP_443
service tcp destination eq https

nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_80 description NO NAT  HTTP
nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_443 description  NO NAT HTTPS

Thanks in advance for your help!

Hi,Looking at the config:

Dinesh Moudgil — Sun, 19 Jul 2015 07:20:28 GMT

Hi,

Looking at the config:-

access-list PXY-ACL extended deny ip *src_definition* *dst_definition*
access-list PXY-ACL extended permit object-group object PXY_SVC object SubnetTest any

You can run into issues if *src_definition* *dst_definition* are included in PXY_SVC. You might want to set permit statement above the deny entry.

Suggested way would be to create IP based proxy ACL rather port based and then use VPN filter to restrict traffic to be sent over VPN tunnel.

Here is a good read on VPN filter and their implementation:-
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

In such case , you will have
access-list PXY-ACL extended permit object-group SubnetTest any , as proxy ACL and then restrict the traffic using VPN filter.

{This post should be under VPN rather Firewalling domain for better visibility}

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Please share the output

Mohammed al Baqari — Sun, 19 Jul 2015 16:31:46 GMT

Please share the output of

show crypto isa sa

debug crypto ikev1 127