10-13-2022 05:31 PM
Hi,
I have site to site VPN with the following configuration:
crypto ikev2 policy 10
encryption aes-256 aes-192
Integrity sha512 sha256
group 20
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key ****
ikev2 local-authentication pre-shared-key ****
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN 20 set peer 1.1.1.1
crypto map ESSVPN 20 set ikev2 ipsec-proposal IKEV2-IPSEC_ESP-AES256-SHA256
crypto map ESSVPN interface outside
access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET
I don't have a no-NAT config because this firewall is not NATting anything on the outside interface anyway (it does not have internet access); the VPN is on the local network.
The previous configuration does not work unless I add the following ACL:
access-list inside_access_in extended permit ip object-group PACS_NET object-group BPACS_NET
I had configured some other VPNs where I didn't need to add the extended ACL on the interface; the ACL on the crypto map has been enough. What am I missing here?
10-19-2022 10:05 AM
sh run sysopt <<- share this
10-19-2022 10:06 AM
The sysopt commands are "hidden" defaults. Try this:
show run all | i sysopt
10-19-2022 10:13 AM
This is the output; it seems that the sysopt setting is on.
10-19-2022 02:44 PM
In your configuration output shown here you have these access-groups/access-lists:
outside_access_in
inside_access_in
ESS_VPN_ACL
ICCP_IF_access_in
and you also confirmed that your sysopt settings are the defaults (no changes to these settings):
sysopt connection permit-vpn
As you have configured an access-group interface policy (access-list inside_access_in), this rule has to be checked first, prior to matching the crypto-map access-list.
In other words, because access-list inside_access_in is configured at interface level, the order of operation is that you first have to define your source and destination IP addresses in this access-list. If you do not define them there, the crypto-map access-list won't kick in (you already tested this and the results are already shown to us). The logic is simple: you are putting the control (source and destination address inbound at interface level) there. Now, either you completely get rid of access-list inside_access_in:
asa(config)# clear configure access-list inside_access_in
and your crypto-map ACL will kick in and it will work as you have seen on other firewalls. However, I noted you have 116 ACL rules configured for inside_access_in.
Hope it will help.
10-19-2022 02:44 PM - edited 10-19-2022 02:47 PM
Cisco Note:
"sysopt connection permit-vpn will bypass ACLs (both in and out) on interface where crypto map for that interesting traffic is enabled, along with egress (out) ACLs of all other interfaces, but not the ingress (in) ACLs."
That's why I don't mention sysopt permit-vpn.
We have here an ingress ACL (in) with a deny, and I think all the other VPNs don't have an ACL (in) on the interface the traffic comes from, except this VPN, and hence you need to
either delete the ACL (in) with the deny <<OLD>> ****delete all, not only the ACE****
or
add a permit <<<- what you have done as a workaround
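A check for the situation discussed in this thread, added here as example code (not from the posts or from Cisco): it parses a constructed ASA config fragment and reports crypto-map interesting traffic that the inbound ACL on an interface other than the crypto-map interface does not permit with a `permit ip` ACE, which is exactly the traffic `sysopt connection permit-vpn` does not bypass. The `access-group` line and the `inside_access_in` entries are assumptions; object groups are compared by name rather than expanded, and ACE ordering is not modelled.

```python
# Constructed sample modelled on the thread; the access-group line and the
# inside_access_in entries are assumptions, not taken from the posts.
SAMPLE_CONFIG = """
access-list ESS-VPN-ACL extended permit ip object-group PACS_NET object-group BPACS_NET
access-list inside_access_in extended permit tcp object-group PACS_NET any eq 443
access-list inside_access_in extended deny ip any any
access-group inside_access_in in interface inside
crypto map ESSVPN 20 match address ESS-VPN-ACL
crypto map ESSVPN interface outside
"""

def _endpoint(tokens):
    """Consume one src/dst spec (any | object-group X | host X | net mask)."""
    if tokens[0].startswith("any"):
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_asa(config):
    """Collect extended ACEs, inbound access-groups and crypto-map bindings."""
    acls, inbound, maps = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "extended" in t:
            i = t.index("extended")
            src, rest = _endpoint(t[i + 3:])
            dst, _ = _endpoint(rest)
            acls.setdefault(t[1], []).append((t[i + 1], t[i + 2], src, dst))
        elif t[:1] == ["access-group"] and len(t) >= 5 and t[2] == "in":
            inbound[t[4]] = t[1]  # interface -> inbound ACL name
        elif t[:2] == ["crypto", "map"] and "match" in t:
            maps.setdefault(t[2], {})["acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            maps.setdefault(t[2], {})["iface"] = t[4]
    return acls, inbound, maps

def missing_ingress_permits(config):
    """Interesting traffic lacking a 'permit ip' in an inbound ACL on an interface
    other than the crypto-map one; groups matched by name, ACE order ignored."""
    acls, inbound, maps = parse_asa(config)
    gaps = []
    for m in maps.values():
        for act, _, src, dst in acls.get(m.get("acl"), []):
            for iface, acl in inbound.items():
                if act != "permit" or iface == m.get("iface"):
                    continue  # sysopt permit-vpn already bypasses the crypto-map interface
                covered = any(a == "permit" and p == "ip" and s in (src, "any")
                              and d in (dst, "any") for a, p, s, d in acls.get(acl, []))
                if not covered:
                    gaps.append((iface, acl, src, dst))
    return gaps
```

Each reported tuple is an interface, its inbound ACL and the source/destination pair that still needs an explicit permit; on the sample it flags the same missing entry the thread ended up adding.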