S2S VPN Tunnels and ACE entries

keithcclark71
Level 3

I was under the impression that for an S2S tunnel, on each side, along with the NAT for the tunnel, one has to define firewall rules for remote tunnel access through the outside interface to the inside interface, and also from the inside interface a rule allowing the inside network to the remote tunnel network. From what I see, it seems that all I need is inside network to remote network? How are access list rules applied to the tunnels?

6 Replies

@keithcclark71 on what device, ASA or FTD? On the ASA, by default the interface ACLs are ignored. On the FTD you have to explicitly permit traffic in the ACP. In your instance, if traffic is never initiated from the remote network to inside, then you do not need to permit traffic, as the FTD is stateful; the return traffic will automatically be permitted. However, if communication is initiated from the remote network to inside, then you'd need an ACP rule to permit this traffic.

Thanks Rob,

The ASA I inherited has at least a hundred rules applied to the outside interface related to remote VPN subnets, so whoever did this put in a lot of time for nothing. I was wondering why so many of these had 0 hit counts; now it makes sense.

Alan Inman
Level 1

@Rob Ingram that is really good info. What is weird, I have an FTD running 30+ l2l tunnels, and only 3 of them have hit counts. The rest are "0". I jumped into the CLI, and many that show "0" also show the vendor being the initiator, not us. The tunnels work, so I'm not overly concerned, but now I'm wondering how they are working.

@Alan Inman possibly a bug or traffic is matching another rule perhaps? From the CLI - run "system support firewall-engine-debug", match on the source or destination IP address of the vendor and determine what rule number the connection matches.

How can you tell from the CLI who the initiator is?

@keithcclark71 On the ASA, use "show conn detail" and check the flags of a connection - "I" is initiator data.
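Rob's two points above (check the connection flags in "show conn detail", and on an FTD only flows initiated from the remote side need an explicit ACP permit) as an added example that is not code from this thread: a small Python parser over constructed sample output that lists the connections initiated from the remote tunnel network. The record layout, the Initiator/Responder line and the addresses are assumptions, not captured from a device.

```python
import ipaddress
import re

# Constructed sample of ASA "show conn detail" output (not captured from a real
# device); the "Initiator:/Responder:" line layout is assumed from ASA 9.x.
SAMPLE = """\
TCP outside: 198.51.100.20/443 inside: 192.168.1.10/54321,
    flags UIO, idle 0s, uptime 2m10s, timeout 1h0m, bytes 3420
  Initiator: 192.168.1.10, Responder: 198.51.100.20
UDP outside: 172.16.50.7/161 inside: 192.168.1.25/49152,
    flags -, idle 5s, uptime 5s, timeout 2m0s, bytes 0
  Initiator: 192.168.1.25, Responder: 172.16.50.7
TCP outside: 172.16.50.9/55000 inside: 192.168.1.40/22,
    flags UI, idle 1s, uptime 30s, timeout 1h0m, bytes 512
  Initiator: 172.16.50.9, Responder: 192.168.1.40
"""

CONN_RE = re.compile(r"^(TCP|UDP) (\S+): (\S+)/(\d+) (\S+): (\S+)/(\d+),")
FLAGS_RE = re.compile(r"flags ([^,]+),")
INIT_RE = re.compile(r"Initiator: (\S+), Responder: (\S+)")


def parse_conns(text):
    """Group the multi-line records into dicts; one dict per connection."""
    conns, cur = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:  # header line starts a new record
            cur = {"proto": m.group(1), "flags": "",
                   "initiator": None, "responder": None}
            conns.append(cur)
            continue
        if cur is None:
            continue
        if (f := FLAGS_RE.search(line)):
            cur["flags"] = f.group(1).strip()
        if (i := INIT_RE.search(line)):
            cur["initiator"], cur["responder"] = i.group(1), i.group(2)
    return conns


def remote_initiated(conns, remote_net):
    """Connections whose initiator sits in the remote tunnel network.

    Flag "I" (initiator data) confirms the initiator has actually sent
    traffic; on an FTD these are the flows that need an explicit ACP permit,
    since only responder traffic rides on the stateful return path."""
    net = ipaddress.ip_network(remote_net)
    return [c for c in conns
            if c["initiator"] and ipaddress.ip_address(c["initiator"]) in net
            and "I" in c["flags"]]


if __name__ == "__main__":
    for c in remote_initiated(parse_conns(SAMPLE), "172.16.50.0/24"):
        print(c["proto"], c["initiator"], "->", c["responder"], c["flags"])
```

Feed it the real "show conn detail" output and the remote tunnel subnet; any connection it prints is one whose initiator is on the far side and whose hit counts therefore land on an inbound rule rather than the inside-to-remote one.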

 
