Need to secure GRE traffic through ASA firewalls with IPSec tunnels

jpergolizzi
Level 1

Hey folks, this is my first post here so I am hoping someone can assist. I am setting up a site-to-site connection in my lab using ASA firewalls and ISR routers on each end. The goal is to establish an IPSec tunnel between the ASAs and pass GRE tunnel traffic / EIGRP through the ASAs between the ISR routers. The ASAs, btw, are both running 8.4.

I have been able to establish the IPSec tunnel and also have the GRE tunnel and EIGRP working. However, I need to lock this down on the ASA, as currently my access-list referenced by the crypto map is set to permit ip any any.

My attempts to lock this down have failed so far, and all the reading I've done on the internet does not seem to be helping as it mostly references running IPSec/GRE on routers only.

Another note is that, on one end, we need to split-tunnel local traffic to the internet. So, the GRE tunnel traffic would not be NATed, but the local direct out to the internet (default route) would be NATed.

So I could use some help here. I've attached a network diagram. I will grab the configs and add them shortly.

Thanks,

Jim

7 Replies

As for "locking down" traffic going over the tunnel, you could just add an ACL to the VTI interface on the ASAs.

Regarding the split tunnel: since you are using GRE, you should be able to advertise the routes you want to go over the GRE tunnel in EIGRP and just configure a default route for internet traffic.

--
Please remember to select a correct answer and rate helpful posts

I agree on the alternative way to lock down the traffic; I would only add that the VTI interfaces would be on the ISRs, as ASA 8.4 would not support them.

Marius, hi there, thanks for the response. We are not running VTIs on the ASA; the tunnel interfaces are on the ISR routers and the ASA only provides IPsec encryption of the GRE traffic and default-outbound NAT traffic.

slicerpro
Level 1

On the ASAs the crypto ACL should contain the GRE source/destination IPs, then you should do twice NAT for that traffic on the ASA as well. With that, the rest of the traffic will be NATed and not be sent on the tunnel.

Hey all, thanks for all the responses so far; my apologies for not getting config snippets up front. I've attached configs for the ISR router and ASA firewall on the remote site side.

Thanks,

Jim

Made an additional tweak to NAT in the remote-side ASA.

Changed from:

nat (Inside,outside) source static 10-X-X-X-All 10-X-X-X-All destination static 10-X-X-X-All 10-X-X-X-All no-proxy-arp
!
nat (Inside,outside) after-auto source dynamic any interface

To:
nat (Inside,outside) source static FS#52_ISR4431_LOOPBACK0 FS#52_ISR4431_LOOPBACK0 destination static CTYHL_ISR4551_LOOPBACK0 CTYHL_ISR4551_LOOPBACK0 no-proxy-arp
!
nat (Inside,outside) after-auto source dynamic FS#52_INSIDE_NETWORKS interface
nat (Inside,outside) after-auto source dynamic FS#52_GUEST_WLAN_LAN interface

The IPSec tunnel is still up, as is the GRE tunnel and the EIGRP neighbors. So I am thinking now that, at least for the NAT piece, this should basically do the following:

1. Perform identity NAT (no NAT) on the ISR loopback interfaces (these are the source for the tunnels)
2. Perform auto NAT on the internal networks to the outside interface IP
3. Perform auto NAT on the internal Guest_WLAN net to the outside interface IP

Does this sound right?

Here's my xlate and conn table:
s52fdnfwlcfw01# sh xlate
6 in use, 80 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from Inside:10.218.232.1 to outside:10.218.232.1
    flags sIT idle 0:18:56 timeout 0:00:00
NAT from outside:10.218.232.2 to Inside:10.218.232.2
    flags sIT idle 0:18:56 timeout 0:00:00
NAT from outside:0.0.0.0/0 to Inside:0.0.0.0/0
    flags sIT idle 0:12:27 timeout 0:00:00
NAT from outside:0.0.0.0/0 to Inside:0.0.0.0/0
    flags sIT idle 0:08:40 timeout 0:00:00
s52fdnfwlcfw01#
 
s52fdnfwlcfw01# sh conn
4 in use, 84 most used
GRE outside 10.218.232.2:0 Inside  10.218.232.1:0, idle 0:00:04, bytes 1243024, flags  
GRE outside 10.218.232.2:0 Inside  10.218.232.1:0, idle 0:00:00, bytes 1244708, flags  
s52fdnfwlcfw01#
Folks, I think I might have gotten some more of this. I updated the crypto ACLs today to permit GRE between the loopbacks on each side. The tunnels (IPSec and GRE) are still up and passing traffic. So I think the last piece is to create the ACLs for the NATed default outbound traffic to the internet.

Here are the snippets; if someone can validate them I'd appreciate it.

object network FS#52_ISR4431_LOOPBACK0
 host 10.218.232.1
 description GRE Tunnel Source
object network CTYHL_ISR4551_LOOPBACK0
 host 10.218.232.2
 description GRE tunnel dest
access-list FS#52_CRYPTOMAP_ACL extended permit gre object FS#52_ISR4431_LOOPBACK0 object CTYHL_ISR4551_LOOPBACK0 log
nat (Inside,outside) source static FS#52_ISR4431_LOOPBACK0 FS#52_ISR4431_LOOPBACK0 destination static CTYHL_ISR4551_LOOPBACK0 CTYHL_ISR4551_LOOPBACK0 no-proxy-arp
!
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto map outside_map 1 match address FS#52_CRYPTOMAP_ACL
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.2 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map interface outside
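An added check (not from the thread or from Cisco) that audits the two points raised above: that the crypto ACL referenced by the crypto map permits only GRE between named loopback objects rather than ip any any, and that an identity twice-NAT rule exists for that object pair so the tunnel endpoints are not PATed out the interface. The config excerpts are constructed from the poster's snippets; the auditing logic and its findings wording are assumptions.

```python
import re

# Constructed ASA 8.4-style excerpts modelled on the thread's snippets; the object
# names and loopback addresses are the poster's, everything else is assumed.
LOCKED_DOWN = """\
object network FS#52_ISR4431_LOOPBACK0
 host 10.218.232.1
object network CTYHL_ISR4551_LOOPBACK0
 host 10.218.232.2
access-list FS#52_CRYPTOMAP_ACL extended permit gre object FS#52_ISR4431_LOOPBACK0 object CTYHL_ISR4551_LOOPBACK0 log
nat (Inside,outside) source static FS#52_ISR4431_LOOPBACK0 FS#52_ISR4431_LOOPBACK0 destination static CTYHL_ISR4551_LOOPBACK0 CTYHL_ISR4551_LOOPBACK0 no-proxy-arp
nat (Inside,outside) after-auto source dynamic FS#52_INSIDE_NETWORKS interface
crypto map outside_map 1 match address FS#52_CRYPTOMAP_ACL
"""
# The starting point the poster wanted to get away from: everything is "interesting" traffic.
WIDE_OPEN = """\
access-list FS#52_CRYPTOMAP_ACL extended permit ip any any
crypto map outside_map 1 match address FS#52_CRYPTOMAP_ACL
"""


def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'object NAME' or 'host IP'); return (kind, value)."""
    kind = tokens.pop(0)
    return (kind, None) if kind == "any" else (kind, tokens.pop(0))


def audit_crypto_acl(config):
    """Return a list of findings; an empty list means every crypto-map ACL is GRE-only,
    scoped to named objects, and backed by an identity twice-NAT rule for that pair."""
    lines = config.splitlines()
    findings = []
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M))
    for acl in sorted(acls):
        for ace in (l for l in lines if l.startswith(f"access-list {acl} ")):
            m = re.match(r"access-list \S+ extended permit (\S+) (.+?)(?: log)?$", ace)
            if not m:
                continue  # deny entries and non-extended ACEs are out of scope here
            proto, tokens = m.group(1), m.group(2).split()
            src, dst = _endpoint(tokens), _endpoint(tokens)
            if proto != "gre":
                findings.append(f"{acl}: protocol '{proto}' instead of gre")
            if "any" in (src[0], dst[0]):
                findings.append(f"{acl}: 'any' endpoint widens the interesting traffic")
            if src[0] == dst[0] == "object":
                # Identity twice NAT: source and destination each mapped to themselves.
                rule = f"source static {src[1]} {src[1]} destination static {dst[1]} {dst[1]}"
                if not any(rule in l for l in lines):
                    findings.append(f"{acl}: no identity twice-NAT for {src[1]} -> {dst[1]}")
    return findings
```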
