Solved: Transparent Mode firewall denying ESP packets inbound

allensurface · ‎11-23-2010

I configured a transparent firewall and found problems of not being able to ping devices reachable via the tunnel when forming a VPN connection from my laptop out to another firewall, while looking at the log view on the transparent firewall, I noticed that it said that it was denying ESP packets inbound on the outside interface. I wound up enabling ESP inbound on the outside to fix this, but would like to know if that is the nature of the transparent firewall. I thought that is should know how to handle the ESP packets, but it wasn't.

Thanks,

Maykol Rojas · ‎11-23-2010

Hello

You are totally right, implementing this is a little bit different from the routed mode. Take a look at the following

"You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance."

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

ESP is portless protocol and IP protocol 50, so it definetly will need an ACL to allow the traffic to go through. Dont worry, this is a common practice and it wont open any security breach.

Cheers.

Mike

View solution in original post

Maykol Rojas · ‎11-23-2010

Hello Allen,

Eventhough this firewall is on Transparent, security levels and all that stuff still apply. I will suggest you to place an ACL permitting the ESP packets from outside to inside and try it again

Cheers.

Mike

allensurface · ‎11-23-2010

MIke, thanks, that is exactly what I did to get this working. My question is, is this best practice? I can't seem to find any documentation regarding this, I thought the ASA would inspect the traffic coming from inside->outside (stateful) and I shuldn't need to alloq ESP in from the outside. I have always worked with routed mode on the ASA's so I just want to make sure I am configuring this correctly.

Thanks,

allensurface · ‎11-23-2010

MIke, one other note, I enabled IPSEC pack inspection and it still didn't work.

inspect ipsec-pass-thru

To enable IPSec Pass Thru inspection, use the inspect ipsec-pass-thru command in class map configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.

inspect ipsec-pass-thru [map_name]

no inspect ipsec-pass-thru [map_name]

Syntax Description


map_name	(Optional) The name of the IPSec Pass Thru map.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:


Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
	Routed	Transparent	Single	Context	System
Class configuration	•	•	•	•	—

Command History


Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The inspect ipsec-pass-thru command enables or disables application inspection. IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and/or AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.

Use the IPSec Pass Through parameter map to identify a specific map to use for defining the parameters for the inspection. Use the policy-map type inspect command to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout in parameters configuration.

Use class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces. The parameter map defined is enabled when used with the inspect IPSec-pass-thru command.

NAT and non-NAT traffic is permitted. However, PAT is not supported.

Note In ASA 7.0, the inspect ipsec-pass-thru command allowed only ESP traffic to pass through. To retain the same behavior in later versions, a default map that permits ESP is created and attached if the inspect ipsec-pass-thru command is specified without any arguments. This map can be seen in the output of the show running-config all command.

Examples

The following example shows how to use access lists to identify IKE traffic, define an IPSec Pass Thru parameter map, define a policy, and apply the policy to the outside interface:

hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500

hostname(config)# class-map ipsecpassthru-traffic

hostname(config-cmap)# match access-list ipsecpassthruacl

hostname(config)# policy-map type inspect ipsec-pass-thru iptmap

hostname(config-pmap)# parameters

hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00

hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00

hostname(config)# policy-map inspection_policy

hostname(config-pmap)# class ipsecpassthru-traffic

hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap

hostname(config)# service-policy inspection_policy interface outside

Maykol Rojas · ‎11-23-2010

Hello

You are totally right, implementing this is a little bit different from the routed mode. Take a look at the following

"You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance."

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

ESP is portless protocol and IP protocol 50, so it definetly will need an ACL to allow the traffic to go through. Dont worry, this is a common practice and it wont open any security breach.

Cheers.

Mike

allensurface · ‎11-23-2010

Thanks!!

Maykol Rojas · ‎11-23-2010

Hey..

Thank you for rating...

Cheers.

Mike