L2L ACL issue with Cisco ASA to AWS Cloud

Warren

Good day;

 

Need help seeing what I am not seeing at the moment. I have built an L2L to the AWS cloud. I run a packet tracer outbound and that passes, but when I run packet tracer outbound in I keep getting denied by the implicit rule. I have gone over my configs and I don't see what is denying it; perhaps a fresh pair of eyes will see what I am not seeing.

Here is my config

 

object network dw01
host 10.20.10.103

object network dw01-NATLDN
host 10.180.0.103


object-group network Amazon.LocalLDN
network-object 10.180.0.0 255.255.255.0

object-group network Amazon-RemoteLDN
network-object 10.30.0.0 255.255.0.0


access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0


nat (INSIDE,OUTSIDE) source static dw01 dw01-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN


crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac

crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set pfs group2
crypto map OUTSIDE_map 15 set peer 52.56.71.96 
crypto map OUTSIDE_map 15 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 15 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 15 set nat-t-disable

tunnel-group 52.56.71.96 type ipsec-l2l
tunnel-group 52.56.71.96 general-attributes
default-group-policy Amazon-LDN
tunnel-group 52.56.71.96 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10

group-policy Amazon-LDN internal
group-policy Amazon-LDN attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value amznLDN-filter
vpn-tunnel-protocol ikev1

 

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x738e6b38, priority=13, domain=capture, deny=false
hits=2884362251, user_data=0x73831aa0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x72f221c0, priority=1, domain=permit, deny=false
hits=31054542779, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cd1e50, priority=11, domain=permit, deny=true
hits=28748828, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

 

Thank you in advance for your help!!
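
An added example, not part of the original post: a small Python parser that splits packet-tracer output into phases and reports the first phase that dropped the packet, with the rule fields from the flow lookup. The sample input is constructed from phases 3 and 4 of the trace above (abbreviated); the function names are illustrative.

```python
import re

# Constructed sample: phases 3 and 4 of the trace in the post, abbreviated.
SAMPLE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cd1e50, priority=11, domain=permit, deny=true
hits=28748828, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
input_ifc=OUTSIDE, output_ifc=any
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase: N' block."""
    phases = []
    for block in re.split(r"(?m)^(?=Phase:\s*\d+)", text):
        if not block.strip().startswith("Phase:"):
            continue
        p = {}
        for key in ("Phase", "Type", "Subtype", "Result"):
            m = re.search(rf"(?m)^{key}:[ \t]*(.*)$", block)
            p[key.lower()] = m.group(1).strip() if m else ""
        cfg = re.search(r"(?ms)^Config:[ \t]*\n(.*?)^Additional Information:", block)
        p["config"] = cfg.group(1).strip() if cfg else ""
        # key=value pairs from the flow-lookup rule (domain, deny, input_ifc, ...)
        p["rule"] = dict(re.findall(r"(\w+)=([^,\s]+)", block))
        phases.append(p)
    return phases

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if all allowed."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)

if __name__ == "__main__":
    d = first_drop(parse_phases(SAMPLE))
    print(d["phase"], d["type"], d["config"], d["rule"].get("input_ifc"))
```
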

1 Accepted Solution

Warren

Apologies, I should have tested this before posting, but I took an existing connection into AWS that is working and did the same packet tracer, and it failed. So I went back and checked the new tunnel and I can see phase 1 and 2 complete. I can see encaps but no decaps. I can also see that the tunnel has established, so the issue isn't with the tunnel, it is the routing back from AWS. Apologies for the headaches, but I appreciate all who looked.

Warren

One more thing on this: I made a few updates. I changed

 

no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

 

to 

access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN

as I found out AWS tunnels are route-based and they require that "any" be used in the cryptomap match ACL, and that all restrictions be done via VPN-Filter or routing.

 

I also removed

no access-list amznLDN-filter extended permit ip host 52.56.71.96 host 207.126.125.10

Filter traffic comes in from the remote end, and filters are applied after the tunnel is formed.

 
