ASA VLANS through VPN

ztiram
Level 1

Hello everyone,

I am encountering an issue with my ASA 5515X running ASA Version 9.1(2) where traffic from devices in VLAN 99 cannot communicate with an external network (specifically 10.0.0.0/8).

Here is an overview of my network configuration:

ASA Configuration:
Interfaces and VLANs:

interface Port-channel1.99
vlan 99
nameif vlan99
security-level 0
ip address 172.16.99.1 255.255.255.0


Access Lists:
access-list vlan99_access_in extended permit ip any any
access-list acl-amzn extended permit ip any4 any4
access-list amzn-filter extended permit ip any4 any4

Crypto Map:
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map interface outside

Routes:
route outside 0.0.0.0 0.0.0.0 PUBLIC_DCIPADDR 1
Problem Description:
I have servers on VLAN 99 behind an ESX host tagged on VLAN 99, with IP addresses such as 172.16.99.21 and 172.16.99.50. These servers need to communicate with an external server at 10.24.10.254. Despite having configured the access lists to permit all traffic, I am seeing deny logs for ICMP and UDP traffic from these VLAN 99 addresses to the external server.

Log Entries:
Here are some relevant log entries:

 Deny inbound icmp src vlan99:172.16.99.50 dst outside:10.24.10.254 (type 8, code 0)
 Deny inbound UDP from 172.16.99.110/59385 to 10.24.10.254/53 due to DNS Query

Configuration Details:
ACL vlan99_access_in is applied to the vlan99 interface and allows all IP traffic:

access-list vlan99_access_in extended permit ip any any
ACL acl-amzn used for VPN matches all traffic:

access-list acl-amzn extended permit ip any4 any4
Group Policy VPN Filter uses the ACL amzn-filter which also allows all traffic:

access-list amzn-filter extended permit ip any4 any4


Actions taken:
Verified that vlan99_access_in allows all IP traffic.
Ensured that acl-amzn and amzn-filter permit all traffic.
Checked that the crypto map is correctly applied to the outside interface.
Temporarily disabled protocol inspections in the global policy to rule out inspection issues.


Current Configuration:

access-list vlan99_access_in extended permit ip any any
access-group vlan99_access_in in interface vlan99

access-list acl-amzn extended permit ip any4 any4
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map interface outside

access-list amzn-filter extended permit ip any4 any4

policy-map global_policy
class inspection_default
no inspect icmp
no inspect udp
Despite these configurations, the traffic is still being blocked. I suspect there might be an issue with the VPN configuration or some other aspect that I'm missing.

Request for Help:
I would appreciate any guidance or suggestions on what might be causing these blocks and how to resolve them. Specifically, how can I ensure that traffic from VLAN 99 (172.16.99.0/24) can reach the external network (10.0.0.0/8)?

Thank you in advance for your assistance!

I attached the configurations from my switches and firewall and anonymised them.

Actually, I have 2 other Dell switches linked to my Cisco switches, with ESXi hosts linked to them on VLAN 2 (the inside subinterface), and they are communicating fine over the S2S tunnel.

3 Replies

Crypto map ACL with permit ip any any?

That, I think, will not work.

You need to specify the prefix to allow, and then you can use permit ip any any as the VPN filter.

MHM

What is the prefix you want to protect via IPsec?
What is the IP you want to permit or deny via the VPN filter?

MHM
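The point in the reply above is that the crypto map's match-address ACL defines which traffic gets encrypted and therefore needs concrete prefixes, while the vpn-filter ACL can stay permit ip any any. The script below is an added example, not code from the original thread or from Cisco: it parses the subset of ASA syntax seen in this thread (extended ACEs and crypto map match-address lines) and reports permit entries in crypto ACLs whose source or destination is any. The two embedded configs (BROKEN_CONFIG, FIXED_CONFIG) are constructed samples modelled on the configurations posted here; object and object-group references are treated as specific prefixes and are not resolved.

```python
"""Lint Cisco ASA crypto-map ACLs for catch-all (any/any) entries.

Added example for this thread, not code from the original post or from
Cisco. It handles only the ASA syntax that appears in the thread and does
not resolve `object` / `object-group` references, so an object defined as
`subnet 0.0.0.0 0.0.0.0` would not be flagged.
"""
import re
from collections import defaultdict

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)
CRYPTO_MATCH_RE = re.compile(
    r"^crypto map\s+(?P<map>\S+)\s+(?P<seq>\d+)\s+match address\s+(?P<acl>\S+)$"
)
ANY_KEYWORDS = {"any", "any4", "any6"}


def _take_endpoint(tokens):
    """Consume one ASA address spec; return (text, is_any, remaining tokens)."""
    head = tokens[0]
    if head in ANY_KEYWORDS:
        return head, True, tokens[1:]
    if head in ("host", "object", "object-group"):
        return f"{head} {tokens[1]}", False, tokens[2:]
    # plain "address mask"; a 0.0.0.0 mask matches every address
    return f"{head} {tokens[1]}", tokens[1] == "0.0.0.0", tokens[2:]


def parse_acls(config):
    """Map ACL name -> list of ACEs with source/destination and any-ness flags."""
    acls = defaultdict(list)
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        src, src_any, tokens = _take_endpoint(tokens)
        dst, dst_any, _ports = _take_endpoint(tokens)  # trailing "eq 53" etc. ignored
        acls[m["name"]].append({
            "action": m["action"], "proto": m["proto"],
            "src": src, "dst": dst, "src_any": src_any, "dst_any": dst_any,
        })
    return acls


def crypto_map_acls(config):
    """Map (crypto map name, sequence) -> name of its match-address ACL."""
    found = {}
    for raw in config.splitlines():
        m = CRYPTO_MATCH_RE.match(raw.strip())
        if m:
            found[(m["map"], int(m["seq"]))] = m["acl"]
    return found


def find_loose_crypto_aces(config):
    """Return permit ACEs in crypto ACLs whose source or destination is 'any'.

    Each finding is (map, seq, acl, ace_text, catch_all); catch_all is True
    when both sides are 'any', the case the reply above warns about.
    """
    acls = parse_acls(config)
    findings = []
    for (cmap, seq), acl_name in sorted(crypto_map_acls(config).items()):
        for ace in acls.get(acl_name, []):
            if ace["action"] != "permit":
                continue
            if ace["src_any"] or ace["dst_any"]:
                text = f"{ace['proto']} {ace['src']} {ace['dst']}"
                findings.append((cmap, seq, acl_name, text, ace["src_any"] and ace["dst_any"]))
    return findings


# Constructed samples modelled on the thread: the original any/any crypto ACL,
# and an object-based crypto ACL with the vpn-filter left as any/any.
BROKEN_CONFIG = """\
access-list acl-amzn extended permit ip any4 any4
access-list amzn-filter extended permit ip any4 any4
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map interface outside
"""

FIXED_CONFIG = """\
object network net-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network net-172.16.99.0
 subnet 172.16.99.0 255.255.255.0
access-list acl-amzn-vpn extended permit ip object net-172.16.99.0 object net-10.0.0.0
access-list amzn-filter extended permit ip any4 any4
crypto map amzn_vpn_map 1 match address acl-amzn-vpn
crypto map amzn_vpn_map interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_loose_crypto_aces(cfg)
        print(f"{label}: {len(hits)} loose crypto ACE(s)")
        for cmap, seq, acl, text, catch_all in hits:
            print(f"  {cmap} {seq} -> {acl}: {text}" + ("  [any/any]" if catch_all else ""))
```

Run it against a `show running-config` dump to list every crypto map entry whose interesting-traffic ACL uses any on either side; the amzn-filter ACL is deliberately not reported, because it is not referenced by a crypto map and an any/any vpn-filter is the normal way to leave filtering to the interface ACLs.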

Hello,

make the changes marked with "-->" below:

ASA Version 9.1(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface Port-channel1.2
vlan 2
nameif inside
security-level 100
ip address 172.16.4.1 255.255.254.0
!
interface Port-channel1.10
vlan 10
nameif vlan10
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Port-channel1.20
vlan 20
nameif vlan20
security-level 50
ip address 172.16.20.1 255.255.254.0
!
interface Port-channel1.99
vlan 99
nameif vlan99
security-level 0
ip address 172.16.99.1 255.255.255.0
!
interface Port-channel1.150
vlan 150
nameif vmotion
security-level 50
ip address 172.16.150.1 255.255.255.0
!
interface Port-channel2
nameif outside
security-level 0
ip address Public_IPADDR 255.255.255.224
!
ftp mode passive


--> object network net-10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network OriginalServer
host 10.0.0.133
object network RedirectedServer
host 10.0.0.101
object network net-172.16.20.0
subnet 172.16.20.0 255.255.254.0
object network net-172.16.10.0
subnet 172.16.10.0 255.255.255.0
object network net-172.16.99.0
subnet 172.16.99.0 255.255.255.0
object network net-172.16.150.0
subnet 172.16.150.0 255.255.255.0
access-list outside_access_in extended permit ip host Public_IPADDR host Public_IPADDR
access-list outside_access_in extended permit ip host Public_IPADDR host Public_IPADDR
access-list outside_access_in extended permit tcp any object OriginalServer eq 3128
--> access-list acl-amzn-vpn extended permit ip object net-172.16.99.0 object net-10.0.0.0

access-list acl-amzn extended permit ip any4 10.0.0.0 255.0.0.0
access-list acl-amzn extended permit ip any4 any4
access-list acl-amzn extended permit ip 172.16.4.0 255.255.254.0 any
access-list acl-amzn extended permit ip 172.16.20.0 255.255.254.0 any
access-list acl-amzn extended permit ip 172.16.10.0 255.255.255.0 any
access-list acl-amzn extended permit ip 172.16.99.0 255.255.255.0 any
access-list acl-amzn extended permit ip 172.16.150.0 255.255.255.0 any
access-list acl-amzn extended permit icmp 172.16.99.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl-amzn extended permit ip any any
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.254.0
access-list amzn-filter extended permit ip any4 any4
access-list amzn-filter extended permit icmp any4 any4
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.99.0 255.255.255.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.20.0 255.255.254.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.150.0 255.255.255.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp host 172.16.4.49 host 172.16.4.1 eq snmp
access-list inside_access_in extended permit ip host 172.16.5.102 host 172.16.99.50
access-list inside_access_in extended permit ip host 172.16.5.102 host 172.16.4.1
access-list inside_access_in extended permit icmp host 172.16.99.50 host 10.24.10.254 echo
access-list vlan10_access_in extended permit ip any any
access-list vlan20_access_in extended permit ip any any
access-list vlan99_access_in extended permit ip any any
access-list vlan99_access_in extended permit icmp host 172.16.99.50 host 10.24.10.254 echo
access-list vmotion_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan99 1500
mtu vmotion 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network RedirectedServer
nat (outside,inside) static OriginalServer service tcp 3128 3128
access-group inside_access_in in interface inside
access-group inside_access_in in interface vlan10
access-group inside_access_in in interface vlan20
access-group vlan99_access_in in interface vlan99
access-group vmotion_access_in in interface vmotion
route outside 0.0.0.0 0.0.0.0 Public_IPADDR 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
snmp-server host inside 172.16.4.49 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.0.0.59 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
--> crypto map amzn_vpn_map 1 match address acl-amzn-vpn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer Public_IPADDR Public_IPADDR
crypto map amzn_vpn_map 1 set
