Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1113
Views
0
Helpful
4
Replies

crypto map - IPSec Site to Site VPN

rthakker
Level 1
Level 1

‎03-25-2019 04:15 PM - edited ‎02-21-2020 09:36 PM

Guys,

 

Does Cisco firewall support IPSec Site to Site VPN using TCP / UDP based cryptomap?

 

For example, I have two sites connected via IPSec VPN using IP ACL which works fine. 

 

Site 1 - Cryptomap

access-list vpn1_cryptomap extended permit ip host 172.30.10.2 host 192.168.10.2

 

Site 2 - Cryptomap

access-list vpn1_cryptomap extended permit ip host 192.168.10.2 host 172.30.10.2

 

ASA1# packet-tracer input inside1 tcp 172.30.10.2 12212 192.168.10.2 23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.1 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside1,outside) source static Inside1_Local Inside1_Local destination static Inside1_Remote Inside1_Remote no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.2/23 to 192.168.10.2/23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global-acl global
access-list global-acl extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside1,outside) source static Inside1_Local Inside1_Local destination static Inside1_Remote Inside1_Remote no-proxy-arp route-lookup
Additional Information:
Static translate 172.30.10.2/12212 to 172.30.10.2/12212

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside1,outside) source static Inside1_Local Inside1_Local destination static Inside1_Remote Inside1_Remote no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8, packet dispatched to next module

Result:
input-interface: inside1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA1#

 

 

 

However, the moment I switch crypto map to TCP or UDP based ACL I am unable to establish VPN

 

Site 1 - Cryptomap

access-list vpn1_cryptomap extended permit tcp host 172.30.10.2 host 192.168.10.2 eq telnet

 

Site 2 - Cryptomap

access-list vpn1_cryptomap extended permit tcp host 192.168.10.2 eq telnet host 172.30.10.2

 

ASA1# packet-tracer input inside1 tcp 172.30.10.2 12212 192.168.10.2 23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.1 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside1,outside) source static Inside1_Local Inside1_Local destination static Inside1_Remote Inside1_Remote no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.2/23 to 192.168.10.2/23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global-acl global
access-list global-acl extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside1,outside) source static Inside1_Local Inside1_Local destination static Inside1_Remote Inside1_Remote no-proxy-arp route-lookup
Additional Information:
Static translate 172.30.10.2/12212 to 172.30.10.2/12212

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1#

 

I will appriciate if you suggest if these feature is supported or not? 

 

Thanks

RT 

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎03-25-2019 04:30 PM

Hi,

The ACLs used for control connections are based on the source and translated destination IP addresses, reference here. So on that basis I'd say no you cannot limit the proxy id as you hoped.

 

If you want to restrict access over the VPN tunnel I'd suggest looking at VPN Filter to restrict the telnet traffic on that tunnel. Example here and here.

 

HTH

0 Helpful

rthakker
Level 1
Level 1
In response to Rob Ingram

‎03-25-2019 11:36 PM

Thank you for your response RJI and Rahul. I did think of VPN filter but not attempted it.

Let me explain i need two tunnels between the same pairs of ASAs using different tunnel endpoint IPs but having the same encryption domain in my example;

Site A Tunnel 1 to Site B Tunnel 1 - Source Site A 172.30.10.2 TCP/12212 Destination Site B 192.168.10.2 TCP/23
Site A Tunnel 2 to Site B Tunnel 2 - Source Site A 172.30.10.2 TCP/15515 Destination Site B 192.168.10.2 TCP/22

If I use IP based crypto map and if Tunnel 1 came up first due to the nature of the traffic in the current example it is Telnet (but in real life it is different type of traffic but very chatty which will keep Tunnel 1 always up) will ASA ever allow Tunnel 2 to come up if SSH traffic appears?

Thanks
RT
0 Helpful

rthakker
Level 1
Level 1
In response to rthakker

‎03-26-2019 01:33 AM - edited ‎03-26-2019 03:32 AM

I will try VPN Filter feature and update you.

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni

‎03-25-2019 05:07 PM

Although not recommended, I do not see why this would not work. Run "debug crypto ikev1 127" and "debug crypto ipsec" on both sides when you run the packet-tracer.

 

As @Rob Ingram mentioned, its easier and recommended to create IP crypto ACL's and lock it based on filters. 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents