Site to Site VPN only works when I add ACL on the interface

fmacias.duarte
Level 1

Hi,

I have site to site VPN with the following configuration:

crypto ikev2 policy 10
   encryption aes-256 aes-192
   integrity sha512 sha256
   group 20
   prf sha256
   lifetime seconds 86400

crypto ikev2 enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
     ikev2 remote-authentication pre-shared-key ****
     ikev2 local-authentication pre-shared-key ****

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
    protocol esp encryption aes-256
    protocol esp integrity sha-256

crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN 20 set peer 1.1.1.1
crypto map ESSVPN 20 set ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
crypto map ESSVPN interface outside

access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET

I don't have a NAT exemption config because this firewall is not NATing anything on the outside interface anyway (it does not have internet access); the VPN is on the local network.

The previous configuration does not work unless I add the following ACL:

access-list inside_access_in extended permit ip object-group PACS_NET object-group BPACS_NET

I have configured some other VPNs where I did not need to add the extended ACL on the interface; the ACL on the crypto map has been enough. What am I missing here?

19 Replies

"I had configured some other VPN in where I don't need to add the extended ACL on the interface" ??
You mean there are other L2L VPNs that pass without an ACL applied to the inside interface?

Yes, usually I only configure the ACL that is referenced in the crypto map. 

show asp table filter

show access-list [name]

Please share the output of the above commands.

fmacias.duarte
Level 1

[Attachments: ESSFW VPN Output.JPG, ESSFW VPN Output2.JPG, ESSFW VPN Output3.JPG]

Run this packet-tracer so we can see how the traffic is NATed and filtered.
Do it before and after adding the inbound ACL.
packet-tracer input inside tcp x.x.x.x 1234 y.y.y.y 80 detail

 

fmacias.duarte
Level 1

Hi, before adding the inbound ACL the packet tracer stops at phase 3, ACCESS-LIST (implicit rule). After adding the inbound ACL it goes all the way through. See attachments.

[Attachments: Before the ACL, After ACL, ESSFW VPN Output6.JPG, ESSFW VPN Output7.JPG, ESSFW VPN Output8.JPG, ESSFW VPN Output9.JPG]

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <--
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc057320, priority=11, domain=permit, deny=true
	hits=8, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
	input_ifc=inside, output_ifc=any
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NAME in interface inside <--
access-list NAME extended deny ip any any <--
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbb9ba040, priority=13, domain=permit, deny=true
	hits=0, user_data=0xb94669e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
	input_ifc=inside, output_ifc=any

They look the same, but they are different: the traffic is dropped by a configured ACL, not by the implicit rule (I attach two different drops from two different ACL types).

Now can you double-check the show access-list output to see if an access-list with the same name appears (this time run show access-list without specifying the ACL name)?

You are right, it is not the implicit rule that is denying the traffic; it is a configured deny ip any any rule at the end. I only have four different ACLs:

outside_access_in

inside_access_in

ESS_VPN_ACL

ICCP_IF_access_in

Check the ACL before and after adding the permit line.
I think you overwrote the old deny with the new permit line.
Good luck.

Thanks for your help and time. Unfortunately, I double-checked the ACLs and none of them are overwriting the old deny. As a matter of fact, I think I should not need to add any inbound ACL to the interface if I already have the ACL applied to the crypto map.

You are very welcome.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/traffic.html
When you find the ACL that drops your traffic, you can use the inactive keyword to deactivate that ACE.

Marvin Rhoads
Hall of Fame

If it only works after adding an ACL on the interface, you most likely have the non-standard setting "no sysopt connection permit-vpn" set in one of your VPNs.

Setting that for any site-to-site or remote access VPN profile will make it happen globally and affect all configured VPNs.

How can I determine if I have that setting on? I just entered "show run | i sysopt" and nothing came back
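As an added illustration of the setting Marvin describes above (editor's example, not configuration from any participant in the thread), the two sysopt states side by side and the command that shows the effective value including defaults. It assumes Cisco ASA 9.x CLI syntax and reuses the interface ACL and object-group names from the original post; the packet-tracer addresses are placeholders.

```cisco
! Added example, not from the thread. Assumes Cisco ASA 9.x CLI.

! Non-default state: decrypted VPN traffic is NOT exempt from interface ACLs,
! so an explicit ACE for the protected subnets is required on top of the
! crypto-map ACL. The command is global: setting it while editing any one
! site-to-site or remote-access VPN affects every VPN on the box.
no sysopt connection permit-vpn
access-list inside_access_in extended permit ip object-group PACS_NET object-group BPACS_NET
access-group inside_access_in in interface inside

! Default state: traffic that arrives through an IPsec tunnel and is decrypted
! bypasses interface ACLs, so the crypto-map ACL alone governs the tunnel.
sysopt connection permit-vpn

! "show running-config" omits commands that are at their default value, which
! is why "show run | include sysopt" can return nothing. Ask for defaults too
! to see the effective setting either way:
show running-config all sysopt

! Compare the ACCESS-LIST phase before and after changing the setting.
! 10.1.1.10 (PACS side) and 10.2.2.10 (BPACS side) are placeholder hosts.
packet-tracer input inside tcp 10.1.1.10 1234 10.2.2.10 80 detailed
```

If `show running-config all sysopt` lists `sysopt connection permit-vpn` (without `no`), the default bypass is in force and the interface ACL is not what should be stopping decrypted tunnel traffic; in that case the packet-tracer drop rule (`access-group inside_access_in in interface inside` with `deny ip any any`) points at the interface ACL as the actual cause and the ACE above is the fix.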