1165 Views, 5 Helpful, 6 Replies

IPSec tunnel through ASA from specific IPs

justin.coppola1
Level 1

I'm having some difficulty getting an IPSec tunnel to work through an ASA5510 that is already configured with a number of different tunnels that it terminates, as well as individual VPN clients.

There are four interfaces to consider:

outside - 66.214.7.x 
inside  - 192.168.0.0/24
inside2 - 172.16.0.1/30
Cisco 1900 series WAN - 172.16.0.2

inside2 is directly connected to a Cisco 1900 series router that needs the IPsec tunnel. The ASA itself terminates a lot of different tunnels for remote branch offices, but this particular vendor needs a tunnel directly through to their router. Their tunnel can be set up from a range of about 6 different IPs, all of the variety 209.66.59.x.

I've tried a number of different configs but can't seem to get the lone tunnel to establish. Logs show a UDP/500 session being set up and then torn down.

Is it possible to pass UDP/500 and 4500 as well as IP/50 on to the inside2 interface only when they originate from specific IPs?

Any pointers to break the log jam in my head would be helpful. Thanks.

6 Replies

Dinesh Moudgil
Cisco Employee

Hi,

If you need to establish a VPN tunnel directly to another device, bypassing the ASA, then you may use the IPsec pass-through option.


The following example shows how to use access lists to identify IKE traffic, define an IPSec Pass Thru parameter map, define a policy, and apply the policy to the outside interface:

 hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
 hostname(config)# class-map ipsecpassthru-traffic
 hostname(config-cmap)# match access-list ipsecpassthruacl
 hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
 hostname(config-pmap)# parameters
 hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
 hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
 hostname(config)# policy-map inspection_policy
 hostname(config-pmap)# class ipsecpassthru-traffic
 hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
 hostname(config)# service-policy inspection_policy interface outside


Here is the command reference detailing what this option does:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/i2.html#wp1721168

And here is how you can configure it:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html#wp1522169

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you.  

We actually have many tunnels terminating at the ASA via the outside interface. In this case, we only want to pass through connections from a specific range of IPs at the remote end. Is this possible? All other tunnels that are currently set up and terminated by the ASA need to continue, but any tunnels to/from the range of IPs need to be passed through to 172.16.0.2. How would that be configured?

JC

Justin,

You can configure specific IPs in the access-list rather than allowing any as source and destination, i.e., referencing the previous example configuration:


access-list ipsecpassthruacl permit udp host x.x.x.x host y.y.y.y eq 500
instead of
access-list ipsecpassthruacl permit udp any any eq 500

And use this access-list in the class-map for ipsec passthrough.

NOTE: If you already have a service-policy applied on the outside interface, then you can probably add the class-map directly to the default policy-map instead of creating a new policy-map, since you can only apply one policy-map on an interface.
(You can verify whether you have any policy-map applied with "show run service-policy".)

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

So I can configure passthrough for a single IP or range of IPs on the remote end? The reply above indicates that the only way to bring multiple VPN tunnels in through the ASA would be separate interface/WAN IPs. It's hard to believe that it's that limited.

Justin,

The reason for getting a different IP is that all the UDP/500, UDP/4500 and ESP packets reaching the ASA are for the tunnels that terminate on the ASA itself.

If the router behind the ASA had a public IP, it would have worked fine without a new IP. But since it has a private IP, the packets seen would be destined for the ASA, and since ISAKMP is enabled on the outside interface, the ASA will try to process that traffic rather than forward it.

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

The only way I see is to use a different IP address on the outside interface of the ASA for this additional tunnel. All IPsec traffic to the interface address of the ASA will be caught by the ASA itself.

And you only need to forward UDP/500 and UDP/4500. IP/50 is not needed in this case.
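The approach the last two replies converge on (a second public address on the outside subnet, a one-to-one static NAT to the 1900's WAN address, and only UDP/500 and UDP/4500 opened from the vendor's peers), written out as an added ASA configuration example. This is not configuration from the thread or from any of its posters. It assumes ASA 8.3 or later object NAT syntax, that the ISP routes an assumed second public IP 66.214.7.Y (placeholder) to the ASA's outside interface, and that the vendor's peers fall in 209.66.59.0/24 (the thread gives only "209.66.59.x"; narrow the object-group to the actual six hosts).

```cisco
! Added example, not from the thread. Placeholders: 66.214.7.Y is an assumed
! second public IP on the outside subnet; 209.66.59.0/24 stands in for the
! vendor's "about 6" peer addresses and should be narrowed to those hosts.

! Mapped (public) address for the 1900 router. Must exist before the NAT
! statement below references it.
object network RTR1900_PUBLIC
 host 66.214.7.Y

! Real address of the 1900's WAN interface on inside2, with a one-to-one
! static NAT. Packets arriving for 66.214.7.Y are untranslated to 172.16.0.2
! and forwarded; they never hit the ASA's own IKE listener, which only answers
! on the interface address. Tunnels terminating on the ASA are unaffected.
object network RTR1900_WAN
 host 172.16.0.2
 description Cisco 1900 WAN on inside2
 nat (inside2,outside) static RTR1900_PUBLIC

! The vendor's IKE peers; the only sources allowed to reach the router.
object-group network VENDOR_PEERS
 network-object 209.66.59.0 255.255.255.0

! Inbound ACL on outside. On 8.3+ the ACL matches the real (untranslated)
! destination, so it references RTR1900_WAN, not the public address.
! Only IKE (UDP/500) and NAT-T (UDP/4500) are admitted. Because the router
! sits behind NAT, IKE detects it and ESP is carried inside UDP/4500, so
! protocol 50 is not opened (this is the point of the last reply).
access-list OUTSIDE_IN extended permit udp object-group VENDOR_PEERS object RTR1900_WAN eq 500
access-list OUTSIDE_IN extended permit udp object-group VENDOR_PEERS object RTR1900_WAN eq 4500
access-group OUTSIDE_IN in interface outside
```

If an inbound ACL is already applied to outside, add the two permit lines to that ACL instead of binding a new one, so existing rules keep working; everything else from those peers is dropped by the implicit deny. Check the path before asking the vendor to retry with `packet-tracer input outside udp 209.66.59.10 500 66.214.7.Y 500`, which should show the NAT untranslate to 172.16.0.2 and an ALLOW result, and confirm the translation with `show nat`. On pre-8.3 code the equivalent is `static (inside2,outside) 66.214.7.Y 172.16.0.2 netmask 255.255.255.255`, and the inbound ACL must then name the mapped address 66.214.7.Y as the destination rather than 172.16.0.2.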