Site to Site VPN only works when I add ACL on the interface

fmacias.duarte
Level 1

Hi,

I have a site-to-site VPN with the following configuration:

crypto ikev2 policy 10
 encryption aes-256 aes-192
 integrity sha512 sha256
 group 20
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN 20 set peer 1.1.1.1
crypto map ESSVPN 20 set ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
crypto map ESSVPN interface outside

access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET

I don't have a no-NAT config because this firewall isn't NATting anything on the outside interface anyway (it doesn't have internet access); the VPN is on the local network.

The previous configuration does not work unless I add the following ACL:

access-list inside_access_in extended permit ip object-group PACS_NET object-group BPACS_NET

I have configured other VPNs where I didn't need to add the extended ACL on the interface; the ACL on the crypto map was enough. What am I missing here?
19 Replies

sh run sysopt <<- share this

The sysopt commands are "hidden" defaults. Try this:

show run all | i sysopt

This is the output; it seems that the sysopt setting is on.

[screenshot of the "show run all | i sysopt" output]
In the configuration output shown here you have these access-groups/access-lists:

outside_access_in
inside_access_in
ESS_VPN_ACL
ICCP_IF_access_in

and you also confirmed that your sysopt settings are at their defaults (no changes to these settings):

sysopt connection permit-vpn

Because you have configured an access-group interface policy (access-list inside_access_in), this rule has to be checked first, before the crypto-map access-list is matched.

In other words, since access-list inside_access_in is applied at the interface level, the order of operations means you first have to define your source and destination IP addresses in this access-list. If you do not define them there, the crypto-map access-list won't kick in (you already tested this and the results are already shown to us). The logic is simple: you are putting the control (source and destination address) inbound at the interface level. So either you completely get rid of access-list inside_access_in:

(asa)config t# clear configure access-list inside_access_in

and your crypto-map ACL will kick in and it will work as you have seen on other firewalls. However, I noted you have 116 ACL rules configured for inside_access_in.

hope it will help.

 

please do not forget to rate.

Cisco Note:
"sysopt connection permit-vpn will bypass ACLs (both in and out) on the interface where the crypto map for that interesting traffic is enabled, along with egress (out) ACLs of all other interfaces, but not the ingress (in) ACLs."

That's why I don't mention sysopt permit-vpn.
Here we have an ingress ACL (in) with a deny, and I think all the other VPNs don't have an ACL (in) on the interface the traffic comes from, except this VPN, and hence you need to
either delete the ACL (in) with the deny <<OLD>> **** delete the whole ACL, not only the ACE ****
or
add a permit <<<- what you have done as a workaround

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-params.html
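The fix the thread converges on, written out as a complete ASA fragment. This is an added illustration, not any poster's configuration: the subnets behind PACS_NET and BPACS_NET (10.10.0.0/24 and 10.20.0.0/24), the hosts used in the packet-tracer command, and the interface name "inside" are assumptions. The point it demonstrates is that sysopt connection permit-vpn only bypasses the ACLs on the crypto-map interface (outside) and the egress ACLs elsewhere, so an ingress ACL on the inside interface still has to permit the interesting traffic, and the permit must sit above any deny that would otherwise match it.

```cisco
! Hosts that should ride the tunnel (addresses assumed for this example)
object-group network PACS_NET
 network-object 10.10.0.0 255.255.255.0
object-group network BPACS_NET
 network-object 10.20.0.0 255.255.255.0

! Interesting traffic for the crypto map (same ACE as in the original post)
access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET
crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN interface outside

! Default setting; confirm with "show run all | i sysopt". It bypasses the in/out ACLs
! on the crypto-map interface (outside) and egress ACLs elsewhere, NOT the ingress
! ACL on the interface the cleartext traffic enters.
sysopt connection permit-vpn

! inside_access_in is applied inbound on "inside" (assumed name), so it is evaluated
! before the crypto map. Insert the permit at line 1 so it is above the existing
! deny rules instead of being appended after them, where a deny would win.
access-list inside_access_in line 1 extended permit ip object-group PACS_NET object-group BPACS_NET
access-group inside_access_in in interface inside

! Verify the order of operations: the trace should show the ACCESS-LIST phase
! hitting the inside_access_in permit, then the VPN encryption phase.
packet-tracer input inside tcp 10.10.0.10 12345 10.20.0.10 443 detailed

! After real traffic flows, the encaps/decaps counters should increase.
show crypto ipsec sa peer 1.1.1.1
```

If sysopt connection permit-vpn were ever disabled, the outside interface ACL would also need to permit the decrypted traffic arriving from the peer; with the default left in place only the inside ingress ACL needs the explicit permit.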