Site to Site Tunnel Disparity in Encaps/Decaps

mumbles202 (Level 5)

Set up a site-to-site tunnel between an ASA context and another ASAv. The tunnel is up, but I'm seeing odd behavior. Traffic from behind the ASAv can reach the site behind the ASA. Traffic from the ASA gets encrypted (and I see the decaps on the ASAv), but I'm seeing drops in the log on the ASAv similar to this:

ASA-session-4-106023: Deny tcp src OUTSIDE:192.168.100.10/40638 dst INSIDE:172.30.25.6/9004 by access-group "OUTSIDE_in" [0x0, 0x0]


access-list OUTSIDE_in is applied "in" on the outside interface and is as follows:

access-list OUTSIDE_in extended permit icmp any any time-exceeded
access-list OUTSIDE_in extended permit icmp any any unreachable

If I add an entry like

access-list OUTSIDE_in extended permit ip 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0

I then see the traffic hit my inside device successfully (at least in my capture).

 

6 Replies

balaji.bandi (Hall of Fame)

Since we do not know the configuration, we are assuming that you allowed the interesting traffic on both sides; as per the logs, that was not the case. Either post the full configuration or allow the ACL from source to destination on the firewalls on both sides.

BB

Hi,
Normally traffic that traverses a VPN bypasses ACLs applied on an interface; the command that enables this (which is applied by default) is "sysopt connection permit-vpn". Is that command configured?
Can you upload the configuration of your ASAs and the output of "show crypto ipsec sa"?

Thanks for the tip:

 

ASA Configuration:

object network remoteLAN
subnet 172.30.25.0 255.255.255.0
object network localLAN
subnet 192.168.100.0 255.255.255.0

access-list remoteVPN extended permit ip object localLAN object remoteLAN

crypto map OUTSIDE-MAP 4 match address remoteVPN
crypto map OUTSIDE-MAP 4 set pfs group5
crypto map OUTSIDE-MAP 4 set peer remotePeer
crypto map OUTSIDE-MAP 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 4 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP 4 set security-association lifetime kilobytes 4608000


nat (inside,outside) source static localLAN localLAN destination static remoteLAN remoteLAN no-proxy-arp route-lookup


sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

---------------------

ASAv Configuration


object network localLAN
subnet 172.30.25.0 255.255.255.0
object network remoteLAN
subnet 192.168.100.0 255.255.255.0

access-list remoteVPN extended permit ip object localLAN object remoteLAN

nat (inside,outside) source static localLAN localLAN destination static remoteLAN remoteLAN no-proxy-arp route-lookup


crypto map OUTSIDE-MAP 4 match address remoteVPN
crypto map OUTSIDE-MAP 4 set pfs group5
crypto map OUTSIDE-MAP 4 set peer remotePeer
crypto map OUTSIDE-MAP 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 4 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP 4 set security-association lifetime kilobytes 4608000

access-list INSIDE_in extended permit ip any any
access-list INSIDE_in extended permit icmp any any

access-group INSIDE_in in interface inside
access-group OUTSIDE_in in interface outside


no sysopt connection permit-vpn

So with "no sysopt connection permit-vpn" I'll need to add an ACL entry for every new peer that comes up? Reading up on it now.

(Accepted solution)

Yes, on the ASAv you will need to permit the traffic in the ACL. Why not align with the configuration of the other ASA and enable?

Alternatively if you want to restrict VPN traffic you could implement VPN Filter or just permit the traffic on the outside interface ACL.
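As an added example (not from the original thread), here is the ASAv-side change the accepted answer describes: the inherited non-default line from the posted config beside the two fixes, plus the commands to confirm the result. Interface names, object names and subnets are the ones posted above; the peer-address placeholder is an assumption.

```text
! --- Inherited (non-default) setting found in the ASAv config ---
! With permit-vpn disabled, decrypted tunnel traffic is checked against the
! ingress interface ACL, which is why the 106023 denies for
! 192.168.100.10 -> 172.30.25.6/9004 are logged against OUTSIDE_in.
no sysopt connection permit-vpn

! --- Fix 1: restore the default so decrypted VPN traffic bypasses interface ACLs
!     (this matches the other ASA, which does not carry the "no" form) ---
sysopt connection permit-vpn

! --- Fix 2: keep interface ACLs in the path and permit the interesting traffic
!     explicitly on the outside ACL. On the ASAv remoteLAN = 192.168.100.0/24 and
!     localLAN = 172.30.25.0/24. New ACEs append after the two icmp lines;
!     use "line N" if a deny above them must be bypassed. ---
access-list OUTSIDE_in extended permit ip object remoteLAN object localLAN

! --- Verify ---
! default settings are hidden from "show running-config"; "all" shows them
show running-config all sysopt
! <peer-ip> is a placeholder; #pkts encaps and #pkts decaps should both increase
show crypto ipsec sa peer <peer-ip>
! with Fix 2, hitcnt on the new ACE should climb and the 106023 denies should stop
show access-list OUTSIDE_in
```

Fix 1 is the smaller change but it means every tunnel, present and future, bypasses the interface ACLs on the ASAv; if that is not acceptable, Fix 2 (or a vpn-filter, as the accepted answer notes) keeps per-peer control at the cost of one ACE per new peer.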

Thanks for the quick response. Yes, I might just do that. I inherited the configuration role for the ASAv, so I didn't realize it had a non-default setting. I'll pick through the config a bit more to make sure there are no more things to take note of.

For the VPN filter, if I wanted to allow all LAN-to-LAN traffic would I simply use:

access-list VPN-Filter extended permit ip 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0

group-policy remotesite internal
group-policy remotesite attributes
 vpn-filter value VPN-Filter

tunnel-group remotePeer general-attributes
 default-group-policy remotesite

You need to be aware that when configuring a VPN Filter ACL, the source network/port is always the remote network and the destination is always the local network/port (which is the opposite of a normal ACL). As long as you bear that in mind it's pretty straightforward.

Here is an example of VPN Filter.
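An added example (not from the thread) of a port-restricted VPN filter on the ASAv that applies the direction rule just described: source is the remote (ASA-side) network and destination is the local (ASAv-side) network, whichever side opened the connection. It reuses the subnets, group-policy and tunnel-group names posted above; the port numbers are assumptions (9004 is taken from the denied flow in the log, 443 is an arbitrary remote service).

```text
! Built on the ASAv: local = 172.30.25.0/24, remote = 192.168.100.0/24.
! vpn-filter ACE form is always: <remote net/port> -> <local net/port>.
! The ASA evaluates the filter in both directions of the tunnel, so a single
! ACE covers a connection and its return traffic; what moves is only the
! side on which the port sits.

! Remote hosts may open the local application on TCP 9004 (port on the destination/local side)
access-list VPN-Filter extended permit tcp 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0 eq 9004
! Local hosts may open TCP 443 on the remote site: still remote -> local, so the
! port goes on the SOURCE (remote) side, unlike a normal interface ACL
access-list VPN-Filter extended permit tcp 192.168.100.0 255.255.255.0 eq 443 172.30.25.0 255.255.255.0
! Ping either way
access-list VPN-Filter extended permit icmp 192.168.100.0 255.255.255.0 172.30.25.0 255.255.255.0
! Everything else inside the tunnel is dropped by the filter's implicit deny

group-policy remotesite internal
group-policy remotesite attributes
 vpn-filter value VPN-Filter

tunnel-group remotePeer general-attributes
 default-group-policy remotesite

! With the default restored, the vpn-filter is the only ACL checked for tunnel
! traffic; with "no sysopt connection permit-vpn" the interface ACL is checked too.
sysopt connection permit-vpn

! Verify: the L2L session should report "Filter Name : VPN-Filter", and the
! ACE hit counts should move as the tunnel carries traffic
show vpn-sessiondb detail l2l
show access-list VPN-Filter
```

Because the filter is attached to the group policy, changes to the ACL take effect on the running tunnel, but a changed group-policy assignment needs the tunnel re-established; clearing it with "clear crypto ipsec sa peer <peer-ip>" (placeholder address) is the quickest way to test.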