12-03-2012 06:49 PM - edited 03-11-2019 05:31 PM
I have a site to site VPN configured on an ASA5505. The tunnel is up and the interesting traffic is successfully being encrypted. The issue is that when inbound traffic originating from a subnet outside of the encrypted range is destined to the subnet within the encrypted range, the return traffic is sent into the tunnel and obviously fails.
My access-list
access-list inside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.224 10.2.2.0 255.255.255.0
access-list pci_nat0_outbound extended permit ip 10.1.2.0 255.255.255.224 10.2.2.0 255.255.255.0
When traffic from 1.1.1.0/24 to 10.2.2.0/24 traverses the firewall, the return traffic goes into the tunnel, but it doesn't have the correct match parameters?
Am I missing something? I'm expecting that only traffic matching the crypto map will use the tunnel and all other traffic will utilize the default route.
Sent from Cisco Technical Support iPad App
12-03-2012 11:42 PM
Hi,
The traffic you mention shouldn't be forwarded to the VPN connection.
Could you perhaps share your configuration (remove any sensitive information where needed) and we could check if there is any clear reason for this.
There is a possibility (at least if you are using a very new software version) that a NAT rule is overriding the routing table in your case. You might have a NAT rule that determines the egress interface, for example. EDIT: Didn't think before writing again. Seems that you are using below 8.3 software at least, since you have a NAT0 rule access-list. In the newer software it isn't done in that way anymore.
If in doubt you could also use the "packet-tracer" to see what rules are being applied to the traffic you mention.
Command format is:
packet-tracer input
With the above command the ASA should list what happens to that type of connection when it enters the ASA in the specified input interface. Copy the output here if you use the command.
- Jouni
12-04-2012 07:19 AM
Thanks for the reply Jouni. Yes, I'm running 8.2.5 FIPS. Below is my packet-tracer; notice that phase 4 appears to hit the VPN.
FW-1# packet-tracer input inside tcp 1.1.1.13 1024 10.1.2.5 139
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.0 255.255.255.224 pci
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp host 1.1.1.13 10.1.2.0 255.255.255.224 eq netbios-ssn
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 449106, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: pci
output-status: up
output-line-status: up
Action: allow
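As an added example (not code from the thread or from Cisco), a small Python parser for the packet-tracer output format shown above: it splits the output into per-phase records plus the final summary and reports which phases matched the flow to an IPsec tunnel (Type: VPN), which is the check being discussed. The sample trace is constructed and abridged from the output quoted above.

```python
import re

# Constructed sample, abridged from the packet-tracer output quoted in the thread above.
SAMPLE_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.0 255.255.255.224 pci
Phase: 2
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: inside
output-interface: pci
Action: allow
"""
# Field lines packet-tracer emits; any other line is free text under Config / Additional Information.
FIELD_RE = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information|Action|input-\S+|output-\S+):\s*(.*)$")

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records plus the final summary block."""
    phases, summary = [], {}
    current, section = None, None  # phase being filled, and which free-text field collects lines
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            section = None  # any field line ends a free-text run
            if key == "Phase":
                current = {"phase": int(value), "config": [], "info": []}
                phases.append(current)
            elif key == "Result" and value == "":
                current = None  # a bare "Result:" opens the final summary block
            elif key in ("Config", "Additional Information"):
                section = "config" if key == "Config" else "info"
            elif current is not None:
                current[key.lower()] = value
            else:
                summary[key.lower()] = value
        elif current is not None and section and line.strip():
            current[section].append(line.strip())
    return {"phases": phases, "summary": summary}

def vpn_phases(trace):
    """Phase numbers where the flow was matched to an IPsec tunnel (Type: VPN)."""
    return [p["phase"] for p in trace["phases"] if p.get("type") == "VPN"]
```

Run against the full output from the post, `vpn_phases` returns the phase number of the ipsec-tunnel-flow entry, so a flow that should have stayed on the default route can be spotted without reading every phase by hand.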
12-04-2012 08:55 AM
Hi,
Would it be possible to get the configuration of the firewall (minus any sensitive information) so I can go through it? Would be much easier to look through the whole situation.
- Jouni