07-15-2015 06:47 AM - edited 03-11-2019 11:16 PM
Hi,
I'm currently trying to set up an IPsec VPN tunnel between an ASA (version 9.3.1) and a SaaS proxy provider.
In order to redirect only web traffic, I've been using an extended ACL matching the HTTP and HTTPS services for redirection into the tunnel.
However, it appears to not work as expected.
To prepare this configuration, I used the templates from the proxy provider.
Does anyone have a clue?
Here's an extract of the configuration that I've been using:
group-object service PXY_SVC
 service-object tcp destination eq 443
 service-object tcp destination eq 80
!
! ACL definition (encryption domain) for the IPSec tunnel
!
access-list PXY-ACL extended deny ip *src_definition* *dst_definition*
access-list PXY-ACL extended permit object-group object PXY_SVC object SubnetTest any
!
! Phase 2 config
crypto ipsec ikev1 transform-set esp-null-md5 esp-null esp-md5-hmac
crypto map outside 7 match address PXY-ACL
crypto map outside 7 pfs
crypto map outside 7 set connection-type originate-only
crypto map outside 7 set peer x.x.x.x x.x.x.x
crypto map outside 7 set ikev1 transform-set esp-null-md5
crypto map outside 7 set security-association lifetime seconds 3600
!
! Phase 1 config
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
! Primary destination
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key **************
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 5
!
! Secondary destination
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key **************
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 5
!
object service TCP_80
 service tcp destination eq www
object service TCP_443
 service tcp destination eq https
nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_80 description NO NAT HTTP
nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_443 description NO NAT HTTPS
Thanks in advance for your help!
07-19-2015 12:20 AM
Hi,
Looking at the config:-
access-list PXY-ACL extended deny ip *src_definition* *dst_definition*
access-list PXY-ACL extended permit object-group object PXY_SVC object SubnetTest any
You can run into issues if *src_definition* *dst_definition* are included in PXY_SVC. You might want to put the permit statement above the deny entry.
The suggested way would be to create an IP-based proxy ACL rather than a port-based one, and then use a VPN filter to restrict the traffic sent over the VPN tunnel.
Here is a good read on VPN filters and their implementation:-
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
In that case, you will have
access-list PXY-ACL extended permit object-group SubnetTest any, as the proxy ACL, and then restrict the traffic using the VPN filter.
{This post should be under the VPN domain rather than Firewalling for better visibility}
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
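To make the two points in the reply above concrete (crypto ACLs are evaluated first-match, so the relative order of a deny and a permit decides which wins; and an IP-based crypto ACL with the port restriction moved into a vpn-filter), here is an added example ASA configuration. It is not from the original post, the proxy provider's template or Cisco's documentation. SubnetTest, PXY-ACL and the crypto map name "outside 7" are taken from the thread; PXY-VPN-FILTER, PXY-GP and the peer address x.x.x.x are assumed placeholders.

```cisco
! Added example configuration, not the poster's own. Names other than
! SubnetTest, PXY-ACL and "crypto map outside 7" are assumed placeholders.
!
! --- Crypto ACL (encryption domain): IP-based, no ports ---
! Crypto ACLs are matched top-down, first match wins. Any deny meant to
! carve a destination out of the tunnel must sit ABOVE the broad permit;
! a deny placed below "permit ip SubnetTest any" is never reached.
access-list PXY-ACL extended permit ip object SubnetTest any
!
crypto map outside 7 match address PXY-ACL
!
! --- VPN filter: only TCP/80 and TCP/443 may cross the tunnel ---
! A vpn-filter ACL is written from the REMOTE peer's point of view:
! source = remote (proxy) side, destination = local side. The ASA keeps
! connection state, so "any eq 80 -> SubnetTest" also admits the local
! hosts' outbound connections to port 80 (their replies come from port 80).
access-list PXY-VPN-FILTER extended permit tcp any eq 80 object SubnetTest
access-list PXY-VPN-FILTER extended permit tcp any eq 443 object SubnetTest
! Implicit deny at the end: anything else that matched the crypto ACL
! is dropped here, not forwarded outside the tunnel.
!
group-policy PXY-GP internal
group-policy PXY-GP attributes
 vpn-filter value PXY-VPN-FILTER
!
! Attach the policy to the L2L tunnel-group of the peer (repeat for the
! secondary peer, which has its own tunnel-group in the original post).
tunnel-group x.x.x.x general-attributes
 default-group-policy PXY-GP
```

Two things to check once this is in place. First, the filter only narrows what the crypto ACL already pulled into the tunnel: traffic from SubnetTest that matches PXY-ACL but not PXY-VPN-FILTER is discarded rather than routed to the Internet, so the crypto ACL (and the matching NAT exemption) still has to describe exactly what should reach the proxy. Second, after the tunnel comes up, `show vpn-sessiondb detail l2l` shows the filter name applied to the session, and `show crypto ipsec sa` shows the per-SA encapsulated and decapsulated counters, which is the quickest way to see whether web traffic is actually entering the tunnel. Separately, the transform set in the original post (esp-null with esp-md5-hmac) authenticates packets but does not encrypt them, so the redirected web traffic crosses the path to the provider in clear text.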
07-19-2015 09:31 AM
Please share the output of
show crypto isa sa
debug crypto ikev1 127