Question on ACLs with the 2621 when using site-to-site VPN

chalkspray (Level 1)

I am setting up two site-to-site VPNs. We have an ASA at our HQ, and the branches will have IOS routers -- one is an 1811 and the other a 2621. Both are running the latest IOS versions, respectively. Both site-to-site VPNs are operational. I have an inbound access list on the outside interfaces of both routers, which only permits IP traffic from the IP address of the ASA. All other traffic is denied. I have NAT overload set up in typical form, and I'm using IP inspection outbound on the same interface to allow inbound return traffic for internet browsing. This configuration works just fine with the 1811, where all traffic is blocked except the IP (IPsec) traffic coming from the ASA. The hosts at our HQ can reach the hosts behind the 1811, and vice versa.

Here's my problem: The 2621 is processing the encapsulated traffic on the outside interface, and blocking that traffic because it doesn't match. I know this because when I turn on logging / debugging on the 2621, I see the inbound traffic being blocked by that ACL. Technically I suppose it doesn't match, but at that interface the traffic is still encapsulated, so I would think it would match that access list and then be passed to the crypto map for decapsulation and forwarded on to the destination host, just like it does on the 1811. I don't want to create another line in the access list to permit all of the subnets at HQ. Why isn't this working the same way as it does on the 1811? Is there something else I need to enable?

------------------------------------------------------------------------

1811 Config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname BranchVPN1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect name internet udp timeout 30
ip inspect name internet tcp timeout 30
ip inspect name internet ftp timeout 30
ip inspect name internet http timeout 30
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall ftps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name xxxx
!
!
!
!
username xxxxxxxxxx
!
!
!
class-map match-all vpn_traffic
match access-group name police
!
!
policy-map VPN
class vpn_traffic
    police 2000000 37500 conform-action transmit  exceed-action drop
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxxx address xxxx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxtransform esp-aes 256 esp-sha-hmac
!
crypto map xxmap 10 ipsec-isakmp
set peer xxxx
set transform-set xxtransform
set pfs group2
match address tunnelnetworks
reverse-route static
!
!
!
interface Loopback0
ip address 172.16.99.1 255.255.255.255
!
interface FastEthernet0/0
description Connection to Internet (DHCP)
ip address dhcp
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect firewall out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map xxmap
!
interface FastEthernet0/1
description Connection to LAN
ip address 172.20.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
service-policy input VPN
!
interface Serial0/0/0
no ip address
shutdown
no cdp enable
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list nat-acl interface FastEthernet0/0 overload
!
ip access-list extended nat-acl
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any
ip access-list extended outside_in
permit udp any eq bootps host 255.255.255.255 eq bootpc
permit ip host (ASA IPADDR) any
deny   ip any any log
ip access-list extended police
deny   ip host xxxx any
deny   ip any host xxxx
permit ip 172.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended tunnelnetworks
permit ip host 172.16.99.1 10.0.0.0 0.255.255.255
permit ip 172.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
logging trap debugging
logging source-interface Loopback0
logging xxxx
access-list 160 remark t est
no cdp run
!
!
control-plane
!
banner motd ^CC


Authorized Personnel Only!!!

^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

------------------------------------------------------------------------

2621 Config:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname BranchVPN2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization console
aaa authorization exec default local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip domain name xxxx
!
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect name internet udp timeout 30
ip inspect name internet tcp timeout 30
ip inspect name internet ftp timeout 30
ip inspect name internet http timeout 30
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall ftp
ip inspect name firewall http
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxxxxxxxx
!
!
!
class-map match-all vpn_traffic
  match access-group name police
!
!
policy-map VPN
  class vpn_traffic
   police 2000000 37500 conform-action transmit  exceed-action drop
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxx address xxxx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxtransform esp-aes 256 esp-sha-hmac
!
crypto map xxmap 10 ipsec-isakmp
set peer xxxx
set transform-set xxtransform
set pfs group2
match address tunnelnetworks
reverse-route remote-peer
!
!
!
!
interface Loopback0
ip address 172.16.99.2 255.255.255.255
!
interface FastEthernet0/0
description Connection to Internet (DHCP)
ip address dhcp
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall out
duplex auto
speed auto
no cdp enable
crypto map xxmap
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
description Connection to LAN
ip address 172.20.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
duplex auto
speed auto
no cdp enable
service-policy input VPN
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source list nat-acl interface FastEthernet0/0 overload
no ip http server
ip http authentication local
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
!
ip access-list extended nat-acl
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any
ip access-list extended outside_in
permit udp any eq bootps host 255.255.255.255 eq bootpc
permit ip host (ASA IPADDR) any
deny   ip any any log
ip access-list extended police
deny   ip host xxxx any
deny   ip any host xxxx
permit ip 172.20.2.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended tunnelnetworks
permit ip host 172.16.99.2 10.0.0.0 0.255.255.255
permit ip 172.20.2.0 0.0.0.255 10.0.0.0 0.255.255.255
logging trap debugging
logging source-interface Loopback0
logging xxxx
no cdp run
!
!
!
!
!
banner motd ^CCC


Authorized Personnel Only!!!

^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
!
!
end


Hi,

I believe the problem with the 2621 is that it is an old device (even if it's running a not-so-very-old IOS).

Many years ago, the ACL inspected not only the encapsulated traffic but also the decapsulated traffic before permitting it in.

Basically the ACL did two inspections, one for the received encapsulated traffic and then again for the actual IP packets inside the tunnel.

Just as a test, if you add the remote subnets to the ACL, it works, right?

Federico.

Yes, if I add the HQ subnets to the ACL, then the traffic passes through without issue. I'm just not very comfortable leaving it this way, because it would either need to be a very long, specific ACL, or one very broad ACE, like permitting 10.x.x.x. These routers will be connected to DSL routers that will also be doing NAT, and I'm just not comfortable allowing anything inbound besides IPsec traffic from our ASA, because it is possible that unwanted traffic with private addressing could be seen on the outside interface of my router.

There has to be a way to make this work. I agree it sure seems like this was something they changed in later releases of IOS code or maybe a hardware change between the 2600 series and the 2800 series, but I can't be the only one to have wanted this type of behavior, and I'm sure there's a documented solution -- I just can't figure out what terms to search for to find it.

Yes, it does help, however... I'm running 12.3(26) mainline on that router, not a "T" release, and from what I can tell from that article, my router is already configured the way they recommend for 12.3(8)T and later, the release in which that feature was introduced. I am unable to find any "T" releases for the 2621. Hmmm....

If anything, the article confirmed my theory that it was being checked after being decapsulated. One interesting thing, though: they state that prior to 12.3(8)T, if I had an ACL on the outside interface in the inbound direction allowing the traffic I'm seeing blocked at the moment, and that traffic also matched the crypto map, then if the traffic was seen on the interface unencrypted it would be blocked, because the crypto map indicated that it should have been encrypted. I'm going to have to test that and see if it's true. If it is, then it resolves my concerns about adding 10.x.x.x to the inbound access list. I'll let you know.

Thanks for your help!

Looks like it's going to drop unencrypted traffic that matches the crypto map even if it matches a permit statement on the inbound access list. I created the ACE to allow 10.x.x.x inbound on the outside interface, then placed a PC with a 10.x.x.x address on a switch off the outside interface while the tunnel was up, created a static ARP entry on the PC for the true outside address of the router, and set that IP as the PC's gateway to the inside subnets. The router logged the following entry:

*Mar  1 05:20:35.394 UTC: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /172.20.2.2, src_addr= 10.1.50.99, prot= 1

I tried again with the tunnel shut down and the same event was logged. So it looks like I'll be fine just making a change to allow the HQ subnets.

Thanks again for your help!
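Added example (mine, not part of the thread and not Cisco code): a small Python model of the two inbound packet paths the thread describes, so the cases above can be replayed offline. It parses IOS extended ACEs with real wildcard-mask semantics and runs the posted outside_in ACL and tunnelnetworks crypto ACL through (a) the path where the interface ACL is checked only on the outer ESP packet, which is how the 1811 behaves, and (b) the older path Federico describes, where the decrypted inner packet is checked against the interface ACL a second time, which is what the 2621 shows, plus the clear-text check that produced %CRYPTO-4-RECVD_PKT_NOT_IPSEC in the PC test. The ASA address 198.51.100.10 and the router's outside address 203.0.113.7 are constructed placeholders; the hosts 10.1.50.99 and 172.20.2.2 are taken from the logged line. OUTSIDE_IN_NARROW is my tightened version of the fix the thread settles on: it admits only ISAKMP, NAT-T and ESP from the ASA rather than any IP protocol, and limits the HQ ACE to the branch LAN instead of "any". The model is a simplification of IOS behaviour as described in the thread (NAT and ip inspect are not modelled), not a reproduction of IOS itself.

```python
"""Model of the inbound packet paths discussed in the thread (added example, not IOS code).
198.51.100.10 (ASA peer) and 203.0.113.7 (router outside address) are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
PORT_NAME = {"isakmp": 500, "non500-isakmp": 4500}

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    inner: object = None  # for ESP from the peer: the packet that decryption yields

def _addr(t, i, ip):
    """Match one IOS address term ('any' | 'host A' | 'A WILDCARD'); return (hit, next index)."""
    ip = int(ipaddress.ip_address(ip))
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == int(ipaddress.ip_address(t[i + 1])), i + 2
    net = int(ipaddress.ip_address(t[i]))
    keep = 0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1]))  # wildcard 1-bits are don't-care
    return (ip & keep) == (net & keep), i + 2

def ace_matches(ace, pkt):
    """Evaluate one IOS extended ACE; source-port qualifiers and 'log' are accepted but ignored."""
    t = ace.split()
    if t[1] != "ip" and PROTO_NUM[t[1]] != pkt.proto:
        return False
    hit, i = _addr(t, 2, pkt.src)
    if not hit:
        return False
    if i < len(t) and t[i] == "eq":  # source port qualifier, skipped
        i += 2
    hit, i = _addr(t, i, pkt.dst)
    if not hit:
        return False
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return pkt.dport == (PORT_NAME[name] if name in PORT_NAME else int(name))
    return True

def acl_permits(acl, pkt):
    """First matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.startswith("permit")
    return False

def mirror(pkt):
    """Crypto ACLs are written local->remote, so inbound packets are checked with src/dst swapped."""
    return Packet(pkt.proto, pkt.dst, pkt.src)

def inbound(pkt, outside_in, crypto_acl, recheck_decrypted):
    """recheck_decrypted=True is the older behaviour the 2621 shows: the interface ACL is hit twice."""
    if not acl_permits(outside_in, pkt):
        return "drop", "outside_in denied outer packet"
    if pkt.inner is not None:  # ESP from the peer: decapsulate, then verify the proxy identity
        if not acl_permits(crypto_acl, mirror(pkt.inner)):
            return "drop", "decrypted packet does not match crypto ACL"
        if recheck_decrypted and not acl_permits(outside_in, pkt.inner):
            return "drop", "outside_in denied decrypted inner packet"
        return "forward", "decrypted and forwarded"
    if acl_permits(crypto_acl, mirror(pkt)):  # clear-text, but the crypto map says it must be IPsec
        return "drop", "%CRYPTO-4-RECVD_PKT_NOT_IPSEC"
    return "forward", "clear-text, not tunnel traffic"

PEER, HQ_PC, BRANCH_PC = "198.51.100.10", "10.1.50.99", "172.20.2.2"
OUTSIDE_IN = ["permit ip host 198.51.100.10 any", "deny ip any any log"]  # as posted (BOOTP ACE omitted)
OUTSIDE_IN_NARROW = [  # tighter form of the fix the thread ends with; my suggestion, not the poster's config
    "permit udp host 198.51.100.10 any eq isakmp",
    "permit udp host 198.51.100.10 any eq non500-isakmp",
    "permit esp host 198.51.100.10 any",
    "permit ip 10.0.0.0 0.255.255.255 172.20.2.0 0.0.0.255",  # only needed for the post-decryption re-check
    "deny ip any any log",
]
TUNNELNETWORKS = ["permit ip host 172.16.99.2 10.0.0.0 0.255.255.255",
                  "permit ip 172.20.2.0 0.0.0.255 10.0.0.0 0.255.255.255"]
ESP_FROM_ASA = Packet(50, PEER, "203.0.113.7", inner=Packet(1, HQ_PC, BRANCH_PC))
SPOOFED_HQ = Packet(1, HQ_PC, BRANCH_PC)  # the PC the poster put on the outside switch, no tunnel

def scenarios():
    """The four cases the thread walks through; returns {name: (verdict, reason)}."""
    return {
        "1811, posted ACL": inbound(ESP_FROM_ASA, OUTSIDE_IN, TUNNELNETWORKS, False),
        "2621, posted ACL": inbound(ESP_FROM_ASA, OUTSIDE_IN, TUNNELNETWORKS, True),
        "2621, narrowed ACL": inbound(ESP_FROM_ASA, OUTSIDE_IN_NARROW, TUNNELNETWORKS, True),
        "2621, spoofed clear-text 10.x": inbound(SPOOFED_HQ, OUTSIDE_IN_NARROW, TUNNELNETWORKS, True),
    }

if __name__ == "__main__":
    for name, (verdict, why) in scenarios().items():
        print(f"{name:30} {verdict:8} {why}")
```

Running it prints one verdict per scenario. The two that matter are that the posted ACL drops the decrypted packet only when the re-check is on (the 2621 case), and that a clear-text 10.x packet arriving on the outside interface is still dropped by the crypto map check even though the narrowed ACL has an ACE permitting it, which is the behaviour the poster confirmed with the PC test.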