
SITE TO SITE VPN WITH PIX.

V Kalsi (Level 1)

Hello all,
Need a suggestion!

My goal:
Communication between the R3 loopback interface and R1 using a site-to-site VPN.
Everything is working fine, but I have a doubt.

Below is the configuration.

I have an ACL created on the PIX and on R3.

***PIX***
access-list 101 extended permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0

***R3***
access-list 101 permit ip 10.11.20.0 0.0.0.255 10.11.11.0 0.0.0.255

With the ACL created on the PIX I am able to communicate both ways, R3(lo1)--->R1 and R1-->R3(lo1). Now my doubt is: how am I able to communicate from R3 to R1, though the ACL is created only for the direction R1 to R3?

What I have learnt till now is that we need an ACL to allow traffic from outside to inside.

Please share your valuable thoughts.

Please let me know if any more configuration details are required.


9 Replies

Richard Burts (Hall of Fame), accepted solution

It is good to know that you have configured the site to site VPN and that it works. The answer to your question is fairly simple. When used for VPN the access list operates in a bidirectional manner. The ACL may be written for R1 to R3 but it recognizes and permits traffic R3 to R1 also.

HTH

Rick

Hello Richard,
Thank you very much, I got your point.
I have one more query: I tried to put the ACL in reverse order but that did not work. Could you please explain why that is so?

access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0

You are welcome. I am glad that my explanation was helpful. I explained that the ACL acts bidirectional, which means that it identifies local traffic going to remote and also identifies remote traffic coming to local. When you tried this version of the ACL
access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0

then it assumes that 10.11.20.0 are local addresses and 10.11.11.0 are remote, but that is not the case, is it?

HTH

Rick

Hello Richard,
1. As you can see, I am explicitly allowing traffic from outside to inside using the ACL. So why is it not working?
2. In a normal scenario that is how we allow traffic from outside to inside, right?
3. Is there an exception when we use VPN?
access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0

In your original post you indicated that everything was working fine. Is that not the case?

 

In general you are correct that PIX and ASA require an access list to permit traffic initiated from outside to get to destinations inside. But there is, in fact, an exception to this for VPN traffic. If data is received from outside on a configured, authenticated, and active vpn then that traffic is allowed to inside destinations without requiring an ACL on the outside interface.

HTH

Rick

Richard, yes indeed my topology is working fine.

R1>>>>PIX<<<<<ISP(R2)<<<<<R3 (Lo0)

In my original post I put the ACL on the PIX in the R1 to R3 (lo0) direction and it is working fine.
Then in the previous post I changed my ACL direction to R3(lo0) to R1 and communication got terminated.

So you are saying there is an exception for the ACL when allowing traffic from outside to inside while using VPN infrastructure?

Thanks in advance

Perhaps we can answer this question by considering how access lists are used.

 

The most common use of access lists is to control what data is permitted and what is denied as data goes through an interface. On PIX and ASA we apply an ACL to an interface to control the flow of data packets. When a normal packet comes from the Internet the PIX/ASA examines whether the packet is a response to something that was initiated inside, or is permitted by an ACL, or is received on a vpn connection. So there is no need for an ACL to permit receiving of vpn packets.

 

Another use of ACL is to identify what traffic from a local source to some remote destination will be encrypted by vpn. This is the use of ACL that you are asking about. It is applied bidirectionally (so you do not need one for in and another for out) and it must be consistent about which traffic is local and which traffic is remote. That is why it did not work when you reversed the entries.

HTH

Rick
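The two ACL roles Rick describes above can be checked mechanically. The following is an added example and is not code from the thread or from Cisco: it parses the PIX crypto ACL (subnet masks) and the R3 crypto ACL (wildcard masks) quoted in the thread, normalizes both to networks, tests whether the two sides are mirror images of each other, and classifies a packet in each direction the way a crypto map does: "encrypt" when the packet matches the entry as written (local to remote), "decrypt" when it matches the mirror (remote to local, the bidirectional behaviour). The sample host addresses 10.11.11.5 and 10.11.20.1 and the `summarize` helper are constructed for illustration; the classification is a simplified model of the selector check, not the PIX implementation.

```python
"""Model how a crypto ACL classifies traffic for a site-to-site IPsec VPN.

Added example, not part of the original thread. Parses the PIX ACL (subnet
masks) and the IOS ACL (wildcard masks), checks that the peers are mirror
images, and classifies sample packets in both directions.
"""
import ipaddress
import re
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip' entry: traffic from src (local side) to dst (remote side)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "CryptoAce":
        # The entry the peer's crypto ACL must carry for this one.
        return CryptoAce(self.dst, self.src)


def _mask_to_prefix(mask: str, wildcard: bool) -> int:
    """Turn a dotted mask into a prefix length.

    PIX/ASA ACLs use subnet masks (255.255.255.0); IOS numbered ACLs use
    wildcard masks (0.0.0.255). Converting explicitly avoids the ambiguity
    of 0.0.0.0, which is /0 as a subnet mask but /32 as a wildcard.
    """
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= ALL_ONES
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def _take_network(tokens: list, wildcard: bool) -> ipaddress.IPv4Network:
    """Consume one address spec from the tokens: 'any', 'host A', or 'A MASK'."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    prefix = _mask_to_prefix(tokens.pop(0), wildcard)
    return ipaddress.ip_network(f"{kw}/{prefix}", strict=False)


ACE_RE = re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(.*)$")


def parse_crypto_acl(text: str, wildcard: bool) -> list:
    """Parse 'access-list N [extended] permit ip SRC DST' lines.

    Only 'permit ip' entries matter for a crypto map: it selects traffic for
    the tunnel rather than filtering it, so deny lines are simply skipped.
    """
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        src = _take_network(tokens, wildcard)
        dst = _take_network(tokens, wildcard)
        aces.append(CryptoAce(src, dst))
    return aces


def classify(aces: list, src_ip: str, dst_ip: str):
    """How the crypto ACL sees a packet (simplified model of the selector check).

    'encrypt': matches src->dst as written, so it is sent into the tunnel.
    'decrypt': matches the mirror (dst->src), the direction expected to arrive
               from the tunnel; this is the bidirectional behaviour.
    None     : not interesting traffic, handled outside the VPN.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return "encrypt"
        if s in ace.dst and d in ace.src:
            return "decrypt"
    return None


def is_mirror(local: list, remote: list) -> bool:
    """True when every local entry has its exact mirror on the peer and vice versa."""
    return {a.mirrored() for a in local} == set(remote)


# ACLs quoted in the thread (R3 uses wildcard masks, the PIX uses subnet masks)
PIX_ACL = "access-list 101 extended permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0"
PIX_ACL_REVERSED = "access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0"
R3_ACL = "access-list 101 permit ip 10.11.20.0 0.0.0.255 10.11.11.0 0.0.0.255"

# Constructed sample hosts: one on R1's network behind the PIX, R3's loopback
R1_HOST, R3_LO = "10.11.11.5", "10.11.20.1"


def summarize(pix_acl: str) -> dict:
    """Evaluate one PIX crypto ACL against R3's ACL and both traffic directions."""
    pix = parse_crypto_acl(pix_acl, wildcard=False)
    r3 = parse_crypto_acl(R3_ACL, wildcard=True)
    return {
        "mirror_of_r3": is_mirror(pix, r3),
        "r1_to_r3": classify(pix, R1_HOST, R3_LO),
        "r3_to_r1": classify(pix, R3_LO, R1_HOST),
    }


if __name__ == "__main__":
    for label, acl in (("original", PIX_ACL), ("reversed", PIX_ACL_REVERSED)):
        print(label, summarize(acl))
```

With the original PIX ACL the two sides mirror each other and R1-to-R3 traffic is selected for encryption while R3-to-R1 traffic is the decrypt direction; with the reversed line the mirror check fails and the roles swap, which is why the tunnel stopped passing traffic. The separate exemption Rick describes for decrypted traffic reaching inside hosts without an interface ACL is the PIX `sysopt connection permit-ipsec` setting (`sysopt connection permit-vpn` on PIX 7.x and ASA, enabled by default); with it turned off, decrypted packets are subject to the outside interface ACL like any other inbound traffic.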

Thank you so much Richard. I got the point.

You are welcome. I am glad that my explanations have been helpful.

HTH

Rick