02-03-2021 02:17 PM
Hi there,
I manage an ASA 5545-X (9.2 something).
There are a few VPN tunnels configured, and they work fine. But when I try to put lines in the WAN_in ACL to only allow certain peers to set up a tunnel, it doesn't seem to work; anyone can try to establish a VPN tunnel.
What am I overlooking?
02-04-2021 08:11 AM
As long as you recognize that they are superfluous and are doing it as a double check that is fine. As long as you are configuring specific peer addresses for vpn then even if someone did learn the local and remote key they would not be able to set up a vpn from a different source address.
02-03-2021 02:42 PM
Hello,
post the running configuration of the ASA. What VPN tunnels (site-to-site VPNs/remote access VPNs)?
02-03-2021 02:52 PM
Do you need the WHOLE thing, because there are some IP ranges from customers and such, or do you need specific parts?
02-03-2021 02:56 PM
Site-to-site VPNs (7 in total)
No Remote Access
No AnyConnect
02-03-2021 02:58 PM
Result of the command: "sh access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list WAN_access_in_1; 91 elements; name hash: 0x1f4e93bb
access-list WAN_access_in_1 line 1 extended deny ip object-group BLACKLIST-WANv4 any4 (hitcnt=329) 0xe07b7f5e
access-list WAN_access_in_1 line 1 extended deny ip host 62.210.250.158 any4 (hitcnt=0) 0x5cb47a35
access-list WAN_access_in_1 line 1 extended deny ip host 188.138.102.34 any4 (hitcnt=0) 0xbd20730f
access-list WAN_access_in_1 line 1 extended deny ip host 197.45.26.3 any4 (hitcnt=0) 0x5d9f7f0a
access-list WAN_access_in_1 line 1 extended deny ip host 197.44.86.226 any4 (hitcnt=0) 0xded33813
access-list WAN_access_in_1 line 1 extended deny ip host 222.186.21.0 any4 (hitcnt=0) 0xfc030cce
access-list WAN_access_in_1 line 1 extended deny ip host 222.186.160.0 any4 (hitcnt=0) 0xac9fab14
access-list WAN_access_in_1 line 1 extended deny ip host 58.218.204.0 any4 (hitcnt=0) 0xa58ff1ea
access-list WAN_access_in_1 line 1 extended deny ip host 46.17.97.7 any4 (hitcnt=0) 0x829b6051
access-list WAN_access_in_1 line 1 extended deny ip host 46.17.97.5 any4 (hitcnt=0) 0xe45b8d62
access-list WAN_access_in_1 line 1 extended deny ip host 5.39.218.66 any4 (hitcnt=0) 0x052a45f8
access-list WAN_access_in_1 line 1 extended deny ip host 195.134.171.102 any4 (hitcnt=0) 0x32e6730e
access-list WAN_access_in_1 line 1 extended deny ip 216.218.206.0 255.255.255.0 any4 (hitcnt=329) 0x4f6df64c
access-list WAN_access_in_1 line 2 extended deny icmp object-group BLACKLIST-WANv4 any4 (hitcnt=0) 0x3e7b623e
access-list WAN_access_in_1 line 2 extended deny icmp host 62.210.250.158 any4 (hitcnt=0) 0x6288bc2a
access-list WAN_access_in_1 line 2 extended deny icmp host 188.138.102.34 any4 (hitcnt=0) 0x897d84e0
access-list WAN_access_in_1 line 2 extended deny icmp host 197.45.26.3 any4 (hitcnt=0) 0xe7465c95
access-list WAN_access_in_1 line 2 extended deny icmp host 197.44.86.226 any4 (hitcnt=0) 0x8328f6d3
access-list WAN_access_in_1 line 2 extended deny icmp host 222.186.21.0 any4 (hitcnt=0) 0x608d7370
access-list WAN_access_in_1 line 2 extended deny icmp host 222.186.160.0 any4 (hitcnt=0) 0x0361b67e
access-list WAN_access_in_1 line 2 extended deny icmp host 58.218.204.0 any4 (hitcnt=0) 0x930ac3f8
access-list WAN_access_in_1 line 2 extended deny icmp host 46.17.97.7 any4 (hitcnt=0) 0xb786b460
access-list WAN_access_in_1 line 2 extended deny icmp host 46.17.97.5 any4 (hitcnt=0) 0xebe83b25
access-list WAN_access_in_1 line 2 extended deny icmp host 5.39.218.66 any4 (hitcnt=0) 0x3169c5ac
access-list WAN_access_in_1 line 2 extended deny icmp host 195.134.171.102 any4 (hitcnt=0) 0x951c654c
access-list WAN_access_in_1 line 2 extended deny icmp 216.218.206.0 255.255.255.0 any4 (hitcnt=0) 0xb9846a0c
access-list WAN_access_in_1 line 3 extended deny esp object-group BLACKLIST-WANv4 any4 (hitcnt=0) 0x5f460e47
access-list WAN_access_in_1 line 3 extended deny esp host 62.210.250.158 any4 (hitcnt=0) 0xdf7276ae
access-list WAN_access_in_1 line 3 extended deny esp host 188.138.102.34 any4 (hitcnt=0) 0xfc5200aa
access-list WAN_access_in_1 line 3 extended deny esp host 197.45.26.3 any4 (hitcnt=0) 0x59929f9b
access-list WAN_access_in_1 line 3 extended deny esp host 197.44.86.226 any4 (hitcnt=0) 0x23dc7814
access-list WAN_access_in_1 line 3 extended deny esp host 222.186.21.0 any4 (hitcnt=0) 0x640e363f
access-list WAN_access_in_1 line 3 extended deny esp host 222.186.160.0 any4 (hitcnt=0) 0x97f0b08e
access-list WAN_access_in_1 line 3 extended deny esp host 58.218.204.0 any4 (hitcnt=0) 0x604074a4
access-list WAN_access_in_1 line 3 extended deny esp host 46.17.97.7 any4 (hitcnt=0) 0x9b058850
access-list WAN_access_in_1 line 3 extended deny esp host 46.17.97.5 any4 (hitcnt=0) 0xa126ea5d
access-list WAN_access_in_1 line 3 extended deny esp host 5.39.218.66 any4 (hitcnt=0) 0x1cc59952
access-list WAN_access_in_1 line 3 extended deny esp host 195.134.171.102 any4 (hitcnt=0) 0xbf0e72f5
access-list WAN_access_in_1 line 3 extended deny esp 216.218.206.0 255.255.255.0 any4 (hitcnt=0) 0x58a877d3
access-list WAN_access_in_1 line 4 extended deny udp object-group BLACKLIST-WANv4 any4 eq isakmp (hitcnt=0) 0xd37a56c2
access-list WAN_access_in_1 line 4 extended deny udp host 62.210.250.158 any4 eq isakmp (hitcnt=0) 0xf1d65c76
access-list WAN_access_in_1 line 4 extended deny udp host 188.138.102.34 any4 eq isakmp (hitcnt=0) 0x335316b9
access-list WAN_access_in_1 line 4 extended deny udp host 197.45.26.3 any4 eq isakmp (hitcnt=0) 0xffa3dac3
access-list WAN_access_in_1 line 4 extended deny udp host 197.44.86.226 any4 eq isakmp (hitcnt=0) 0xc10545c0
access-list WAN_access_in_1 line 4 extended deny udp host 222.186.21.0 any4 eq isakmp (hitcnt=0) 0xba465298
access-list WAN_access_in_1 line 4 extended deny udp host 222.186.160.0 any4 eq isakmp (hitcnt=0) 0xbf86b1b8
access-list WAN_access_in_1 line 4 extended deny udp host 58.218.204.0 any4 eq isakmp (hitcnt=0) 0x5f3e1a53
access-list WAN_access_in_1 line 4 extended deny udp host 46.17.97.7 any4 eq isakmp (hitcnt=0) 0xc2b44a14
access-list WAN_access_in_1 line 4 extended deny udp host 46.17.97.5 any4 eq isakmp (hitcnt=0) 0xfe519d1a
access-list WAN_access_in_1 line 4 extended deny udp host 5.39.218.66 any4 eq isakmp (hitcnt=0) 0x67d451d1
access-list WAN_access_in_1 line 4 extended deny udp host 195.134.171.102 any4 eq isakmp (hitcnt=0) 0x94483093
access-list WAN_access_in_1 line 4 extended deny udp 216.218.206.0 255.255.255.0 any4 eq isakmp (hitcnt=0) 0x0818897d
access-list WAN_access_in_1 line 5 extended permit icmp any4 any4 echo-reply (hitcnt=192888) 0xa773ba2c
access-list WAN_access_in_1 line 6 extended permit icmp any4 any4 echo (hitcnt=564430) 0x03972f34
access-list WAN_access_in_1 line 7 extended permit icmp any4 any4 unreachable (hitcnt=341817) 0x0e1ffd0a
access-list WAN_access_in_1 line 8 extended permit icmp any4 any4 source-quench (hitcnt=0) 0x10100210
access-list WAN_access_in_1 line 9 extended permit icmp any4 any4 time-exceeded (hitcnt=14769877) 0x84153fd9
access-list WAN_access_in_1 line 10 extended deny icmp any4 any4 (hitcnt=0) 0x8cb8bb0c
access-list WAN_access_in_1 line 11 extended permit esp object-group DC-VPN-PEERS any4 (hitcnt=0) 0xacb78a56
access-list WAN_access_in_1 line 11 extended permit esp host 217.100.50.82 any4 (hitcnt=0) 0x3cc49c4d
access-list WAN_access_in_1 line 11 extended permit esp host 213.124.7.58 any4 (hitcnt=0) 0xa1fe051f
access-list WAN_access_in_1 line 11 extended permit esp host 213.125.123.98 any4 (hitcnt=0) 0xc5942f82
access-list WAN_access_in_1 line 11 extended permit esp host 213.125.123.114 any4 (hitcnt=0) 0x85df77b5
access-list WAN_access_in_1 line 11 extended permit esp host 92.65.106.71 any4 (hitcnt=0) 0x698b12e9
access-list WAN_access_in_1 line 11 extended permit esp host 188.201.146.120 any4 (hitcnt=0) 0x4c1f2fcd
access-list WAN_access_in_1 line 11 extended permit esp host 213.125.45.130 any4 (hitcnt=0) 0x4c36f58b
access-list WAN_access_in_1 line 11 extended permit esp host 188.204.153.186 any4 (hitcnt=0) 0x58e8867d
access-list WAN_access_in_1 line 11 extended permit esp host 213.144.242.183 any4 (hitcnt=0) 0x587f95be
access-list WAN_access_in_1 line 12 extended permit udp object-group DC-VPN-PEERS any4 object-group DC-VPN-UDP (hitcnt=0) 0xded87cca
access-list WAN_access_in_1 line 12 extended permit udp host 217.100.50.82 any4 eq 4500 (hitcnt=0) 0x092d5865
access-list WAN_access_in_1 line 12 extended permit udp host 217.100.50.82 any4 eq isakmp (hitcnt=0) 0x6b258aca
access-list WAN_access_in_1 line 12 extended permit udp host 213.124.7.58 any4 eq 4500 (hitcnt=0) 0xd05cc3ca
access-list WAN_access_in_1 line 12 extended permit udp host 213.124.7.58 any4 eq isakmp (hitcnt=0) 0xee804593
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.123.98 any4 eq 4500 (hitcnt=0) 0x92a3c978
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.123.98 any4 eq isakmp (hitcnt=0) 0x3855a0dd
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.123.114 any4 eq 4500 (hitcnt=0) 0xc9ae419a
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.123.114 any4 eq isakmp (hitcnt=0) 0x66dbfdf6
access-list WAN_access_in_1 line 12 extended permit udp host 92.65.106.71 any4 eq 4500 (hitcnt=0) 0x27dd45a9
access-list WAN_access_in_1 line 12 extended permit udp host 92.65.106.71 any4 eq isakmp (hitcnt=0) 0x7fcf61e2
access-list WAN_access_in_1 line 12 extended permit udp host 188.201.146.120 any4 eq 4500 (hitcnt=0) 0x09f301cc
access-list WAN_access_in_1 line 12 extended permit udp host 188.201.146.120 any4 eq isakmp (hitcnt=0) 0x5ab08d32
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.45.130 any4 eq 4500 (hitcnt=0) 0xffbcb784
access-list WAN_access_in_1 line 12 extended permit udp host 213.125.45.130 any4 eq isakmp (hitcnt=0) 0xf0d0f3ae
access-list WAN_access_in_1 line 12 extended permit udp host 188.204.153.186 any4 eq 4500 (hitcnt=0) 0xae6c0420
access-list WAN_access_in_1 line 12 extended permit udp host 188.204.153.186 any4 eq isakmp (hitcnt=0) 0x28ba7f09
access-list WAN_access_in_1 line 12 extended permit udp host 213.144.242.183 any4 eq 4500 (hitcnt=0) 0xab57c75a
access-list WAN_access_in_1 line 12 extended permit udp host 213.144.242.183 any4 eq isakmp (hitcnt=0) 0x1311ab67
access-list WAN_access_in_1 line 13 extended permit tcp any4 object A22000NT0121_LANv4-PAT-HTTPS eq https (hitcnt=25177) 0xbd9b1755
access-list WAN_access_in_1 line 13 extended permit tcp any4 host 10.72.41.21 eq https (hitcnt=25177) 0xbd9b1755
access-list WAN_access_in_1 line 14 extended deny object-group TCPUDP any4 object A22000NT0121_LANv4-PAT-HTTPS (hitcnt=1707144) 0xbeaa1fd0
access-list WAN_access_in_1 line 14 extended deny udp any4 host 10.72.41.21 (hitcnt=1707144) 0xc65deeda
access-list WAN_access_in_1 line 14 extended deny tcp any4 host 10.72.41.21 (hitcnt=688776) 0x731ce69d
access-list WAN_access_in_1 line 15 extended permit tcp any4 object A24626NT0221_LANv4 eq https (hitcnt=288791) 0x295bb402
access-list WAN_access_in_1 line 15 extended permit tcp any4 host 10.201.11.221 eq https (hitcnt=288791) 0x295bb402
access-list WAN_access_in_1 line 16 extended permit udp any4 object A24626NT0221_LANv4 eq 3391 (hitcnt=41571) 0x4c555cf5
access-list WAN_access_in_1 line 16 extended permit udp any4 host 10.201.11.221 eq 3391 (hitcnt=41571) 0x4c555cf5
access-list WAN_access_in_1 line 17 extended permit tcp any4 object A24626RDG eq https (hitcnt=0) 0x5238037b
access-list WAN_access_in_1 line 17 extended permit tcp any4 host 10.201.11.242 eq https (hitcnt=0) 0x5238037b
access-list WAN_access_in_1 line 18 extended permit udp any4 object A24626RDG eq 3391 (hitcnt=0) 0x710d1879
access-list WAN_access_in_1 line 18 extended permit udp any4 host 10.201.11.242 eq 3391 (hitcnt=0) 0x710d1879
access-list WAN_access_in_1 line 19 extended permit tcp any4 any4 (hitcnt=4668229) 0xe4ba155f
access-list WAN_access_in_1 line 20 extended permit udp any4 any4 (hitcnt=2247392) 0x2da571ca
access-list WAN_access_in_1 line 21 extended deny ip any4 any4 (hitcnt=1) 0x70b0794e
access-list WAN_cryptomap; 24 elements; name hash: 0xe660a31e
access-list WAN_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 (hitcnt=217334) 0x1fdadd76
access-list WAN_cryptomap line 1 extended permit ip 10.12.12.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xb6beff78
access-list WAN_cryptomap line 1 extended permit ip 10.12.12.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=1399) 0xaf461c8a
access-list WAN_cryptomap line 1 extended permit ip 10.72.41.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x641b1fba
access-list WAN_cryptomap line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=225931) 0x8f97ff94
access-list WAN_cryptomap line 1 extended permit ip 10.201.11.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x92b734fc
access-list WAN_cryptomap line 1 extended permit ip 10.201.11.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=1375) 0x54271c41
access-list WAN_cryptomap line 1 extended permit ip 10.72.65.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x2ffc05f8
access-list WAN_cryptomap line 1 extended permit ip 10.72.65.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=14846) 0xcf334a48
access-list WAN_cryptomap line 1 extended permit ip 172.31.255.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x205a31bc
access-list WAN_cryptomap line 1 extended permit ip 172.31.255.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=8) 0xf32f41fc
access-list WAN_cryptomap line 1 extended permit ip 10.72.38.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xbb1a8dbc
access-list WAN_cryptomap line 1 extended permit ip 10.72.38.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=0) 0x85d89e4c
access-list WAN_cryptomap line 1 extended permit ip 10.72.20.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xa2a87760
access-list WAN_cryptomap line 1 extended permit ip 10.72.20.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=4664) 0x2342f09b
access-list WAN_cryptomap line 1 extended permit ip 10.72.80.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xf8e91610
access-list WAN_cryptomap line 1 extended permit ip 10.72.80.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=210) 0x4c9e3fd9
access-list WAN_cryptomap line 1 extended permit ip 10.72.100.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xd523fad2
access-list WAN_cryptomap line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=1706) 0x65657a35
access-list WAN_cryptomap line 1 extended permit ip 192.168.0.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0xd6fb760f
access-list WAN_cryptomap line 1 extended permit ip 192.168.0.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=84) 0x84a3e65a
access-list WAN_cryptomap line 1 extended permit ip 10.0.0.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x68ca7e4d
access-list WAN_cryptomap line 1 extended permit ip 10.0.0.0 255.255.255.0 10.72.39.0 255.255.255.0 (hitcnt=5679) 0x0d491309
access-list WAN_cryptomap line 1 extended permit ip 172.31.161.248 255.255.255.248 10.11.11.0 255.255.255.0 (hitcnt=0) 0x8e68ee15
access-list WAN_cryptomap line 1 extended permit ip 172.31.161.248 255.255.255.248 10.72.39.0 255.255.255.0 (hitcnt=0) 0x36fea601
access-list WAN_access_in; 16 elements; name hash: 0x487df3ba
access-list WAN_access_in line 1 extended deny ip object-group BLACKLIST-WANv4 any4 (hitcnt=0) 0x7257f839
access-list WAN_access_in line 1 extended deny ip host 62.210.250.158 any4 (hitcnt=0) 0x333a42b0
access-list WAN_access_in line 1 extended deny ip host 188.138.102.34 any4 (hitcnt=0) 0xba823ba1
access-list WAN_access_in line 1 extended deny ip host 197.45.26.3 any4 (hitcnt=0) 0xe1e18aad
access-list WAN_access_in line 1 extended deny ip host 197.44.86.226 any4 (hitcnt=0) 0xd972cce3
access-list WAN_access_in line 1 extended deny ip host 222.186.21.0 any4 (hitcnt=0) 0xdac7edee
access-list WAN_access_in line 1 extended deny ip host 222.186.160.0 any4 (hitcnt=0) 0x68e900c1
access-list WAN_access_in line 1 extended deny ip host 58.218.204.0 any4 (hitcnt=0) 0xf8a8ec69
access-list WAN_access_in line 1 extended deny ip host 46.17.97.7 any4 (hitcnt=0) 0x89ecddf1
access-list WAN_access_in line 1 extended deny ip host 46.17.97.5 any4 (hitcnt=0) 0xc0e3afbf
access-list WAN_access_in line 1 extended deny ip host 5.39.218.66 any4 (hitcnt=0) 0x0c773ea8
access-list WAN_access_in line 1 extended deny ip host 195.134.171.102 any4 (hitcnt=0) 0x555c7eb4
access-list WAN_access_in line 1 extended deny ip 216.218.206.0 255.255.255.0 any4 (hitcnt=0) 0x487810ef
access-list WAN_access_in line 2 extended permit ip any4 object-group DM_INLINE_NETWORK_5 (hitcnt=0) 0x1e84fb49
access-list WAN_access_in line 2 extended permit ip any4 10.12.12.0 255.255.255.0 (hitcnt=0) 0x426992af
access-list WAN_access_in line 2 extended permit ip any4 10.201.11.0 255.255.255.0 (hitcnt=0) 0xe79e286f
access-list WAN_access_in line 2 extended permit ip any4 10.72.41.0 255.255.255.0 (hitcnt=0) 0xa28aa0ee
access-list WAN_access_in line 3 extended permit ip any any (hitcnt=0) 0x00db9f04
access-list netflow-export; 1 elements; name hash: 0xb99f2324
access-list netflow-export line 1 extended permit ip any any (hitcnt=67575658) 0x1e5d5025
access-list WAN_cryptomap_9; 10 elements; name hash: 0xa4b549f2
access-list WAN_cryptomap_9 line 1 extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_19 (hitcnt=12) 0xe84c6be8
access-list WAN_cryptomap_9 line 1 extended permit ip 10.12.12.0 255.255.255.0 10.100.100.0 255.255.255.0 (hitcnt=8) 0x4fff0b4a
access-list WAN_cryptomap_9 line 1 extended permit ip 10.12.12.0 255.255.255.0 host 10.72.41.25 (hitcnt=0) 0xfd0db236
access-list WAN_cryptomap_9 line 1 extended permit ip 10.201.11.0 255.255.255.0 10.100.100.0 255.255.255.0 (hitcnt=44) 0xa48db465
access-list WAN_cryptomap_9 line 1 extended permit ip 10.201.11.0 255.255.255.0 host 10.72.41.25 (hitcnt=0) 0xa3d82a09
access-list WAN_cryptomap_9 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.100.100.0 255.255.255.0 (hitcnt=42) 0x51433a2b
access-list WAN_cryptomap_9 line 1 extended permit ip 10.72.41.0 255.255.255.0 host 10.72.41.25 (hitcnt=10) 0x3e50cadc
access-list WAN_cryptomap_9 line 1 extended permit ip 10.72.39.0 255.255.255.0 10.100.100.0 255.255.255.0 (hitcnt=0) 0x6b22343d
access-list WAN_cryptomap_9 line 1 extended permit ip 10.72.39.0 255.255.255.0 host 10.72.41.25 (hitcnt=0) 0xbe35294e
access-list WAN_cryptomap_9 line 1 extended permit ip host 10.72.41.196 10.100.100.0 255.255.255.0 (hitcnt=0) 0xf813ea7c
access-list WAN_cryptomap_9 line 1 extended permit ip host 10.72.41.196 host 10.72.41.25 (hitcnt=0) 0x48e7840b
access-list VoIPlan_access_in; 2 elements; name hash: 0xaa23fc30
access-list VoIPlan_access_in line 1 extended permit icmp any any (hitcnt=0) 0xa56a9b2b
access-list VoIPlan_access_in line 2 extended permit ip any any (hitcnt=0) 0x64445721
access-list LAN_access_in; 2 elements; name hash: 0x65d67a09
access-list LAN_access_in line 1 extended permit icmp any4 any4 (hitcnt=1789810) 0x1020a6cd
access-list LAN_access_in line 2 extended permit ip any4 any4 (hitcnt=22224293) 0x234aa19d
access-list LAN_access_in_1; 2 elements; name hash: 0xe7a18e70
access-list LAN_access_in_1 line 1 extended permit ip object DC-LAN any (hitcnt=8415230) 0x32f598bc
access-list LAN_access_in_1 line 1 extended permit ip 10.72.41.0 255.255.255.0 any (hitcnt=8415230) 0x32f598bc
access-list LAN_access_in_1 line 2 extended permit ip object HQ-LAN any (hitcnt=0) 0x02b056b7
access-list LAN_access_in_1 line 2 extended permit ip 10.72.39.0 255.255.255.0 any (hitcnt=0) 0x02b056b7
access-list WAN_cryptomap_1; 2 elements; name hash: 0x848055c3
access-list WAN_cryptomap_1 line 1 extended permit ip object-group DM_INLINE_NETWORK_11 object F365-ALPHEN-VPN-NETv4 (hitcnt=6528) 0xef21930b
access-list WAN_cryptomap_1 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.38.0 255.255.255.0 (hitcnt=6528) 0x482d688b
access-list WAN_cryptomap_1 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.38.0 255.255.255.0 (hitcnt=3955) 0x9d4b8e23
access-list eigrpACL_FR; 1 elements; name hash: 0x61de291e
access-list eigrpACL_FR line 1 standard permit host 10.72.41.1 (hitcnt=0) 0xc908ffe7
access-list EVRY-LAN_access_in; 2 elements; name hash: 0x48decb51
access-list EVRY-LAN_access_in line 1 extended permit icmp any4 any4 (hitcnt=392219) 0xa4d68976
access-list EVRY-LAN_access_in line 2 extended permit ip any4 any4 (hitcnt=8990308) 0x6e9ad245
access-list eigrpACL_FR_1; 1 elements; name hash: 0x63747416
access-list eigrpACL_FR_1 line 1 standard permit 10.72.41.0 255.255.255.0 (hitcnt=0) 0x13736575
access-list WAN_cryptomap_3; 1 elements; name hash: 0xcb7ed32b
access-list WAN_cryptomap_3 line 1 extended permit ip object DC-LAN object TuijnAarkade-LAN20v4 (hitcnt=44) 0x38e4b15c
access-list WAN_cryptomap_3 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.20.0 255.255.255.0 (hitcnt=44) 0x38e4b15c
access-list sfr_redirect; 1 elements; name hash: 0x41ab5d0f
access-list sfr_redirect line 1 extended permit ip any any (hitcnt=56698898) 0x06d5ebec
access-list ESX-LAN_access_in; 2 elements; name hash: 0x5bd52b15
access-list ESX-LAN_access_in line 1 extended permit icmp any any (hitcnt=14) 0x2db28446
access-list ESX-LAN_access_in line 2 extended permit ip any any (hitcnt=4106489) 0x6ebd0112
access-list WAN_cryptomap_4; 1 elements; name hash: 0x5874c69d
access-list WAN_cryptomap_4 line 1 extended permit ip object DC-LAN object TuijnAarkade-LAN20v4 (hitcnt=7) 0x29738ff4
access-list WAN_cryptomap_4 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.20.0 255.255.255.0 (hitcnt=7) 0x29738ff4
access-list WAN_cryptomap_5; 4 elements; name hash: 0x9dbd94ba
access-list WAN_cryptomap_5 line 1 extended permit ip object-group DM_INLINE_NETWORK_12 object TuijnAarkade-LAN20v4 (hitcnt=54257) 0xa7df62c1
access-list WAN_cryptomap_5 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.20.0 255.255.255.0 (hitcnt=5150) 0x12166a2b
access-list WAN_cryptomap_5 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.20.0 255.255.255.0 (hitcnt=40665) 0x6123957a
access-list WAN_cryptomap_5 line 1 extended permit ip 10.72.39.0 255.255.255.0 10.72.20.0 255.255.255.0 (hitcnt=7192) 0xdb75c080
access-list WAN_cryptomap_5 line 1 extended permit ip 10.72.80.0 255.255.240.0 10.72.20.0 255.255.255.0 (hitcnt=24952) 0x0509a483
access-list WAN_cryptomap_6; 4 elements; name hash: 0x9842fb74
access-list WAN_cryptomap_6 line 1 extended permit ip object-group DM_INLINE_NETWORK_13 object OSS-HHW-VPN-NETv4 (hitcnt=6826) 0x71571125
access-list WAN_cryptomap_6 line 1 extended permit ip 10.12.12.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0xd4711c68
access-list WAN_cryptomap_6 line 1 extended permit ip 10.72.41.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=1679) 0xdef2c23a
access-list WAN_cryptomap_6 line 1 extended permit ip 10.72.39.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=112) 0xe6d025c2
access-list WAN_cryptomap_6 line 1 extended permit ip 10.72.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=8298) 0x352541ac
access-list WAN_cryptomap_8; 3 elements; name hash: 0x8e8f0cfd
access-list WAN_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_14 object OSS-ZS-VPN-NETv4 (hitcnt=11811) 0xd62f10f8
access-list WAN_cryptomap_8 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=596) 0x889ff420
access-list WAN_cryptomap_8 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=12436) 0x8194c58e
access-list WAN_cryptomap_8 line 1 extended permit ip 10.72.39.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=1149) 0x9d94a561
access-list WAN_cryptomap_7; 20 elements; name hash: 0x1f415c40
access-list WAN_cryptomap_7 line 1 extended permit ip object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_NETWORK_16 (hitcnt=263) 0xb37e4d1b
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.41.0 255.255.255.0 172.31.255.0 255.255.255.0 (hitcnt=221) 0x989fca61
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.160.0 255.255.252.0 (hitcnt=570) 0xeabf4ba6
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.64.0 255.255.252.0 (hitcnt=228) 0x7797e039
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.41.0 255.255.255.0 10.72.80.0 255.255.240.0 (hitcnt=246) 0x906321ff
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.100.0 255.255.255.0 172.31.255.0 255.255.255.0 (hitcnt=8) 0xed18aa50
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.160.0 255.255.252.0 (hitcnt=230) 0x27e17f85
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.64.0 255.255.252.0 (hitcnt=1124) 0xa2442797
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.100.0 255.255.255.0 10.72.80.0 255.255.240.0 (hitcnt=222) 0xa22ee08e
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.38.0 255.255.255.0 172.31.255.0 255.255.255.0 (hitcnt=0) 0x0fb122e1
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.38.0 255.255.255.0 10.72.160.0 255.255.252.0 (hitcnt=0) 0xf0fb1114
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.38.0 255.255.255.0 10.72.64.0 255.255.252.0 (hitcnt=428) 0xe98447b3
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.38.0 255.255.255.0 10.72.80.0 255.255.240.0 (hitcnt=0) 0x94523b4f
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.20.0 255.255.255.0 172.31.255.0 255.255.255.0 (hitcnt=0) 0x6300b84c
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.20.0 255.255.255.0 10.72.160.0 255.255.252.0 (hitcnt=0) 0x9fbbd57c
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.20.0 255.255.255.0 10.72.64.0 255.255.252.0 (hitcnt=0) 0xc0b3e599
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.20.0 255.255.255.0 10.72.80.0 255.255.240.0 (hitcnt=252) 0x64414df2
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.41.0 255.255.255.0 172.31.161.248 255.255.255.248 (hitcnt=24) 0x8cea79ed
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.100.0 255.255.255.0 172.31.161.248 255.255.255.248 (hitcnt=224) 0xd90aa9d8
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.38.0 255.255.255.0 172.31.161.248 255.255.255.248 (hitcnt=0) 0xbe5d5c4e
access-list WAN_cryptomap_7 line 1 extended permit ip 10.72.20.0 255.255.255.0 172.31.161.248 255.255.255.248 (hitcnt=0) 0xc42aaa0c
access-list VoIP-LAN_access_in; 2 elements; name hash: 0x7ed09275
access-list VoIP-LAN_access_in line 1 extended permit ip any4 any4 (hitcnt=522486) 0xa979e568
access-list VoIP-LAN_access_in line 2 extended permit icmp any4 any4 (hitcnt=0) 0xe77f61fc
02-03-2021 02:43 PM
It's hard to say, can you give us more examples?
What do you see in the logs?
02-03-2021 02:51 PM
Beyond the usual, a lot of Russian IPs try to VPN but fail at phase 1. From Iran too (RIPE lookup).
02-03-2021 03:06 PM
Many drops means the FW is doing its job correctly. Coming back to the VPN: the change you made was not working, so we need to look at what command changed, so post the before and after change config.
02-03-2021 03:13 PM
Well, the change I made was adding the line:
permit DC-VPN-PEERS any4 esp, udp500, udp4500
It looks like I get no hits on this line in the ACL, so apparently the FW somehow circumvents the ACL for VPN (esp, udp 500, udp 4500),
even though I don't DENY anything ... yet. I SHOULD get hit counts in the ACL.
Don't get me wrong, everything works, VPNs are up and running, but it bothers me that I cannot use the ACL for these purposes.
Because the way I figure it: if someone somehow got hold of my customer's local key and remote key, they could set up a VPN to my datacenter... or am I wrong?
02-04-2021 02:20 AM - edited 02-04-2021 02:20 AM
The ASA works in order, top down; where the ACL line is inserted is important.
02-03-2021 03:00 PM
It seems I have a lot of hits in the ACL counters for the ICMP echo and echo-reply permits (WAN_in_1) but ZERO on the DC-VPN-PEERS.
02-03-2021 03:35 PM
Correction: ASA 9.12(4)10
02-04-2021 04:53 AM
Hello,
Sorry for the question, but I am confused about what the actual problem is. Initially it sounded like the ACL used to encrypt traffic between the VPN endpoints did not work correctly, and instead of just the specified traffic, all traffic was allowed.
But reading further, the problem seems to be that your public IP addresses (the VPN peer addresses) get hit by 'unauthorized' traffic? Is that right?
02-04-2021 07:16 AM
Yes, that is correct.
And those lines in the ACL are at the very top:
I start with denying the blacklist (some annoying Chinese IPs),
then ICMP echo and reply permit,
and THEN first the permit DC-VPN-PEERS.
But while the blacklist and ICMP entries get hits, and so do lines AFTER the permit VPN peers, the actual ESP, UDP 500 and 4500 entries do NOT.
As if the VPN doesn't listen to the ACL.
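The zero hit counts on the DC-VPN-PEERS lines are the expected behaviour rather than a broken ACL: an interface ACL on the ASA filters traffic passing through the box, while IKE (UDP 500/4500) and ESP addressed to the ASA's own WAN address are terminated by the ASA itself, which is why the peer restriction has to come from the peer addresses configured for each tunnel, as the accepted answer says. The Python script below is an added example, not code from the thread or from Cisco: it parses `show access-list` output in the format pasted above, aggregates hit counts per ACL line (the ASA prints the configured entry first, then one line per expanded object member), lists lines that reference a named object-group and never matched, and flags the ESP/IKE entries that an interface ACL will not evaluate for traffic terminating on the box; the embedded sample is a constructed subset of the thread's paste.

```python
import re
from dataclasses import dataclass

# One access-control entry (ACE) exactly as `show access-list` prints it.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
IKE_PORTS = {"isakmp", "500", "4500"}  # IKE and NAT-T as the ASA prints them

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    body: str        # protocol, source, destination and ports
    hits: int
    is_parent: bool  # configured entry (True) or expanded object member (False)

def parse_show_access_list(text: str) -> list:
    """Return ACEs in display order; headers and standard ACLs are skipped."""
    aces, by_line = [], {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("body").split()
        # The ASA prints the configured entry first, then one line per expanded
        # object/object-group member carrying the same line number.
        is_parent = "object" in tokens or "object-group" in tokens
        ace = Ace(m.group("acl"), int(m.group("line")), m.group("action"),
                  m.group("body"), int(m.group("hits")), is_parent)
        aces.append(ace)
        by_line.setdefault((ace.acl, ace.line), []).append(ace)
    for entries in by_line.values():  # a line without objects is its own parent
        if not any(e.is_parent for e in entries):
            entries[0].is_parent = True
    return aces

def line_summary(aces) -> dict:
    """Per (acl, line): action, configured text, its hitcnt (the parent's count
    already sums the members) and the number of expanded members."""
    summary = {}
    for a in aces:
        e = summary.setdefault((a.acl, a.line),
                               {"action": a.action, "body": "", "hits": 0, "members": 0})
        if a.is_parent:
            e["body"], e["hits"] = a.body, a.hits
        else:
            e["members"] += 1
    return summary

def zero_hit_lines(aces, needle: str) -> list:
    """(acl, line) pairs whose configured entry names `needle` and never matched."""
    return [key for key, e in line_summary(aces).items()
            if needle in e["body"].split() and e["hits"] == 0]

def vpn_termination_lines(aces) -> list:
    """(acl, line) pairs matching ESP or IKE/NAT-T in any of their entries.
    Addressed to the ASA's own interface, that traffic is terminated by the
    box itself, so the interface ACL never evaluates it and hitcnt stays 0."""
    found = {}
    for a in aces:
        t = a.body.split()
        ike = t[0] == "udp" and "eq" in t and t[t.index("eq") + 1] in IKE_PORTS
        if t[0] == "esp" or ike:
            found[(a.acl, a.line)] = True
    return list(found)

# Constructed subset of the `show access-list` paste from the thread.
SAMPLE_OUTPUT = """\
access-list WAN_access_in_1; 91 elements; name hash: 0x1f4e93bb
access-list WAN_access_in_1 line 1 extended deny ip object-group BLACKLIST-WANv4 any4 (hitcnt=329) 0xe07b7f5e
access-list WAN_access_in_1 line 1 extended deny ip 216.218.206.0 255.255.255.0 any4 (hitcnt=329) 0x4f6df64c
access-list WAN_access_in_1 line 6 extended permit icmp any4 any4 echo (hitcnt=564430) 0x03972f34
access-list WAN_access_in_1 line 11 extended permit esp object-group DC-VPN-PEERS any4 (hitcnt=0) 0xacb78a56
access-list WAN_access_in_1 line 11 extended permit esp host 217.100.50.82 any4 (hitcnt=0) 0x3cc49c4d
access-list WAN_access_in_1 line 12 extended permit udp object-group DC-VPN-PEERS any4 object-group DC-VPN-UDP (hitcnt=0) 0xded87cca
access-list WAN_access_in_1 line 12 extended permit udp host 217.100.50.82 any4 eq 4500 (hitcnt=0) 0x092d5865
access-list WAN_access_in_1 line 12 extended permit udp host 217.100.50.82 any4 eq isakmp (hitcnt=0) 0x6b258aca
access-list WAN_access_in_1 line 19 extended permit tcp any4 any4 (hitcnt=4668229) 0xe4ba155f
"""

if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_OUTPUT)
    for key, e in line_summary(aces).items():
        print(key, e["action"], e["body"], "hits", e["hits"], "members", e["members"])
    print("never matched:", zero_hit_lines(aces, "DC-VPN-PEERS"))
    print("ESP/IKE entries, not evaluated for to-the-box traffic:", vpn_termination_lines(aces))
```

Run it against a full `show access-list` capture to see which permit lines are genuinely unused and which only look unused because the ASA terminates the traffic itself.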