Cisco ASA VPN - stateful TCP connections fail
Posted on 2009-12-21
Recently built a site-to-site VPN with a business partner through my Cisco ASA 5510 (running 8.x). The biz partner is providing services to us, so traffic is essentially one-way; it will always be initiated by us.
Using ASDM, I created the VPN using their endpoint and the previously agreed-upon parameters (protected networks, etc etc etc). The tunnel comes up after the first packet.
I created a group policy that includes an extended access list that permits traffic from our network to theirs, only. For sake of argument, let's say that I am accessing a web server at their site on port 80.
TCP packets fail. That is, I get an error in the log ("Inbound TCP connection denied from [my IP address/highport] to [their IP address/80] flags SYN on interface Inside") and I receive a RST packet on the client side almost immediately.
If I modify the access list such that it explicitly permits the return traffic (i.e., any port with a 'source' of port 80), it works flawlessly (after tearing down the VPN).
Why is this? Either Cisco isn't doing something very basic (supporting stateful TCP across VPN connections) or I am missing something.
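As an added illustration (not part of the original post, and not the poster's configuration), the two ways the group-policy filter ACL can be written. On the ASA, a `vpn-filter` ACL is written with the remote (partner) side as the source and the local side as the destination; outbound packets are checked against the same entries with source and destination swapped, which is why only the second form allows a locally initiated connection. Addresses and names below are constructed placeholders: 10.1.0.0/24 for the local LAN, 192.0.2.0/24 for the partner LAN.

```cisco
! --- Form 1: written like an ordinary outbound interface ACL (constructed example) ---
! Source = local LAN, destination = partner web server port 80.
! As a vpn-filter this only matches traffic the partner initiates toward us,
! so our own SYN toward their port 80 is denied ("Inbound TCP connection denied ... flags SYN").
access-list PARTNER-VPN-FILTER-WRONG extended permit tcp 10.1.0.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 80

! --- Form 2: written from the partner's perspective (constructed example) ---
! Source = partner LAN with source port 80, destination = local LAN (any port).
! The ASA evaluates our outbound SYN with addresses swapped, so this single entry
! permits the connection in both directions without opening other partner-initiated ports.
access-list PARTNER-VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 eq 80 10.1.0.0 255.255.255.0

! Apply the filter to the group policy used by the site-to-site tunnel group (names are placeholders).
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER
```

Because the filter still permits any partner-sourced packet whose source port is 80, keep the destination network as narrow as the agreed protected networks allow and review the ACL hit counters after the tunnel is re-established.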