Cisco ASA Site to Site VPN Rules

I have two ASAs that have a site to site VPN tunnel between them. The tunnel is up and running, and the secondary ASA has the same sub-interfaces set up on it as the primary (for disaster recovery).

My question is: there is a service (tcp/5000) that needs to access a VLAN on the secondary ASA. I am unsure where I should go about creating the ACL to permit this traffic.

Would this be considered on the outside interface IN?
fluk3d asked:
Ernie Beek (Expert) commented:
So you already have ACLs in place to control the VPN traffic?
Could you elaborate a bit more on the setup? It's not quite clear to me yet.
fluk3d (Author) commented:
Two ASAs Site to Site VPN

ASA (HQ)
192.168.1.0/24 ---> management interface
VLAN Servers (192.168.10.0/24)


ASA (Remote)
192.168.2.0/24  ---> management interface
VLAN Servers (192.168.20.0/24)

VLAN 192.168.10.0 needs to be able to communicate with VLAN Servers at Remote. However, there are VLANs on the primary unit that exist identically on the secondary, so that in case this site failed over we would not have to re-IP everything; we could bring our servers over, etc.

I am unsure where to create/place the ACL to allow the specified service to access the VLAN at the Remote Site.
Ernie Beek (Expert) commented:
Ok. It depends on how things are set up at the moment. Could you post a (sanitized) config for us to have a look at? I think we should be able to point it out to you then.
fluk3d (Author) commented:
Unfortunately, I can't due to security requirements for the organization. If you could point me in the proper direction, or to what area I should be looking at in the ASDM, that would be great.
Ernie Beek (Expert) commented:
Clear, let's try it :)

Do you already have ACLs or ACEs that control what VPN traffic is allowed? Normally those should be on the outside interface.
Keep in mind that there also are ACLs to determine what is interesting traffic for the VPN (what matches goes in the tunnel) and what should be exempted from NAT. Normally a whole subnet should be in there and the specific traffic is defined in the ACL on the outside interface but it never hurts to check.
fluk3d (Author) commented:
Thank you,

So in the ASDM, looking on the Outside interface (HQ), I do not see any matching address objects for my remote subnet.

Looking at the Outside interface (Remote), there are no rules defined; however, there should be an implicit deny.

The strange thing is that some workstations on VLAN Servers (HQ) can access VLAN Servers (Remote); however, the majority can't. This leads me to believe there is some ACL, which I'm trying to locate on either the remote or HQ ASA, that is filtering this traffic.

So my question is: is the Outbound interface on both ASAs where any type of ACL would be applied to accomplish said goal, or is there another location I should be looking?
gbblaster commented:
The outside access list doesn't normally filter what goes into the VPN tunnel, because by the time the interface access-group checks the traffic it is already encrypted.

For outbound traffic every inbound access-group on the internal interfaces is checked first. So if you have very tight ACLs on your internal interfaces, and your problem is when traffic is going out, then the issue is that you have to allow that traffic to get into the firewall before it is encrypted.

If you need to permit traffic into the tunnel that is not part of the two original VLANs, you need to add it to the ACL applied to your tunnel.

According to what you explained above, you have a tunnel with traffic ACLs that should look like this:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

In order to add one more subnet, it doesn't matter on which interface it is; you need to add it to the traffic ACL:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
fluk3d (Author) commented:
I think I found the ACL.

If I look through the crypto map, here is the config:


crypto map HIDDEN-Map 2 match address OUTSIDE_cryptomap_1
crypto map HIDDEN-Map 2 set peer <HIDDEN IP>
crypto map HIDDEN-Map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map InternalSystems-Map 10 ipsec-isakmp dynamic InternalSystems-Dynmap
crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS

If I look at the ACL manager, I can see that there is an ACL rule only allowing a certain VLAN over to the remote site.

Can you confirm?
gbblaster commented:
Correct, the match address command associates your VPN to the traffic defined by the ACL OUTSIDE_cryptomap_1. On the command line you only need to do a show access-list OUTSIDE_cryptomap_1 and it'll show you what will be encrypted through the VPN. If you need to add another subnet, then you need to add a new ACE on each side with the new traffic, as I explained before.
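The two answers above (the mirrored traffic ACLs, and checking the ACL named by match address) come down to a single question: does a given source/destination pair fall inside the crypto-map ACL on both peers? As an added example, not part of this thread and not Cisco's code, the following Python script parses config-style ASA access-list lines like the ones posted above and answers that question, plus the mirror check (every local ACE should have a reversed counterpart on the remote side). The ACL names and subnets are constructed from the thread's examples; only "permit ip" with subnet/mask, "host" and "any" forms are handled, and ports are deliberately ignored because a crypto-map ACL written as "permit ip" does not filter on tcp/5000, that belongs in the interface ACLs.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample input, modelled on the thread's examples: the HQ side has
# had a third subnet added to its crypto-map ACL, the Remote side has not yet.
HQ_ACL = """
access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
REMOTE_ACL = """
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""


class Ace(NamedTuple):
    """One access-control entry: ACL name, source network, destination network."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # ASA writes a dotted netmask, which IPv4Network accepts as a (addr, mask) tuple
    return ipaddress.IPv4Network((tok, tokens.pop(0)))


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit ip SRC DST' lines (config syntax, not 'show' output)."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment
        if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE (only 'permit ip' handled): {raw!r}")
        name = tokens[1]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(name, src, dst))
    return aces


def is_interesting(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True if the flow matches any ACE, i.e. the ASA would send it into the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in a.src and d in a.dst for a in aces)


def mirror_mismatches(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local ACEs whose (dst, src) reversal is missing on the remote peer.

    A one-sided entry is the classic cause of 'some hosts work, most do not':
    the peer will not negotiate an SA for traffic outside its own ACL.
    """
    remote_pairs: set[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = {
        (a.dst, a.src) for a in remote
    }
    return [a for a in local if (a.src, a.dst) not in remote_pairs]


if __name__ == "__main__":
    hq, remote = parse_acl(HQ_ACL), parse_acl(REMOTE_ACL)
    # A server on the HQ server VLAN talking to the Remote server VLAN: encrypted.
    print(is_interesting(hq, "192.168.10.5", "192.168.20.9"))
    # A host on the HQ management subnet: not in the ACL, so it never enters the tunnel.
    print(is_interesting(hq, "192.168.1.5", "192.168.20.9"))
    for ace in mirror_mismatches(hq, remote):
        print(f"no mirror on remote for {ace.name}: {ace.src} -> {ace.dst}")
```

Run it against the output of your own config (the access-list lines, sanitised) rather than the constructed strings; any entry reported by mirror_mismatches in either direction is a subnet that will only ever be encrypted from one side.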

fluk3d (Author) commented:
Perfect, thank you very much for explaining that to me. One last question, however; I will award the points as you answered my initial question. What does the following do?


crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS
fluk3d (Author) commented:
Great help!
gbblaster commented:
Normally that command is applied to the interface that either accepts VPN connections or makes VPN connections, since it is the command that associates a VPN configuration to an interface.

By accepts VPN connections I mean an interface that is configured to accept VPN client connections for example.

By makes VPN connections I mean an interface that is the endpoint of a peer to peer VPN tunnel, such as the one that you have between your HQ and your remote site.

If an interface is not supposed to do either of the above, then the line that assigns the VPN configuration to the interface should not exist.