Site to Site VPN allows OUTSIDE to INSIDE

MOHAMMED SALMAN
Level 1

Hello All,

I have a site-to-site VPN setup and no explicit ACL to allow OUTSIDE to INSIDE traffic. As per my understanding, the traffic should not flow from site 1 to site 2. However, this is not the case.

The traffic from site 1 is reaching site 2.

Can anyone explain why this happened?

Regards,

Mohamed Salman


9 Replies

Hi,

Do your interfaces have different security levels?

absolutely

ciscoasa(config-ikev1-policy)# sho nameif
Interface Name Security
GigabitEthernet0/0 OUTSIDE 0
GigabitEthernet0/1 INSIDE 100
GigabitEthernet0/2 DMZ 50
ciscoasa(config-ikev1-policy)# sho int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.12.110 YES CONFIG up up
GigabitEthernet0/1 192.168.10.110 YES CONFIG up up
GigabitEthernet0/2 192.168.11.110 YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset administratively down up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 unassigned YES unset administratively down up
GigabitEthernet0/6 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down up

GioGonza
Level 4
Hello @MOHAMMED SALMAN,

Can you share the output of the command "show run all sysopt"? If you have the command sysopt connection permit-vpn, the ASA will bypass the ACL or anything configured on the interfaces just because the traffic is coming from the VPN (IPSec or SSL is the same behavior).

This command is present by default, and the only way to permit traffic selectively or administer this traffic is to remove that command and apply an ACL on the interfaces to allow just the traffic you want to flow. This is a link for reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/vpnsysop.html#wp1042105

HTH
Gio

ciscoasa(config)# sho run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp INSIDE
no sysopt noproxyarp DMZ

I tried "no sysopt connection permit-vpn" but the behaviour did not change.

Hello @MOHAMMED SALMAN,

Can you share your configuration in order to check further, please?

Gio

I believe I was not clear enough with my query.

The IPSEC tunnel is up and running. I am able to ping from LAN 1 to LAN 2.

My question is: when the traffic goes from LAN 1 to LAN 2, which is OUTSIDE to INSIDE, why is the traffic allowed without an explicit ACL?

Hello @MOHAMMED SALMAN,

The reason is the sysopt feature I explained before; this is the one that performs the bypass for the traffic, since it is being received from the VPN, either IPSec or SSL.

In order to perform the test, you need to change the command in the configuration, but you also need to clear any connection and xlate present on the device. If you don't do it, the ASA will treat the traffic as allowed since you already have traffic passing through. Do this step and change the command, and you should see the difference.

HTH

Gio
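As an added example, not configuration taken from this thread or from Cisco's documentation, this is what the approach Gio describes in his two replies looks like on an ASA: remove the default bypass, bind a restrictive ACL to the OUTSIDE interface so that only the intended VPN traffic reaches INSIDE, then clear existing connections and translations before re-testing so that the old flows do not keep matching. The interface name OUTSIDE comes from the thread; the prefixes 10.1.0.0/24 (local LAN) and 10.2.0.0/24 (remote LAN), the ACL name OUTSIDE_IN and the permitted services are placeholders to be replaced with your own values.

```cisco
! Constructed example, not the poster's configuration.
! Placeholders: 10.1.0.0/24 = local LAN behind INSIDE, 10.2.0.0/24 = remote LAN
! behind the peer, OUTSIDE_IN = name of the interface ACL.

! 1. Disable the default bypass so decrypted VPN traffic is checked
!    against the OUTSIDE interface ACL like any other inbound traffic.
no sysopt connection permit-vpn

! 2. Permit only the remote LAN to the local LAN on the services needed;
!    everything else arriving on OUTSIDE is denied and logged.
access-list OUTSIDE_IN extended permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE

! 3. Existing connections and translations would still be matched by the
!    fast path, so clear them (and the IPsec SAs for a fresh tunnel) before
!    testing again.
clear conn
clear xlate
clear crypto ipsec sa

! 4. Verify the setting and watch the ACL hit counts while testing.
show run all sysopt | include permit-vpn
show access-list OUTSIDE_IN
```

With the bypass removed, the ACL on OUTSIDE evaluates the decrypted (inner) addresses of the tunnelled packets, which is why the entries above match the private LAN prefixes rather than the peer's public address. The ASA also offers a vpn-filter ACL attached to the group-policy as an alternative that filters tunnel traffic while leaving sysopt connection permit-vpn in place; which of the two is preferable depends on whether the interface ACL or the per-tunnel policy is the easier place to audit.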

Ah! I did not clear the SA last time I tried :)  Thanks!!!!