11-18-2019 02:41 PM
Set up a site-to-site between an ASA context and another ASAv. The tunnel is up but I'm seeing odd behavior. Traffic from behind the ASAv can reach the site behind the ASA. Traffic from the ASA gets encrypted (and I see the decaps on the ASAv), but I'm seeing drops in the log on the ASAv similar to this:
ASA-session-4-106023: Deny tcp src OUTSIDE:192.168.100.10/40638 dst INSIDE:172.30.25.6/9004 by access-group "OUTSIDE_in" [0x0, 0x0]
access-list OUTSIDE_in is applied "in" on the outside interface and is as follows:
access-list OUTSIDE_in extended permit icmp any any time-exceeded
access-list OUTSIDE_in extended permit icmp any any unreachable
If I add an entry like
access-list OUTSIDE_in extended permit ip 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0
I then see the traffic hit my inside device successfully (at least in my capture).
11-18-2019 02:46 PM
Since we do not know the configuration, we are under the assumption that you allowed the interesting traffic on both sides; as per the logs, that was not the case. Either post the full configuration or allow the traffic from source to destination in the ACL on both side FWs.
11-18-2019 02:49 PM
11-18-2019 03:02 PM
Thanks for the tip:
ASA Configuration:
object network remoteLAN
subnet 172.30.25.0 255.255.255.0
object network localLAN
subnet 192.168.100.0 255.255.255.0
access-list remoteVPN extended permit ip object localLAN object remoteLAN
crypto map OUTSIDE-MAP 4 match address remoteVPN
crypto map OUTSIDE-MAP 4 set pfs group5
crypto map OUTSIDE-MAP 4 set peer remotePeer
crypto map OUTSIDE-MAP 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 4 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP 4 set security-association lifetime kilobytes 4608000
nat (inside,outside) source static localLAN localLAN destination static remoteLAN remoteLAN no-proxy-arp route-lookup
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
---------------------
ASAv Configuration
object network localLAN
subnet 172.30.25.0 255.255.255.0
object network remoteLAN
subnet 192.168.100.0 255.255.255.0
access-list remoteVPN extended permit ip object localLAN object remoteLAN
nat (inside,outside) source static localLAN localLAN destination static remoteLAN remoteLAN no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 4 match address remoteVPN
crypto map OUTSIDE-MAP 4 set pfs group5
crypto map OUTSIDE-MAP 4 set peer remotePeer
crypto map OUTSIDE-MAP 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 4 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP 4 set security-association lifetime kilobytes 4608000
access-list INSIDE_in extended permit ip any any
access-list INSIDE_in extended permit icmp any any
access-group INSIDE_in in interface inside
access-group OUTSIDE_in in interface outside
no sysopt connection permit-vpn
So with the "no sysopt connection permit-vpn" I'll need to add an ACL entry for every new peer that comes up? Reading up on it now.
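The deny above is what `no sysopt connection permit-vpn` produces: decrypted tunnel traffic is evaluated by the outside interface ACL like any other inbound packet. Here is a small check, added here and not part of anyone's post, that reads ASA syslog, keeps only 106023 denies whose endpoints fall inside the crypto ACL's networks, and prints the interface-ACL entry that would permit them. The log lines are constructed for the example (the first mirrors the one reported in the thread); the networks are the thread's.

```python
import ipaddress
import re

# Constructed sample syslog lines. The first mirrors the deny reported in the thread;
# the others are made up here to show what is and is not flagged.
SAMPLE_LOGS = [
    '%ASA-session-4-106023: Deny tcp src OUTSIDE:192.168.100.10/40638 dst INSIDE:172.30.25.6/9004 by access-group "OUTSIDE_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src OUTSIDE:192.168.100.10 dst INSIDE:172.30.25.6 (type 8, code 0) by access-group "OUTSIDE_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src OUTSIDE:203.0.113.7/53211 dst INSIDE:172.30.25.6/161 by access-group "OUTSIDE_in" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12 for OUTSIDE:192.168.100.10/40639 (192.168.100.10/40639) to INSIDE:172.30.25.6/9004 (172.30.25.6/9004)',
]

# Protected networks from the ASAv's crypto ACL (localLAN <-> remoteLAN in the thread)
LOCAL_LAN = ipaddress.ip_network("172.30.25.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.100.0/24")

# 106023 with or without ports (ICMP denies carry "(type X, code Y)" instead of ports)
DENY_RE = re.compile(
    r'ASA-(?:\w+-)?\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'.*? by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 interface-ACL deny, or None for any other message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f["src"] = ipaddress.ip_address(f["src"])
    f["dst"] = ipaddress.ip_address(f["dst"])
    return f


def is_tunnel_traffic(src, dst):
    """True when the flow is decrypted site-to-site traffic: remote LAN -> local LAN."""
    return src in REMOTE_LAN and dst in LOCAL_LAN


def find_vpn_denies(lines):
    """Parsed denies whose src/dst fall inside the crypto ACL's networks.

    With `no sysopt connection permit-vpn` such a hit means decrypted tunnel traffic is
    being evaluated, and dropped, by the outside interface ACL."""
    hits = []
    for line in lines:
        f = parse_deny(line)
        if f and is_tunnel_traffic(f["src"], f["dst"]):
            hits.append(f)
    return hits


def suggested_ace(acl_name):
    """The interface-ACL entry that permits the tunnel's traffic (the fix found in the thread)."""
    return (f"access-list {acl_name} extended permit ip "
            f"{REMOTE_LAN.network_address} {REMOTE_LAN.netmask} "
            f"{LOCAL_LAN.network_address} {LOCAL_LAN.netmask}")


if __name__ == "__main__":
    for hit in find_vpn_denies(SAMPLE_LOGS):
        print(f'tunnel traffic {hit["src"]} -> {hit["dst"]} ({hit["proto"]}) denied by "{hit["acl"]}"')
    print(suggested_ace("OUTSIDE_in"))
```

The third sample line (a deny from 203.0.113.7) is a normal interface-ACL drop and is not reported; only traffic that the crypto ACL says should be protected by the tunnel is. The same flag could be raised for the alternative the thread moves to next, a vpn-filter, since a filter also needs an entry per protected network pair.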
11-18-2019 03:07 PM
11-18-2019 03:23 PM
Thanks for the quick response. Yes, I might just do that. I inherited the configuration role for the ASAv so didn't realize it had a non-default setting. I'll pick through the config a bit more to make sure there are no more things to take note of.
For the VPN filter, if I wanted to allow all LAN-to-LAN traffic, would I simply use:
access-list VPN-Filter extended permit ip 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0
group-policy remotesite internal
group-policy remotesite attributes
vpn-filter value VPN-Filter
tunnel-group remotePeer general-attributes
default-group-policy remotesite
11-18-2019 03:29 PM
You need to be aware that when configuring a VPN filter ACL, the source network/port is always the remote network and the destination is always the local network/port (which is the opposite of a normal ACL). As long as you bear that in mind it's pretty straightforward.
Here is an example of a VPN filter.
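To make the source/destination orientation concrete, here is an added model, not from the thread or from Cisco, of how the ASA evaluates a vpn-filter: an inbound (decrypted) packet is matched against the ACL as written, remote to local; an outbound packet about to be encrypted is matched with addresses and ports swapped, so the one ACL written from the remote side's point of view covers both directions. The entries use the thread's networks as seen from the ASAv (local 172.30.25.0/24), the port handling is limited to single `eq` values, and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One vpn-filter entry, written the way the ASA expects it:
    src = remote side, dst = local side. Ports are optional single 'eq' values."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: Net                    # remote network
    dst: Net                    # local network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _ace_matches(ace, proto, src, sport, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True


def vpn_filter_permits(acl: List[Ace], direction: str, proto: str,
                       src: str, sport: Optional[int], dst: str, dport: Optional[int]) -> bool:
    """Decide whether the first packet of a new connection passes the vpn-filter.

    direction="inbound":  decrypted packet, remote -> local; the ACL is matched as written.
    direction="outbound": packet about to be encrypted, local -> remote; the ASA evaluates
    the same ACL with source and destination (addresses and ports) swapped, which is why
    the filter is always written from the remote side's point of view.
    Return traffic of an established connection is handled by the connection table, not here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "outbound":
        s, sport, d, dport = d, dport, s, sport
    elif direction != "inbound":
        raise ValueError(f"unknown direction {direction!r}")
    for ace in acl:
        if _ace_matches(ace, proto, s, sport, d, dport):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


def to_cli(name: str, ace: Ace) -> str:
    """Render an entry in ASA access-list syntax (network + mask, 'eq' for ports)."""
    parts = ["access-list", name, "extended", ace.action, ace.proto,
             str(ace.src.network_address), str(ace.src.netmask)]
    if ace.src_port is not None:
        parts += ["eq", str(ace.src_port)]
    parts += [str(ace.dst.network_address), str(ace.dst.netmask)]
    if ace.dst_port is not None:
        parts += ["eq", str(ace.dst_port)]
    return " ".join(parts)


# Constructed entries using the thread's networks, seen from the ASAv (local = 172.30.25.0/24).
REMOTE = ipaddress.ip_network("192.168.100.0/24")
LOCAL = ipaddress.ip_network("172.30.25.0/24")

# The poster's proposal: all LAN-to-LAN traffic, both directions.
LAN2LAN = [Ace("permit", "ip", REMOTE, LOCAL)]

# Only let the LOCAL side open SSH to the REMOTE side. Because outbound packets are
# evaluated swapped, the remote SSH port lands in the *source* port position.
LOCAL_TO_REMOTE_SSH = [Ace("permit", "tcp", REMOTE, LOCAL, src_port=22)]

# The same intent written like an ordinary interface ACL (local -> remote): matches nothing.
WRONG_WAY_ROUND = [Ace("permit", "tcp", LOCAL, REMOTE, dst_port=22)]

if __name__ == "__main__":
    for label, acl in (("LAN2LAN", LAN2LAN), ("SSH", LOCAL_TO_REMOTE_SSH), ("WRONG", WRONG_WAY_ROUND)):
        out = vpn_filter_permits(acl, "outbound", "tcp", "172.30.25.6", 50000, "192.168.100.10", 22)
        inb = vpn_filter_permits(acl, "inbound", "tcp", "192.168.100.10", 40638, "172.30.25.6", 9004)
        print(f"{label}: local->remote ssh {out}, remote->local 9004 {inb}  [{to_cli('VPN-Filter', acl[0])}]")
```

The `WRONG_WAY_ROUND` entry is the mistake the reply above warns about: written local to remote it never matches in either direction, so with the implicit deny at the end of the filter every new connection through the tunnel is dropped.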