Solved

Cisco ASA Site to Site VPN Rules

Posted on 2012-03-29
Last Modified: 2012-03-29
I have two ASAs that have a site to site VPN tunnel between them. The tunnel is up and running, and the secondary ASA has the same sub-interfaces set up on it as the primary (for disaster recovery).

My question is: there is a service (tcp/5000) that needs to access a VLAN on the secondary ASA. I am unsure where I go about creating the ACL to permit this traffic.

Would this be considered on the outside interface IN?
Question by:fluk3d
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781604
So you already have ACLs in place to control the VPN traffic?
Could you elaborate a bit more on the setup, it's not quite clear to me yet.
 
LVL 6

Author Comment

by:fluk3d
ID: 37781623
Two ASAs Site to Site VPN

ASA (HQ)
192.168.1.0/24 ---> management interface
VLAN Servers (192.168.10.0/24)


ASA (Remote)
192.168.2.0/24  ---> management interface
VLAN Servers (192.168.20.0/24)

VLAN 192.168.10.0 needs to be able to communicate with VLAN Servers at Remote. However, there are VLANs on the primary unit that exist identically on the secondary, in case this site failed over; we would not have to re-IP everything, we could bring our servers over etc...

I am unsure where to create/place the ACL to allow the specified service to access the VLAN at the Remote Site.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781644
Ok. It depends on how things are set up at the moment. Could you post a (sanitized) config for us to have a look at? I think we should be able to point it out to you then.
 
LVL 6

Author Comment

by:fluk3d
ID: 37781669
Unfortunately, I can't due to security requirements for the organization. If you could point me in the proper direction, or what area I should be looking at in the ASDM, that would be great.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37782163
Clear, let's try it :)

Do you already have ACLs or ACEs that control what VPN traffic is allowed? Normally those should be on the outside interface.
Keep in mind that there also are ACLs to determine what is interesting traffic for the VPN (what matches goes in the tunnel) and what should be exempted from NAT. Normally a whole subnet should be in there and the specific traffic is defined in the ACL on the outside interface but it never hurts to check.
 
LVL 6

Author Comment

by:fluk3d
ID: 37782297
Thank you,

So in the ASDM, looking on the Outside Interface (HQ), I do not see any matching address objects for my remote subnet.

Looking at the Outside interface (Remote) there are no rules defined however there should be an implicit deny.

Strange thing is some workstations on VLAN Servers (HQ) can access VLAN Servers (Remote); however, the majority can't. This leads me to believe there is some ACL, which I'm trying to locate, either on the remote/HQ ASA that is filtering this traffic.

So my question is, is the Outbound interface on both ASAs where any type of ACL would be applied to accomplish said goal, or is there another location I should be looking?
 
LVL 2

Expert Comment

by:gbblaster
ID: 37782702
The outside access list doesn't normally filter what goes into the VPN tunnel because by the time the interface access-group checks the traffic it is already encrypted.

For outbound traffic every inbound access-group on the internal interfaces is checked first. So if you have very tight ACLs on your internal interfaces, and your problem is when traffic is going out, then the issue is that you have to allow that traffic to get into the firewall before it is encrypted.

If you need to permit traffic into the tunnel that is not part of the two original VLANs, you need to add it to the ACL applied to your tunnel:

According to what you explain above, you have a tunnel with traffic ACLs that should look like this:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0

In order to add one more subnet, it doesn't matter on which interface it is, you need to add it to the traffic ACL:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.30.0 255.255.255.0
 
LVL 6

Author Comment

by:fluk3d
ID: 37782751
I think I found the ACL.

If I look through the crypto map, here is the config:


crypto map HIDDEN-Map 2 match address OUTSIDE_cryptomap_1
crypto map HIDDEN-Map 2 set peer <HIDDEN IP>
crypto map HIDDEN-Map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map InternalSystems-Map 10 ipsec-isakmp dynamic InternalSystems-Dynmap
crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS

If I look at the ACL manager I can see that there is an ACL rule only allowing a certain VLAN over to the remote site.

Can you confirm?
 
LVL 2

Accepted Solution

by:
gbblaster earned 500 total points
ID: 37782938
Correct, the match address command associates your VPN to traffic defined by the ACL OUTSIDE_cryptomap_1. On the command line you only need to do a show access-list OUTSIDE_cryptomap_1 and it'll show you what will be encrypted through the VPN. If you need to add another subnet, then you need to add a new ACE on each side with the new traffic, as I explained before.
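As an added example (not code from this thread), a small Python check of the two points gbblaster makes: whether a given flow matches the crypto map's match address ACL and so would be encrypted, and whether every ACE on one side has its mirror image on the other. The ACL text is constructed for the example and reuses the names from gbblaster's sample ACLs, not the poster's real config.

```python
import ipaddress
import re

# Matches the ACE format shown in this thread, plus the "line N extended" form
# that `show access-list` prints. Only `permit ip <net> <mask> <net> <mask>`
# entries are parsed; host/any/object-group entries are skipped here.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)

def parse_crypto_acl(text):
    """Return a list of (src_network, dst_network) pairs from crypto ACL text."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        aces.append((src, dst))
    return aces

def is_interesting(aces, src_ip, dst_ip):
    """True if a src->dst flow matches an ACE and would be sent into the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in aces)

def missing_mirrors(local, remote):
    """Local ACEs that have no mirrored (dst, src) ACE on the remote peer."""
    mirrored = {(d, s) for s, d in remote}
    return [(s, d) for s, d in local if (s, d) not in mirrored]

# Constructed sample: HQ received the extra 192.168.30.0/24 ACE, the remote
# side did not, which is exactly the asymmetry that breaks the new traffic.
HQ_ACL = """\
access-list VPN-Site-HQ line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ line 2 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
REMOTE_ACL = """\
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    hq, remote = parse_crypto_acl(HQ_ACL), parse_crypto_acl(REMOTE_ACL)
    print(is_interesting(hq, "192.168.10.5", "192.168.20.7"))  # True: server VLAN to server VLAN
    print(is_interesting(hq, "192.168.1.5", "192.168.20.7"))   # False: management subnet not in ACL
    for s, d in missing_mirrors(hq, remote):
        print(f"remote peer lacks the mirror of {s} -> {d}")
```

The flow check also explains the poster's symptom: only hosts whose source subnet appears in the crypto ACL get encrypted, everything else never enters the tunnel regardless of the outside interface ACL.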
 
LVL 6

Author Comment

by:fluk3d
ID: 37782999
Perfect, thank you very much for explaining that to me. One last question, however; I will award the points as you answered my initial question. What does the following do?


crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS
 
LVL 6

Author Closing Comment

by:fluk3d
ID: 37783000
Great help!
 
LVL 2

Expert Comment

by:gbblaster
ID: 37783044
Normally that command is applied to the interface that either accepts VPN connections or makes VPN connections, since it is the command that associates a VPN configuration to an interface.  

By accepts VPN connections I mean an interface that is configured to accept VPN client connections for example.

By makes VPN connections I mean an interface that is the endpoint of a peer to peer VPN tunnel, such as the one that you have between your HQ and your remote site.

If an interface is not supposed to do either of the above then the line that assigns the VPN configuration to the interface should not exist.
