11-23-2010 04:34 AM - last edited on 03-25-2019 05:45 PM by ciscomoderator
I configured a transparent firewall and found that I was not able to ping devices reachable via the tunnel when forming a VPN connection from my laptop out to another firewall. While looking at the log view on the transparent firewall, I noticed that it said it was denying ESP packets inbound on the outside interface. I wound up enabling ESP inbound on the outside to fix this, but would like to know if that is the nature of the transparent firewall. I thought that it should know how to handle the ESP packets, but it didn't.
Thanks,
11-23-2010 08:49 AM
Hello
You are totally right, implementing this is a little bit different from routed mode. Take a look at the following:
"You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance."
ESP is a portless protocol (IP protocol 50), so it will definitely need an ACL to allow the traffic to go through. Don't worry, this is a common practice and it won't open any security breach.
Cheers.
Mike
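As an added example (not configuration from the thread, and not Cisco's documentation), this is the minimal ACL a transparent-mode ASA needs for the scenario above: a laptop on the inside builds an IPsec tunnel to a remote VPN gateway, and the returning ESP has to be permitted on the outside interface. The interface names `outside`/`inside`, the access-list name `outside_in` and the 203.0.113.0/24 range standing in for the remote VPN gateway are assumptions; narrow the source to the real gateway addresses rather than `any`, so the permit only admits ESP from peers you actually tunnel to.

```cisco
! Added example, not from the original post. Names and addresses are assumptions.
! Outbound IKE (UDP 500), NAT-T (UDP 4500) and ESP leave from the higher security level
! (inside, 100) toward the lower one (outside, 0), so no ACL is needed in that direction.
!
! Inbound: ESP is IP protocol 50 and carries no ports, so returning tunnel traffic arriving
! on outside must be permitted explicitly. Restrict the source to the known VPN gateway(s).
access-list outside_in extended permit esp 203.0.113.0 255.255.255.0 any
!
! Only if the remote gateway can also initiate IKE toward the laptop (rekeys, DPD from the peer
! side); otherwise leave these out and let the laptop's outbound IKE open the UDP flows.
access-list outside_in extended permit udp 203.0.113.0 255.255.255.0 any eq isakmp
access-list outside_in extended permit udp 203.0.113.0 255.255.255.0 any eq 4500
!
! Apply it inbound on the outside interface. The implicit deny at the end keeps every other
! unsolicited inbound flow blocked, which is the same default you had before the ACL.
access-group outside_in in interface outside
!
! Verification after bringing the tunnel up from the laptop:
! show access-list outside_in        -> the esp line's hitcnt should increase
! show conn | include ESP            -> the tracked ESP flow between laptop and gateway
! show logging | include Deny        -> the earlier inbound ESP denies should stop appearing
```

If you prefer not to leave a static ESP permit in place, `inspect ipsec-pass-thru` (quoted from the command reference further down in this thread) ties the ESP/AH flows to an IKE UDP 500 connection the firewall has already seen, with a per-client connection cap and idle timeout; the ACL above is the simpler of the two and is what the accepted answer describes.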
11-23-2010 04:59 AM
Hello Allen,
Even though this firewall is in transparent mode, security levels and all that stuff still apply. I would suggest you place an ACL permitting the ESP packets from outside to inside and try it again.
Cheers.
Mike
11-23-2010 08:25 AM
Mike, thanks, that is exactly what I did to get this working. My question is, is this best practice? I can't seem to find any documentation regarding this. I thought the ASA would inspect the traffic coming from inside->outside (stateful) and I shouldn't need to allow ESP in from the outside. I have always worked with routed mode on the ASAs, so I just want to make sure I am configuring this correctly.
Thanks,
11-23-2010 08:39 AM
Mike, one other note: I enabled IPsec pass-thru inspection and it still didn't work.
To enable IPSec Pass Thru inspection, use the inspect ipsec-pass-thru command in class map configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ipsec-pass-thru [map_name]
no inspect ipsec-pass-thru [map_name]
This command is disabled by default.
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
---|---|---|---|---|---
Class configuration | • | • | • | • | —
The inspect ipsec-pass-thru command enables or disables application inspection. IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and/or AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.
Use the IPSec Pass Through parameter map to identify a specific map to use for defining the parameters for the inspection. Use the policy-map type inspect command to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout in parameters configuration.
Use class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces. The parameter map defined is enabled when used with the inspect IPSec-pass-thru command.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
Note In ASA 7.0, the inspect ipsec-pass-thru command allowed only ESP traffic to pass through. To retain the same behavior in later versions, a default map that permits ESP is created and attached if the inspect ipsec-pass-thru command is specified without any arguments. This map can be seen in the output of the show running-config all command.
The following example shows how to use access lists to identify IKE traffic, define an IPSec Pass Thru parameter map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
hostname(config)# policy-map inspection_policy
hostname(config-pmap)# class ipsecpassthru-traffic
hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
hostname(config)# service-policy inspection_policy interface outside
11-23-2010 08:52 AM
Thanks!!
11-23-2010 08:55 AM
Hey..
Thank you for rating...
Cheers.
Mike