10-13-2022 05:31 PM
Hi,
I have site to site VPN with the following configuration:
crypto ikev2 policy 10
encryption aes-256 aes-192
integrity sha512 sha256
group 20
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key ****
ikev2 local-authentication pre-shared-key ****
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN 20 set peer 1.1.1.1
crypto map ESSVPN 20 set ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
crypto map ESSVPN interface outside
access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET
I don't have a no-NAT config because this firewall is not NATing anything on the outside interface anyway (it does not have internet access); the VPN is on the local network.
The previous configuration does not work unless I add the following ACL:
access-list inside_access_in extended permit ip object-group PACS_NET object-group BPACS_NET
I had configured some other VPNs where I didn't need to add the extended ACL on the interface; the ACL on the crypto map has been enough. What am I missing here?
10-16-2022 12:32 PM
"I had configured some other VPN where I don't need to add the extended ACL on the interface" ??
You mean there are other L2L VPNs passing without an ACL applied to the IN interface?
10-16-2022 01:06 PM
Yes, usually I only configure the ACL that is referenced in the crypto map.
10-16-2022 01:56 PM
show asp table filter
show access-list [name]
Please share the output of the commands above.
10-17-2022 01:29 PM
10-17-2022 01:45 PM
Do this packet-tracer so we can see how the traffic is NATed and filtered.
Do this before and after adding the inbound ACL.
packet-tracer input inside tcp x.x.x.x 1234 y.y.y.y 80 detail
10-17-2022 02:24 PM
Hi, before adding the inbound ACL the packet tracer stops at phase 3: ACCESS-LIST (implicit rule). After adding the inbound ACL it goes all the way through. See attachments.
10-17-2022 02:44 PM
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <--
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc057320, priority=11, domain=permit, deny=true
hits=8, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NAME in interface inside <--
access-list NAME extended deny ip any any <--
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbb9ba040, priority=13, domain=permit, deny=true
hits=0, user_data=0xb94669e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
They look the same, but they are different: the traffic is dropped by a configured ACL, not by the implicit rule (I attached two different drops by two different ACL types).
NOW can you double-check the show access-list output to see whether an access-list with the same name appears (this time run show access-list without specifying the ACL name).
10-17-2022 02:56 PM
You are right, it is not the implicit rule that is denying the traffic; it is a configured deny ip any any rule at the end. I only have four different ACLs:
outside_access_in
inside_access_in
ESS_VPN_ACL
ICCP_IF_access_in
10-17-2022 03:16 PM
Check the ACL before and after adding the permit line;
I think you overwrote the old deny with the new permit line.
Good luck.
10-17-2022 03:23 PM
Thanks for your help and time. Unfortunately, I double-checked the ACLs and none of them is overwriting the old deny. As a matter of fact, I think I should not need to add any inbound ACL to the interface if I already have the ACL applied to the crypto map.
10-17-2022 03:31 PM
you are so so welcome
10-18-2022 10:56 AM
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/traffic.html
When you find the ACL that drops your traffic, you can use the inactive keyword to deactivate that ACE.
10-19-2022 09:45 AM
If it only works after adding an ACL on the interface, you most likely have the non-standard setting "no sysopt connection permit-vpn" set in one of your VPNs.
Setting that for any site-to-site or remote access VPN profile will make it happen globally and affect all configured VPNs.
10-19-2022 09:58 AM
How can I determine if I have that setting on? I just entered "show run | i sysopt" and nothing came back
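To reproduce the packet-tracer result offline, here is an added Python example (not from this thread and not Cisco code) that parses a constructed ASA running-config fragment modelled on the one above, walks each crypto-map flow through the ACL bound inbound on the inside interface the way the ACCESS-LIST phase does (first match wins), and also reports whether a "no sysopt connection permit-vpn" line is present. The object-group names, addresses and the simplified ACE syntax it accepts are assumptions.

```python
import ipaddress
# Constructed sample running-config modelled on the thread (not a real device dump)
SAMPLE_CONFIG = """\
no sysopt connection permit-vpn
object-group network PACS_NET
 network-object 10.1.0.0 255.255.255.0
object-group network BPACS_NET
 network-object host 10.2.0.50
access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET
access-list inside_access_in extended deny ip any any
access-group inside_access_in in interface inside
crypto map ESSVPN 20 match address ESS-VPN-ACL
"""
def _term(tok, groups):
    # Consume one ASA address term (any / host A / object-group G / A MASK) -> list of networks
    t = tok.pop(0)
    if t == "object-group":
        return groups[tok.pop(0)]
    spec = "0.0.0.0/0" if t == "any" else tok.pop(0) if t == "host" else f"{t}/{tok.pop(0)}"
    return [ipaddress.ip_network(spec)]

def parse(config):
    # Collect network object-groups, extended ACEs, access-group bindings and crypto-map ACLs
    groups, acls, bind, crypto_acls, cur = {}, {}, {}, [], None
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"]:
            cur.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[:1] == ["access-list"] and t[2] == "extended":  # t[3] action, t[4] protocol
            acls.setdefault(t[1], []).append((t[3], t[4], _term(rest := t[5:], groups), _term(rest, groups), raw))
        elif t[:1] == ["access-group"]:
            bind[t[4]] = t[1]  # access-group NAME in interface IFC
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto_acls.append(t[t.index("address") + 1])
    return groups, acls, bind, crypto_acls, "no sysopt connection permit-vpn" in config

def audit(config, ifc="inside"):
    """Replay packet-tracer's ACCESS-LIST phase for each crypto-map flow entering ifc."""
    _, acls, bind, crypto_acls, permit_vpn_off = parse(config)
    acl, flows = bind.get(ifc), []
    for name in crypto_acls:
        for s, d in [(s, d) for _, _, srcs, dsts, _ in acls[name] for s in srcs for d in dsts]:
            # First match wins; simplification: only a protocol-ip ACE can decide a whole ip flow
            hit = next((f"{act} by: {line}" for act, proto, asrc, adst, line in acls.get(acl, [])
                        if proto == "ip" and any(s.subnet_of(x) for x in asrc)
                        and any(d.subnet_of(x) for x in adst)), None)
            flows.append((str(s), str(d), hit or ("implicit deny" if acl else "no ACL bound")))
    return {"permit_vpn_disabled": permit_vpn_off, "flows": flows}
```

On the device itself the default sysopt connection permit-vpn is omitted from show running-config, so only its negated form ever appears there; show running-config all sysopt lists the default as well.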