VPN through ASA - what to allow & what not?

In VPN, how do we actually know what the interesting traffic should be?
    Say R4, ASA2 and R5 are there. The GRE tunnel should pass EIGRP 45 multicast packets exchanging info about the loopbacks.
    Then how do we actually know what to allow/permit on ASA2, whether it is ISAKMP/500 or ESP or GRE?

Thank you in advance!

Comments

  • ISAKMP UDP port 500 is required to be allowed if you want the tunnel initiation to be allowed from either the inside or the outside. Sometimes when NATting you will want to add UDP port 4500.

    You need to allow ESP for the actual data. EIGRP in this case will be ESP-encapsulated.

    If you don't want to open these pinholes with an ACL you can use the inspect ESP pass-through on a policy-map.

  • Thank you qqabdal,

    that solves my issue.

    And one more thing, I just need a confirmation if I'm right: GRE is inspected on the ASA only when it's not encrypted by IPsec. Is it?

    And thanks once again.

  • How can the ASA inspect something it doesn't see? As data-plane traffic will be encapsulated into ESP or UDP/4500, this is what the ASA will see, not GRE.

    On Sep 2, 2013, at 6:15, ramu6390 <[email protected]> wrote: [quoted above]

    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • GRE is not inspected by the ASA; you need to permit GRE with an ACL on your OUTSIDE interface.
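
    What the firewall actually sees on the wire, as an added example written for this thread (it is not Cisco code and not something the posters wrote): it builds the header chain for the lab traffic, EIGRP hellos inside GRE, optionally inside tunnel-mode ESP or NAT-T, and shows that a device in the path can only classify on the outermost header, and which ACE (ASA syntax; the access-list name outside_in is assumed) that header needs. The loopbacks 5.5.5.5 / 1.1.1.1 are the thread's, and the IPsec peer pair 10.1.105.5 / 192.168.1.10 is taken from the ASA2 log line later in the thread; that pairing, and leaving AH out, are simplifying assumptions.

```python
from typing import List, NamedTuple, Optional

# IANA IP protocol numbers and the UDP ports IKE / NAT-T use
UDP, GRE, ESP, EIGRP = 17, 47, 50, 88
ISAKMP, NAT_T = 500, 4500


class Layer(NamedTuple):
    """One IP header in an encapsulation chain (outermost first)."""
    name: str
    src: str
    dst: str
    proto: int                   # "protocol" field of this IP header
    dport: Optional[int] = None  # only present when proto is UDP/TCP


def eigrp_hello(src: str) -> List[Layer]:
    # EIGRP hellos are sent to the link-local multicast group 224.0.0.10
    return [Layer("EIGRP hello", src, "224.0.0.10", EIGRP)]


def gre(inner: List[Layer], src: str, dst: str) -> List[Layer]:
    # GRE puts an IP header with protocol 47 in front of the payload
    return [Layer("GRE", src, dst, GRE)] + inner


def esp(inner: List[Layer], src: str, dst: str, nat_t: bool = False) -> List[Layer]:
    # Tunnel-mode ESP adds a new outer IP header; with NAT-T the ESP packet
    # is additionally wrapped in UDP with destination port 4500
    if nat_t:
        return [Layer("ESP in UDP (NAT-T)", src, dst, UDP, NAT_T)] + inner
    return [Layer("ESP", src, dst, ESP)] + inner


def ike(src: str, dst: str) -> List[Layer]:
    # IKE control plane on UDP/500: separate from the data plane above
    return [Layer("ISAKMP", src, dst, UDP, ISAKMP)]


def firewall_sees(chain: List[Layer]) -> Layer:
    """A firewall in the path classifies on the outermost header only."""
    return chain[0]


def cleartext_protocols(chain: List[Layer]) -> List[int]:
    """Protocol numbers readable without the keys: stop at the first ESP/NAT-T layer."""
    seen = []
    for layer in chain:
        seen.append(layer.proto)
        if layer.proto == ESP or layer.dport == NAT_T:
            break                # everything beneath this header is encrypted
    return seen


def required_ace(chain: List[Layer], acl: str = "outside_in") -> str:
    """ASA-style ACE permitting the outermost header (the ACL name is assumed)."""
    outer = chain[0]
    if outer.proto == UDP:
        return (f"access-list {acl} extended permit udp host {outer.src} "
                f"host {outer.dst} eq {outer.dport}")
    keyword = {ESP: "esp", GRE: "gre"}.get(outer.proto, str(outer.proto))
    return f"access-list {acl} extended permit {keyword} host {outer.src} host {outer.dst}"


def lab_scenarios() -> dict:
    """Thread addresses: R5/R1 loopbacks for GRE, R5 and ASA1's outside for IPsec (assumed)."""
    lo5, lo1 = "5.5.5.5", "1.1.1.1"
    r5, asa1 = "10.1.105.5", "192.168.1.10"
    hello = eigrp_hello(lo5)
    return {
        "ike": ike(r5, asa1),
        "gre_only": gre(hello, lo5, lo1),
        "gre_over_ipsec": esp(gre(hello, lo5, lo1), r5, asa1),
        "gre_over_ipsec_nat_t": esp(gre(hello, lo5, lo1), r5, asa1, nat_t=True),
    }


if __name__ == "__main__":
    for name, chain in lab_scenarios().items():
        outer = firewall_sees(chain)
        print(f"{name:22} outer={outer.name:20} cleartext protos={cleartext_protocols(chain)}")
        print(f"{'':22} {required_ace(chain)}")
```

    Run it and the three data-plane cases come out as GRE (47) in the clear, ESP (50) alone, and UDP/4500 alone; the EIGRP hello (88) never reaches the firewall as something it can match, which is why neither EIGRP nor GRE needs an ACE once the tunnel is IPsec-protected, while the IKE case still needs its UDP/500 line.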

  • I have one more issue...

    The topology is:

    [topology image not reproduced on this page]

    The tunnels are between ASA1-R5 and ASA1-R4 (2 different tunnels).

    The ISAKMP and IPsec policies are as follows:

    For ASA1-R4:

        isakmp - psk = cisco, encryption = des, hash = sha, group = 2
        ipsec  - encryption = esp/des, hash = esp/sha
        src network - 4.4.4.4 (loopback of R4)
        dst network - 1.1.1.1 (loopback of R1)

    For ASA1-R5:

        isakmp - psk = cisco, encryption = 3des, hash = md5, group = 2
        ipsec  - encryption = esp/3des, hash = esp/md5
        src network - 5.5.5.5 (loopback of R5)
        dst network - 1.1.1.1 (loopback of R1)

    ===============================================

    R1 has a default route to ASA1.
    R4, R5 have default routes to ASA2.
    ASA1 & ASA2 have default routes to R2.

    ===============================================

    For the phase-1 tunnel to come up, I've configured static routes to the 10.1.104.0 & 10.1.105.0 networks from R2.

    Also, I've inspected ipsec-pass-thru in global_policy.

    ===============================================

    Even then I'm not able to ping from Loo1 to Loo4 / Loo5.

    When I turned on logging on ASA2, the message being displayed is:

    %ASA-3-106010: Deny inbound protocol 50 src outside:192.168.1.10 dst inside-u.s:10.1.105.5

    ===============================================

    inspect ipsec-pass-thru will actually inspect udp/500 (ISAKMP) from outside/inside, but will it not inspect ESP/50??

    And also, ISAKMP & ESP are part of IPsec!! Then why is it that only udp/500 is being inspected??

    With the above message I've put a hole in ASA2 with an ACL allowing ESP from 192.168.1.10 to 10.1.105.5 / 10.1.104.4, and the problem was solved.

    But the actual question is: what function does ipsec-pass-thru do... does it only inspect udp/500??

    And what is the difference between port number and protocol number??

    THANK YOU!!

  • Are you labbing this in GNS3? Maybe try on a real device.

    According to the doc-cd, for version 8.4/8.6:

    IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH
    (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list
    configuration to permit ESP and AH traffic and also provides security using timeout and max
    connections.

    Specify IPsec Pass Through inspection parameters to identify a specific map to use for defining the
    parameters for the inspection. Configure a policy map for Specify IPsec Pass Through inspection to
    access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You
    can set the per client max connections and the idle timeout in parameters configuration.

    NAT and non-NAT traffic is permitted. However, PAT is not supported.

    There's also an example:

    The following example shows how to use access lists to identify IKE traffic, define an IPsec Pass Thru
    parameter map, define a policy, and apply the policy to the outside interface:

    hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
    hostname(config)# class-map ipsecpassthru-traffic
    hostname(config-cmap)# match access-list ipsecpassthruacl
    hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
    hostname(config-pmap)# parameters
    hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
    hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
    hostname(config)# policy-map inspection_policy
    hostname(config-pmap)# class ipsecpassthru-traffic
    hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
    hostname(config)# service-policy inspection_policy interface outside

    It should work as you described.
    -Dan

    On Sep 6, 2013, at 5:22 AM, ramu6390 <[email protected]> wrote: [quoted above]


  • What happens if you remove the ACL and initiate traffic from R4/R5 to R1? Does it work?

    (Keep in mind that the inspection happens from the inside to the outside, not the other way around.)

    Let me know your findings.

  • So here is how it works:

         1. When inspect ipsec-pass-thru is configured, the ASA inspects the control plane of an IPsec session, which is UDP 500, and if the peers negotiate to use ESP and not ESP encapsulated into UDP 4500 (the case when a NAT device is in between), it allows ESP traffic without you needing to create rules in your ACLs.

         2. However, depending on where the inspect is applied (global level or interface level), it will work only if traffic is initiated from the highest security level interface to the lowest security level interface, or both ways (even if traffic is initiated from the lowest security level interface to the highest security level interface).

         3. So in your case, because you probably use the global option, it will only work from inside to outside; try configuring the policy at the outside interface and see if it works the other way around as well.

    Regards,


  • qqabdal,

    when I removed the ACL on ASA2 and initiated traffic from R4/R5 (Loo4/5) to ASA1 (to Loo1), the same message is displayed on ASA2.

    If the ipsec-pass-thru inspection happens only one way, from inside to outside, then what if the traffic is from outside through the tunnel?? Do we have to allow ESP with an ACL??

    The config which artagel gave was working fine!!

    And can you tell me the difference between port number and protocol number??

    thanks,


  • thanks cristian,

    and say if they ask a similar thing in the exam, we can use either an ACL or a policy-map to accomplish the task, right??

    ...unless they specify not to use a particular technology!!

    thanks again!!

  • thanks artagel, that was very helpful!!

  • and artagel, is setting up max-clients and timeout a necessary thing?

    If not mentioned we can skip it, right??!!

  • Exactly, as long as you don't break any restrictions you are good to go, as long as it works.

    On Sep 6, 2013, at 20:41, ramu6390 <[email protected]> wrote: [quoted above]

  • That's only an example to show you what your other options are.

    On Sep 6, 2013, at 20:46, ramu6390 <[email protected]> wrote: [quoted above]

  • "and can you tell me the difference between port number and protocol number??"

    Look, I don't want to be rude, but how did you get to CCIE-level Security studies without previously learning the difference between protocol and port numbers?
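
    The two things the thread keeps circling back to, why a UDP/500 rule does not cover ESP and what inspect ipsec-pass-thru adds on top of an ACL, both come down to the protocol-number versus port-number distinction raised here and the pinhole behaviour Cristian described above. The following is an added toy model written for this thread; it is not ASA code and does not reproduce ASA's real rules. Its assumptions: the inside interface is permitted by default, the outside needs an ACE or a pinhole, and inspection on an interface opens an ESP/AH pinhole for the two peers of any IKE packet it lets through (the global-versus-interface difference the thread observed is not modelled). Addresses come from the ASA2 log line; the log format is mimicked, not generated by an ASA.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

UDP, GRE, ESP, AH = 17, 47, 50, 51    # IP protocol numbers (field in the IP header)
ISAKMP, NAT_T = 500, 4500             # UDP port numbers (field in the UDP header)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # protocol number: present in every IP packet
    dport: Optional[int] = None   # port number: exists only inside UDP/TCP


@dataclass(frozen=True)
class Ace:
    """One access-list entry: a protocol and, for UDP/TCP, a destination port."""
    proto: int
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False          # ESP (50) is never "udp eq 500": wrong protocol
        return self.dport is None or p.dport == self.dport


class Firewall:
    """Toy stateful firewall: inside is trusted, outside needs an ACE or a pinhole."""

    def __init__(self, outside_acl: List[Ace], inspect_on=()):
        self.outside_acl = list(outside_acl)         # applied inbound on "outside"
        self.inspect_on = set(inspect_on)            # interfaces with ipsec-pass-thru
        self.pinholes: Set[Tuple[str, str]] = set()  # (src, dst) pairs open for ESP/AH
        self.log: List[str] = []

    def _permits(self, p: Packet, ingress: str) -> bool:
        if ingress == "inside":
            return True                              # higher -> lower security: default permit
        if any(ace.matches(p) for ace in self.outside_acl):
            return True
        return p.proto in (ESP, AH) and (p.src, p.dst) in self.pinholes

    def forward(self, p: Packet, ingress: str) -> bool:
        ok = self._permits(p, ingress)
        if not ok:
            # message format mimicked from the thread's ASA2 log line
            self.log.append(f"%ASA-3-106010: Deny inbound protocol {p.proto} "
                            f"src {ingress}:{p.src} dst {p.dst}")
        elif ingress in self.inspect_on and p.proto == UDP and p.dport == ISAKMP:
            # pass-thru inspection saw a permitted IKE packet: open ESP/AH both ways
            self.pinholes.update({(p.src, p.dst), (p.dst, p.src)})
        return ok


PEER, R5 = "192.168.1.10", "10.1.105.5"      # from the thread's ASA2 log line
IKE_OUT = Packet(R5, PEER, UDP, ISAKMP)      # R5 (inside) initiates IKE
ESP_IN = Packet(PEER, R5, ESP)               # encrypted data coming back in
GRE_IN = Packet(PEER, R5, GRE)               # cleartext GRE, for comparison


def port_vs_protocol() -> dict:
    """A 'udp eq 500' ACE matches ISAKMP, never ESP or GRE: they carry no port."""
    ace = Ace(UDP, ISAKMP)
    return {"isakmp": ace.matches(IKE_OUT), "esp": ace.matches(ESP_IN),
            "gre": ace.matches(GRE_IN), "esp_by_protocol": Ace(ESP).matches(ESP_IN)}


def acl_only(permit_esp: bool) -> dict:
    """No inspection: returning ESP needs its own ACE; UDP/500 and UDP/4500 don't cover it."""
    acl = [Ace(UDP, ISAKMP), Ace(UDP, NAT_T)] + ([Ace(ESP)] if permit_esp else [])
    fw = Firewall(acl)
    return {"ike": fw.forward(IKE_OUT, "inside"),
            "esp": fw.forward(ESP_IN, "outside"), "log": fw.log}


def pass_thru(ike_first: bool) -> dict:
    """Inspection on both interfaces: ESP is allowed only after IKE was seen."""
    fw = Firewall([Ace(UDP, ISAKMP)], inspect_on={"inside", "outside"})
    if ike_first:
        fw.forward(IKE_OUT, "inside")               # pinhole learned from the IKE packet
    return {"esp": fw.forward(ESP_IN, "outside"),
            "gre": fw.forward(GRE_IN, "outside"),   # pass-thru never opens GRE
            "log": fw.log}


if __name__ == "__main__":
    print(port_vs_protocol())
    print(acl_only(permit_esp=False)["log"])        # the thread's "Deny inbound protocol 50"
    print(pass_thru(ike_first=True)["esp"], pass_thru(ike_first=False)["esp"])
```

    With the ACL alone, the inside-initiated IKE goes out but the returning ESP is dropped with the same kind of "Deny inbound protocol 50" line the thread shows, until an ESP ACE is added; with inspection, the pinhole learned from IKE lets the ESP back in, but ESP arriving with no IKE seen first is still denied, and GRE is never opened by either path.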

  • Oh, that is just a feature you can add; it is not necessary.
    The big difference between what you did and the config that the DOC-CD has is that the DOC-CD config I gave you applies the pass-thru rule to the outside interface, meaning the router on the outside can initiate the ISAKMP and IPsec negotiations. Like someone said earlier, if it is just global, it'll only work from higher to lower, not the other way around.
    -Dan

    On Sep 7, 2013, at 2:47 AM, ramu6390 <[email protected]> wrote: [quoted above]

