topic Re: tunnel drop in Network Security

tunnel drop

suthomas1 — Mon, 11 Mar 2019 19:00:11 GMT

we have below list for an ipsec tunnel

access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248

access-list 195 line 2 extended permit udp host 192.168.300.130 172.16.100.0 255.255.255.248 eq domain

the other remote end of ipsec , when tries to even ping or trace to 192.168.200.110 or 192.168.300.130 , the vpn connection goes down.

why does it do so.

TIA.

Re: tunnel drop

Jitendriya Athavale — Tue, 26 Oct 2010 02:37:13 GMT

please brief u smore about what the 2 devices in question are and what kind of vpn is setup

also what exactly do you mean when you say that ping brings down the tunnel (is it that ping brings the tunnel down or the tunnel is not coming up at all )

Re: tunnel drop

suthomas1 — Tue, 26 Oct 2010 02:52:27 GMT

sorry for omitting those initially.

our end is an ASA and other end has cisco router.

Ipsec tunnel comes up without any problem at first and if ping is done from 172.16.100.2 or so ip to 192.168.100.0 /24 it works well.

however, whenever the remote end 172.16.100.0 255.255.255.248 pings or does traceroute to 192.168.200.110 or 192.168.200.130 , the tunnel goes down.

hope this information is much clearer.

thanks.

Re: tunnel drop

Jitendriya Athavale — Tue, 26 Oct 2010 03:20:45 GMT

so if i understand you right you say the tunnel gpoes down bcoz you dont see ping replies coming in

if that is the reason assuming access-list 195 is the acl to define vpn traffic or crypto traffic, as you can see you are allowing only spefic ports through vpn for that ip's that is hwy you are not able to ping if you want to allow everything between the 2 hosts use the following on crypto acl on both ends

access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.200.110 172.16.100.0 255.255.255.248

access-list 195 line 2 extended permit ip host 192.168.300.130 172.16.100.0 255.255.255.248

the change has been highlighted in bold

Re: tunnel drop

suthomas1 — Tue, 26 Oct 2010 03:37:28 GMT

does that mean if we try to initiate connection to traffic not covered under define acl 195 , the tunnel will go down.

in that case how do we nail down the traffic to only the required tcp or udp ones rather than ip ..

thanks.

Re: tunnel drop

Jitendriya Athavale — Tue, 26 Oct 2010 03:53:12 GMT

the tunnel does not go down, the traffic does not go through the tunnel

so what ever tarffic is defined in that crypto acl only goes through the tunnel

can you please paste the output of

show run crypto -> on the asa

Re: tunnel drop

suthomas1 — Tue, 26 Oct 2010 04:11:49 GMT

thanks,

i have masked some values.

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map kepp 60 match address 195
crypto map kepp 60 set peer y.y.y.y
crypto map kepp 60 set transform-set vpn
crypto map kepp 60 set security-association lifetime seconds 28800
crypto map kepp 60 set security-association lifetime kilobytes 4608000
crypto map kepp interface External
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn VPNASABU.abc.com
subject-name CN=VPNASABU
serial-number
crl configure
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Thank You

Re: tunnel drop

Jitendriya Athavale — Tue, 26 Oct 2010 04:23:57 GMT

yeah so as i said before

make cahnegs to that acl on both ends and pings will start working

Re: tunnel drop

Jitendriya Athavale — Tue, 26 Oct 2010 04:28:18 GMT

so if you do not want to alow everything you can use wht you have in addition to that you can allow icmp betwene the 2 hosts for testing connectivity

access-list 195 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248

access-list 195 extended permit icmp host 192.168.300.130 172.16.100.0 255.255.255.248

hope this helps

let me know if you have more questions

Re: tunnel drop

Daniela Herrera — Tue, 26 Oct 2010 22:18:19 GMT

Hello!

As far as I know, the best practices are to select only "ip" for the access-list applied on the crypto map.

If you want to limit ports you can do it on your inside access-group ACLs for both ends or use a VPN-FIlter on the ASA.Here's a sample config for the VPN-Filters on the ASA:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In any case.. if you are willing to test by limiting the protocol on the crypto map access-list, both ends most have exactly the same access-list (mirrored) for the VPN to work. I understand this makes the encryption process harder for the appliance since more Security Associations are created when specific ports are selected instead of when only IP is selected.

Regards,