Cryptomap misinterprets our VPN traffic ACL

Group IT
Level 1

Hello,
We are configuring a VPN tunnel between a router and ASA.
The router has an ACL like this:
ip access-list extended VPN-TRAFFIC
permit icmp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255
permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 eq 445 domain 88 135 389 636 3389
permit udp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 eq 445 domain 88 135 389 636 3389
permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 range 49152 65535
permit udp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 range 49152 65535
The tunnel connects and all looks well. But when we try to access ports within the range 49152-65535, the traffic is dropped.
Upon investigation, we notice that the cryptomap appears to interpret the port RANGE as a list of two different ports?

Is this a bug? Are we misunderstanding how to set port ranges?
rtr-h000399(config)#do sh cry map
Crypto Map IPv4 "CMAP-HGL-HQ" 1 ipsec-isakmp
Peer = xxx.xxx.xxx.xxx
IKEv2 Profile: PROFILE-DnC
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit icmp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255
access-list VPN-TRAFFIC permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 ports = 445, 53, 88, 135, 389, 636, 3389
access-list VPN-TRAFFIC permit udp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 ports = 445, 53, 88, 135, 389, 636, 3389
access-list VPN-TRAFFIC permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 ports = 49152, 65535
access-list VPN-TRAFFIC permit udp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 ports = 49152, 65535
Current peer: xxx.xxx.xxx.xxx
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TS-DnC: { esp-256-aes esp-sha256-hmac } ,
}
Interfaces using crypto map CMAP-HGL-HQ:
Cellular0

Interfaces using crypto map NiStTeSt1:
Thank you for reading!
Kind regards,
Elliot

Accepted Solution

@Group IT 

As per Cisco "Deploying complicated crypto ACLs using TCP or UDP ports is not recommended. Many IPsec vendors do not support port-level encryption ACLs."
Create your crypto ACL using "ip" between networks; you can then restrict the traffic once the IPsec SAs have been established using either a VPN filter or an interface ACL.
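As an added example (not from the thread, and not a Cisco tool), here is a small Python audit that applies Rob's advice to an IOS configuration: it finds the ACL referenced by a crypto map's `match address`, flags every entry that carries a port operator (`eq`, `range`, and so on) and emits the network-level `permit ip` replacement. The sample configuration is constructed from the ACL quoted above; the peer address and the second ACL are placeholders.

```python
import re

# Constructed sample modelled on the thread's ACL and crypto map; not a real device dump.
SAMPLE_CONFIG = """\
ip access-list extended VPN-TRAFFIC
 permit icmp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255
 permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 eq 445 domain 88 135 389 636 3389
 permit tcp 10.52.128.0 0.0.15.255 10.11.0.0 0.0.255.255 range 49152 65535
ip access-list extended LAN-IN
 permit tcp any any eq 22
crypto map CMAP-HGL-HQ 1 ipsec-isakmp
 set peer 192.0.2.1
 match address VPN-TRAFFIC
"""

PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}
ADDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_acls(config: str) -> dict:
    """Return {acl_name: [ace, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # any other top-level command closes the block
    return acls

def network_only(ace: str) -> str:
    """Rewrite an ACE as '<action> ip <src> <dst>': keep only dotted quads, 'any' and 'host'."""
    tokens = ace.split()
    addrs = [t for t in tokens[2:] if t in ("any", "host") or ADDR_RE.match(t)]
    return f"{tokens[0]} ip {' '.join(addrs)}"

def audit(config: str) -> list:
    """Flag ACEs in crypto-map ACLs that carry port operators, paired with the network-level fix."""
    acls = parse_acls(config)
    crypto_acls = sorted(set(re.findall(r"^\s*match address (\S+)", config, re.M)))
    return [(name, ace, network_only(ace)) for name in crypto_acls
            for ace in acls.get(name, []) if PORT_OPERATORS & set(ace.split())]

def recommended_crypto_acl(config: str, name: str) -> list:
    """Deduplicated network-level replacement for the named crypto ACL, order preserved."""
    aces = [a for a in parse_acls(config).get(name, []) if a.split()[0] in ("permit", "deny")]
    return list(dict.fromkeys(network_only(a) for a in aces))
```

Only the ACL bound to the crypto map is flagged; `LAN-IN` keeps its port qualifiers because interface ACLs are where that filtering belongs.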


Aha! Thank you, Rob; that makes complete sense! We'll try recreating it that way.