topic If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel? in Network Security

If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

CiscoBrownBelt — Fri, 21 Feb 2020 17:16:29 GMT

Say the interesting traffic is ANY source on the ASA where you have IPSEC tunnels built. If I ping a destination IP which is deemed interesting traffic, what is a good way confirm the traffic is taking the IPSEC tunnel?

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

balaji.bandi — Wed, 03 Jul 2019 21:22:08 GMT

if the default route interface tunnel yes, if not take - depends on source IP it will take path for outbound traffic.

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

CiscoBrownBelt — Wed, 03 Jul 2019 21:29:21 GMT

I am not sure if I follow given its an IPSEC on no tunnel inteface IP like gre. The default route on the ASA does not point to a tunnel destination. Is that what you mean?

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

CiscoBrownBelt — Wed, 03 Jul 2019 21:39:52 GMT

To add, the default route points to next hop of outside interface which is what tunnel uses?

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

Rob Ingram — Wed, 03 Jul 2019 21:45:17 GMT

Hi,
If the source and destination IP addresses are referenced in the crypto ACL (identified as interesting traffic) then traffic should go via the VPN tunnel.

If those networks are private IP address (RFC 1918) then they would not be routeable over the internet and therefore could only be routed over a tunnel.

You can confirm the path of the traffic via packet capture on the remote ASA.

HTH

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

CiscoBrownBelt — Wed, 03 Jul 2019 21:47:23 GMT

I can't access the remote device.
For interesting traffic, the source is ANY so that means it should take it correct?

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

Rob Ingram — Wed, 03 Jul 2019 21:51:19 GMT

What is the output of "show crypto ipsec sa" are the encaps and decaps increasing?

What is the configuration of the other firewall? Is the destination "any"?
What is the output of "show crypto ipsec sa" on the remote device? encaps|decaps?

Do you have a NO-NAT rule defined, to ensure the traffic is not unintentially natted?

HTH

Re: If you ping from ASA headend device where IPSEC tunnels built, does ping take tunnel?

balaji.bandi — Thu, 04 Jul 2019 07:29:56 GMT

What i meant was, by defautl you are pointing your Public Facing IP address towards ISP, that way you able to establish Tunnels.

So if you ping from the device it uses Public IP address so it will go to ISP.

If you have setup ACL and they are part of IPSEC Tunnel intresting traffic, if you source them they use Tunnel.

First step is - make sure your IPSEC Tunnel up and running, other side also allow your IP RANGE ( no duplication of IP RANGe, if any you need do double NAT.)

you can check with show crypto command for the traffic going via tunnel.

it would be nice provide more configuration both the sides including show crypto information to suggest best.