Issue trying to setup VPN IPSec tunnel using extended acl

mococo001
Level 1

Hi,

I'm currently trying to set up a VPN IPsec tunnel between an ASA (version 9.3.1) and a SaaS proxy provider.

In order to redirect only web traffic, I've been using an extended ACL matching the HTTP and HTTPS services for redirection into the tunnel.

However, it does not appear to work as expected.

To prepare this configuration, I used templates from the proxy provider.

Does anyone have a clue?

Here's an extract of the configuration that I've been using:

! Service object group: HTTP and HTTPS
! ("group-object" only nests an existing group inside another one;
! the definition keyword is "object-group")
object-group service PXY_SVC
 service-object tcp destination eq 443
 service-object tcp destination eq 80

! ACL definition (encryption domain) for the IPsec tunnel
!access-list PXY-ACL extended deny ip *src_definition* *dst_definition*
access-list PXY-ACL extended permit object-group PXY_SVC object SubnetTest any

! Phase 2 config
! NULL encryption with MD5 integrity: the tunnel authenticates but does not
! encrypt the traffic it carries
crypto ipsec ikev1 transform-set esp-null-md5 esp-null esp-md5-hmac

crypto map outside 7 match address PXY-ACL
crypto map outside 7 set pfs
crypto map outside 7 set connection-type originate-only
crypto map outside 7 set peer x.x.x.x x.x.x.x
crypto map outside 7 set ikev1 transform-set esp-null-md5
crypto map outside 7 set security-association lifetime seconds 3600

! Phase 1 config
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600

! Primary destination
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key **************
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 5

! Secondary destination
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key **************
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 5

! NAT exemption, limited to the two web services
object service TCP_80
 service tcp destination eq www

object service TCP_443
 service tcp destination eq https

! twice NAT takes a real and a mapped service object; identity here
nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_80 TCP_80 description NO NAT HTTP
nat (inside,outside) source static SubnetTest SubnetTest destination static any any service TCP_443 TCP_443 description NO NAT HTTPS

Thanks in advance for your help!

2 Replies

Dinesh Moudgil
Cisco Employee

Hi,

Looking at the config:

access-list PXY-ACL extended deny ip *src_definition* *dst_definition*
access-list PXY-ACL extended permit object-group PXY_SVC object SubnetTest any

You can run into issues if *src_definition* and *dst_definition* are included in PXY_SVC. You might want to put the permit statement above the deny entry.

The suggested way would be to create an IP-based proxy ACL rather than a port-based one, and then use a VPN filter to restrict the traffic sent over the VPN tunnel.

Here is a good read on VPN filters and their implementation:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

In that case you will have

access-list PXY-ACL extended permit ip object SubnetTest any

as the proxy ACL, and then restrict the traffic using the VPN filter.

{This post should be under the VPN rather than the Firewalling domain for better visibility.}

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Please share the output of:

show crypto isa sa
debug crypto ikev1 127
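The IP-based crypto ACL plus VPN filter arrangement suggested in the reply above, written out as an added example; it is not part of the original thread or of the provider's templates. SubnetTest, PXY-ACL, the crypto map "outside 7", the NAT exemption rules and the peer x.x.x.x are taken from the post; the names PXY-VPN-FILTER and PXY-GP are assumed.

```cisco
! Added example (not from the original post or Cisco's document):
! IP-based crypto ACL, with HTTP/HTTPS enforced by a vpn-filter.
! Assumed names: PXY-VPN-FILTER, PXY-GP. Everything else is from the post.

! 1. Crypto ACL (encryption domain) matches on IP only.
!    The peer must mirror this exactly (SubnetTest <-> any).
clear configure access-list PXY-ACL
access-list PXY-ACL extended permit ip object SubnetTest any

! 2. vpn-filter ACL. A vpn-filter ACL is always written with the REMOTE
!    side as source and the LOCAL side as destination, for both directions
!    of the tunnel, so the web server's port is the SOURCE port here.
!    The filter is stateful: return traffic of a permitted connection is
!    allowed, and there is an implicit deny for everything else.
access-list PXY-VPN-FILTER extended permit tcp any eq www object SubnetTest
access-list PXY-VPN-FILTER extended permit tcp any eq https object SubnetTest

! 3. Attach the filter through a group policy bound to both tunnel-groups
!    (primary and secondary peer; both are x.x.x.x in the post).
group-policy PXY-GP internal
group-policy PXY-GP attributes
 vpn-filter value PXY-VPN-FILTER
 vpn-tunnel-protocol ikev1

tunnel-group x.x.x.x general-attributes
 default-group-policy PXY-GP
tunnel-group x.x.x.x general-attributes
 default-group-policy PXY-GP

! 4. The NAT exemption rules from the post (TCP_80 / TCP_443) are left
!    unchanged; see the note below on why they matter.

! 5. Verify. "Filter Name" must show PXY-VPN-FILTER for the L2L session,
!    and the encaps/decaps counters for the peer must increase.
show vpn-sessiondb detail l2l
show crypto ipsec sa peer x.x.x.x
```

Two practitioner notes on this layout. First, the ASA evaluates the crypto map after NAT, so only traffic that still carries a SubnetTest source address when it reaches the crypto map enters the tunnel; with the port-specific identity NAT rules from the post, that is exactly TCP/80 and TCP/443, while other traffic is translated and leaves directly. If the NAT exemption is widened to all IP traffic, everything from SubnetTest is steered into the tunnel and the filter then drops all but web traffic instead of letting it out, so the two pieces have to be designed together. Second, unrelated to the ACL question but visible in the posted config: the transform set esp-null esp-md5-hmac provides integrity only, with no confidentiality, so plain HTTP sent to the proxy crosses the Internet in clear text; if the provider supports it, an AES transform set (for example esp-aes-256 esp-sha-hmac) should be preferred.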
