I have a working site-to-site IPsec VPN (created with the ASDM wizard), where the remote hosts come into our network through the range 172.16.203.0/24, and they can access some hosts in our local DMZ at addresses 220.127.116.11.
But, I don't have a good conceptual understanding of how the ASA processes these packets. Are they from the Outside interface? Does the VPN magically map them into the DMZ or Inside interface? What controls this?
I was hoping to use the built-in Packet Tracer to experiment with this, but I don't know how to get the Packet Tracer to use the VPN tunnel. Is there a way to set the Packet Trace to be as if its source is via an established VPN connection?
Without hinting to the Packet Tracer to use a VPN connection, if I trace from the outside port, the packets are blocked, because generic outside packets can't get here, only packets via the VPN. Or, if I source the packet tracer packets from inside, then they are dropped because "Reverse-path verify failed". (I'm not sure if this is merely because the Packet Trace is not using the VPN, or if I should actually add the VPN ranges to my inside definitions.) Again, the actual tunnel seems to work, but I can't figure out how to experiment with it via ASDM traces.
Also, related to my cluelessness about where VPN packets seem to come from: how is this related to "sysopt connection permit-vpn"?
Thanks for any clues you can share.
Look, if you had reverse route injection it would demonstrate that the network is posted on the interface where the tunnel is applied, in most cases outside; if you don't have this feature on, then run with the idea that if it is not in your routing table, in that case it is placed at your default gateway.
You won't get a successful packet tracer if you originate the packet from the outside to the inside, since the packet is not encapsulated and the packet tracer will give you a drop. When you run a packet-tracer for IPsec LAN-to-LAN, you do it from the local network to the remote VPN network.
I need more details regarding your configuration so I can continue explaining, so a show tech would be greatly appreciated.
Sysopt connection permit-vpn
That is for traffic that is part of VPN to not need to go through the ACLs applied on the interface.
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists.
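As an added illustration (not part of the original thread or the poster's configuration) of how the answer above is usually applied on the ASA CLI: trace the flow in the direction the tunnel actually carries it, from a local host to a host in the remote VPN range, and check whether the interface ACL is bypassed. The interface names, the local host 192.168.1.10 and the crypto map name OUTSIDE_MAP are assumptions; the remote range 172.16.203.0/24 comes from the question.

```cisco
! Assumed values: inside host 192.168.1.10, interface names "inside"/"outside",
! crypto map OUTSIDE_MAP. Remote VPN range 172.16.203.0/24 is from the question.

! 1. Confirm the tunnel is up and which SA covers the remote range.
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.1

! 2. Trace from the LOCAL network toward the REMOTE VPN network.
!    Look for a phase of Type VPN / Subtype encrypt near the end of the
!    output; that is the point where the ASA matches the crypto ACL and
!    sends the packet into the tunnel. Sourcing the trace on "outside"
!    cannot work: packet-tracer injects a plaintext packet, and the
!    appliance only accepts the remote range after decryption.
packet-tracer input inside tcp 192.168.1.10 12345 172.16.203.5 443 detailed

! 3. Check whether decrypted VPN traffic skips the interface ACLs.
!    With "sysopt connection permit-vpn" present, the ACCESS-LIST phase
!    for tunnel traffic is bypassed; without it, the outside interface
!    ACL must explicitly permit 172.16.203.0/24 to the DMZ hosts.
show running-config sysopt
show running-config access-group

! 4. Optional: reverse route injection puts the remote range into the
!    routing table on the interface the crypto map is applied to, which
!    answers "where do these packets come from" for route lookups and
!    reverse-path checks. Configured per crypto map entry:
crypto map OUTSIDE_MAP 10 set reverse-route
show route | include 172.16.203.0
```

The peer address 203.0.113.1 is a documentation-range placeholder; substitute the real remote peer. If step 2 still reports "Reverse-path verify failed" for the inside source, the problem is the source address rather than the VPN: the traced host must be reachable via the inside interface according to the routing table for the RPF check to pass.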