02-07-2014 04:47 AM - edited 03-11-2019 08:42 PM
Hello,
I am new to Cisco site-to-site VPN. I have deployed a new site-to-site VPN. I request help to understand a few concepts.
1) I need to understand the basic difference among a normal ACL, a crypto ACL and the ACL Manager.
2) If I want to pass my traffic through the VPN rather than the direct open Internet, where exactly should I make the ACL entry? Is NAT exemption mandatory?
3) If I make the same ACL entry in the normal ACL rules and also in the crypto ACL rules, which one will be preferred for sending traffic?
4) What are the available CLI commands for checking whether specified traffic is going through the VPN or the direct open Internet? Is there any way to verify the same on ASDM?
02-07-2014 05:12 AM
Hi,
I guess you are partly referring to the terms used in the ASDM Configuration section.
I don't personally use ASDM all that much, as I do most configurations through the CLI, so I might not be familiar with all the terms used on the ASDM side.
Generally speaking, the terms you mention mean the following
With regards to your second question,
The Crypto ACL that is used in the "crypto map" configuration tells the ASA what traffic needs to be forwarded through a VPN connection. You define a source network/host and a destination network/host (or multiple of both), which tells the ASA what traffic to forward.
The NAT configuration is not that clear. Most of the time you will configure NAT0, as you might be connecting 2 offices together through the Internet with the help of an L2L VPN. Then it's natural to configure NAT0 so that your 2 LAN networks can directly communicate using their local IP addresses. In some cases you might, on the other hand, want to use a public IP address even through the L2L VPN connection. In this case you naturally would not configure NAT0 (unless you actually had a public IP address/subnet in your LAN network), but you would rather define that public IP address as the source in the Crypto ACL.
With regards to your third question,
These 2 different ACLs (if we are talking about interface ACLs and Crypto ACLs) don't really "compete" with each other. When traffic attempts to pass through the ASA, the interface ACL is checked first. Then the NAT is applied (depending on whether it is configured or not), and after this the traffic is matched against the Crypto ACL.
So let's say you configured an L2L VPN and your aim was to have the LAN networks at both ends connect to each other with their original IP addresses; then you would need a NAT0 configuration to avoid NAT happening. You would also configure the actual local and remote network in the Crypto ACL. Now let's say you forgot to configure NAT0; then your traffic would probably match the Dynamic PAT for Internet traffic. And naturally, when this NAT is applied, the source address doesn't match the one in the Crypto ACL anymore, so the traffic is NOT passed on to the L2L VPN but rather forwarded to the Internet.
With regards to your fourth question,
There are several things that we can check. Naturally, you can check the L2L VPN configurations.
You first check the Crypto Map configuration with
show run crypto map
Find the section for the correct L2L VPN connection on the basis of the peer IP address for example. (The lines related to one L2L VPN connection always have the same
Find the CLI configuration line that looks like the following
crypto map
Then you can check what the ACL has configured with the command
show run access-list
This will tell you what traffic is supposed to be passed through the L2L VPN connection.
To confirm what would happen to a certain packet that is coming from the LAN through ASA towards some remote address you can use the "packet-tracer" command. This will show a VPN Phase if it matches some VPN configuration.
Example commands could be
packet-tracer input inside tcp
packet-tracer input inside udp
packet-tracer input inside icmp
The above are example commands for a TCP, UDP or ICMP test. The source interface in this case is "inside", where the connecting host would be located. In your ASA the interface might have a different name.
The Packet Tracer is also available through the ASDM in its top menus.
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
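The order of operations described in the answer above (interface ACL, then NAT, then Crypto ACL) and the "forgot NAT0" failure mode can be made concrete with a small simulation. The following Python is an added example written for this page, not ASA code and not from the original thread; the topology (inside LAN 192.168.1.0/24, remote LAN 10.10.10.0/24, PAT address 203.0.113.1), the ACL names and the ASA config lines in the comments are all constructed for the illustration. It also covers the case from the answer where the public PAT address is used as the Crypto ACL source instead of NAT0.

```python
"""Simplified model of the ASA path for an outbound packet:
interface ACL -> NAT -> Crypto ACL.  Added example for this page; it
models the behaviour the answer describes, it is not ASA software.
All addresses and names below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed topology (assumption):
#   inside LAN  192.168.1.0/24   (behind this ASA)
#   remote LAN  10.10.10.0/24    (behind the L2L peer)
#   dynamic PAT for Internet traffic to the outside address 203.0.113.1
INSIDE_LAN = ip_network("192.168.1.0/24")
REMOTE_LAN = ip_network("10.10.10.0/24")
OUTSIDE_IP = ip_address("203.0.113.1")

# ASA 8.3+ configuration this model stands in for (constructed):
#   object network INSIDE_LAN
#    subnet 192.168.1.0 255.255.255.0
#    nat (inside,outside) dynamic interface            <- dynamic PAT
#   nat (inside,outside) source static INSIDE_LAN INSIDE_LAN \
#       destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup   <- NAT0
#   access-list VPN_ACL extended permit ip 192.168.1.0 255.255.255.0 \
#       10.10.10.0 255.255.255.0                        <- Crypto ACL
#   crypto map OUTSIDE_MAP 10 match address VPN_ACL


def interface_acl(src, dst):
    """Inside interface ACL.  Constructed rule: permit anything sourced
    from the LAN, drop everything else."""
    return src in INSIDE_LAN


def nat(src, dst, nat0):
    """NAT stage.  With the NAT exemption (identity NAT) entry present,
    LAN-to-remote-LAN traffic keeps its real source address; any other
    traffic, or all traffic when NAT0 is missing, hits the dynamic PAT
    and leaves with the outside interface address as source."""
    if nat0 and src in INSIDE_LAN and dst in REMOTE_LAN:
        return src
    return OUTSIDE_IP


def crypto_acl_match(src, dst, crypto_acl):
    """Crypto ACL: list of (src_net, dst_net) permit entries, evaluated
    against the packet as it looks after NAT."""
    return any(src in s and dst in d for s, d in crypto_acl)


def forward(src, dst, nat0, crypto_acl):
    """Return 'DROP', 'VPN' or 'INTERNET' for a packet from src to dst."""
    src, dst = ip_address(src), ip_address(dst)
    if not interface_acl(src, dst):
        return "DROP"
    src = nat(src, dst, nat0)
    if crypto_acl_match(src, dst, crypto_acl):
        return "VPN"
    return "INTERNET"


# Crypto ACL for the usual case: both LANs talk with their real addresses.
LAN_TO_LAN = [(INSIDE_LAN, REMOTE_LAN)]
# Crypto ACL for the case where the public PAT address is sent through the
# tunnel instead of configuring NAT0 (the "public IP as source" variant).
PUBLIC_TO_LAN = [(ip_network("203.0.113.1/32"), REMOTE_LAN)]

if __name__ == "__main__":
    pkt = ("192.168.1.10", "10.10.10.20")
    print(forward(*pkt, nat0=True, crypto_acl=LAN_TO_LAN))      # VPN
    print(forward(*pkt, nat0=False, crypto_acl=LAN_TO_LAN))     # INTERNET
    print(forward(*pkt, nat0=False, crypto_acl=PUBLIC_TO_LAN))  # VPN
    print(forward("192.168.1.10", "8.8.8.8", nat0=True,
                  crypto_acl=LAN_TO_LAN))                       # INTERNET
```

The second call is the trap from the answer: the Crypto ACL is correct, but because NAT0 is missing the dynamic PAT rewrites the source to 203.0.113.1 before the Crypto ACL is consulted, so nothing matches and the packet goes out in the clear. The third call shows that the same PAT is harmless when the Crypto ACL is written for the post-NAT address. On a real ASA the authoritative check is still packet-tracer, whose NAT and VPN phases show exactly these two decisions.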