Tunnel HTTP/HTTPS Traffic

R0n1n
Level 1

Good morning. I am trying to create an IPsec tunnel (two, actually) for use with Zscaler, to send HTTP and HTTPS traffic to. Right now the setup is an ASA 5506 connected to the internet for internet-based traffic, with an existing IPsec tunnel for internal traffic to our data center. The site-to-site tunnel for internal traffic is working fine, as is internet-based traffic.

The problem is getting the external http and https traffic to route to the Zscaler IPsec tunnels.

Here is the configuration I've been playing with to get this to work:

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
group-policy Zscaler-GRP internal
group-policy Zscaler-GRP attributes
 vpn-tunnel-protocol ikev1
!
! first Zscaler peer
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX general-attributes
 default-group-policy Zscaler-GRP
tunnel-group XX.XX.XX.XX ipsec-attributes
 ikev1 pre-shared-key *************
!
! second Zscaler peer
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX general-attributes
 default-group-policy Zscaler-GRP
tunnel-group XX.XX.XX.XX ipsec-attributes
 ikev1 pre-shared-key ***********
!
! crypto ACL: exclude the internal data-center traffic, then match only web ports
access-list zscaler_cryptomap extended deny ip object-group (LAN subnet) object-group (Remote Internal Traffic)
access-list zscaler_cryptomap extended permit tcp object-group (LAN subnet) any eq http
access-list zscaler_cryptomap extended permit tcp object-group (LAN subnet) any eq https
!
crypto ipsec ikev1 transform-set Zscaler-Transform esp-null esp-sha-hmac
!
crypto map zen-vpn-map 65000 match address zscaler_cryptomap
crypto map zen-vpn-map 65000 set connection-type originate-only
crypto map zen-vpn-map 65000 set peer XX.XX.XX.XX XX.XX.XX.XX
crypto map zen-vpn-map 65000 set ikev1 phase1-mode aggressive
crypto map zen-vpn-map 65000 set ikev1 transform-set Zscaler-Transform
!
! Note: no "crypto map zen-vpn-map interface outside" binding appears in what was posted.
! An ASA interface takes a single crypto map, so these entries have to live in whichever
! map is already bound to outside for the existing site-to-site tunnel.

Any help would be appreciated. Thank you.

3 Replies

mikael.lahtela
Level 4
Hi,

Can you provide a packet trace from the ASA to see what is going on?
packet-tracer input <lan.interface> tcp <lan.ip> 4444 8.8.8.8 80

br, Mikael

Dennis Mink
VIP Alumni

Do you see phase 1 and 2 established?

sh cry ipsec sa?

Please remember to rate useful posts by clicking on the stars below.

Hi. Thank you for your replies. Please see the output requested from packet-tracer below.

And no, I don't see the phase 1 or 2 tunnels up.

HTMK1ASA01# packet-tracer input inside tcp 10.12.0.51 50000 4.4.4.4 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <outside interface's next hop IP> using egress ifc  outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.12.0.51 using egress ifc  inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp object-group HTMK1 (LAN) any object-group <www traffic>
object-group network HTMK1
 description: Local subnet <name>
 network-object 10.12.0.0 255.255.240.0
object-group service WEB tcp
 port-object eq ftp-data
 port-object eq ftp
 port-object eq citrix-ica
 port-object eq 3128
 port-object eq 8000
 port-object eq 444
 port-object eq 10000
 port-object eq 10020
 port-object eq www
 port-object eq https
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.12.0.51/50000 to <outside interface>/50000

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic HTMK1 interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 295, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
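As an added example (not part of the thread, and not a Cisco or Zscaler tool), here is a small Python parser that reads packet-tracer output like the one above into its phases and reports whether the traced flow was handed to a crypto map or left the outside interface in the clear behind PAT. The sample trace inside it is constructed from the output posted above, with 203.0.113.x documentation addresses standing in for the poster's redacted next-hop and outside addresses; the check for a `Type: VPN` phase assumes the ASA's usual VPN/encrypt phase label for crypto-map hits.

```python
"""Parse ASA packet-tracer output and tell whether a flow was handed to IPsec.
Added example for this thread, not a Cisco or Zscaler tool."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the trace posted above; 203.0.113.x are
# documentation addresses standing in for the poster's outside addresses.
SAMPLE_TRACE = """\
HTMK1ASA01# packet-tracer input inside tcp 10.12.0.51 50000 4.4.4.4 80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.12.0.51/50000 to 203.0.113.2/50000

Result:
input-interface: inside
output-interface: outside
Action: allow
"""
HEADER = re.compile(r"packet-tracer input (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (flow 5-tuple dict, list of Phase, final summary dict)."""
    flow, phases, final, current, section = {}, [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.search(line)
        if m:
            flow = dict(zip(("in_ifc", "proto", "src", "sport", "dst", "dport"), m.groups()))
        elif line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            current, section = None, "final"
        elif section == "final":
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
        elif current is None:
            continue                            # text before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            setattr(current, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line and section in ("config", "info"):
            getattr(current, section).append(line)
    return flow, phases, final


def assess_tunnel(text):
    """A crypto-map hit shows up as a phase with 'Type: VPN' (subtype encrypt /
    ipsec-tunnel-flow).  No such phase plus a dynamic NAT translation and an
    outside egress means the flow is PAT'd and forwarded in the clear."""
    flow, phases, final = parse_packet_tracer(text)
    vpn = [p for p in phases if p.type.upper() == "VPN"]
    nat = [i for p in phases if p.type == "NAT"
           for i in p.info if i.startswith("Dynamic translate")]
    if final.get("Action", "").lower() != "allow":
        verdict = "dropped"
    elif vpn:
        verdict = "encapsulated"
    elif nat:
        verdict = "clear-text via NAT"
    else:
        verdict = "clear-text, no NAT"
    return {"flow": flow, "egress": final.get("output-interface"),
            "vpn_phase": bool(vpn), "nat": nat[0] if nat else None, "verdict": verdict}
```

Run `assess_tunnel(SAMPLE_TRACE)` and the verdict is "clear-text via NAT", which is exactly what the trace above shows: the flow never reaches a VPN phase, is PAT'd to the outside address and leaves unencrypted. Paste a trace taken after the crypto map is applied and the same function reports "encapsulated" as soon as a `Type: VPN` phase appears.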