Vpn – How does an ASA view packets coming from a remote site-to-site peer? As inside or outside

cisco-asavpn

I'm trying to test ACL's coming inbound from a remote peer site (using packet-tracer) (IPSec site to site VPN) and I wanted to know what interfaces ACL's are checked in this case and which interface I use for packet-tracer command?

If incoming IP's are coming in over a site-to-site tunnel do they hit the inside interface's ACL's? Thanks in advance!

Best Answer

They originate on the outside interface. This is one of my NAT entries for an international site connected via L2L:

nat (inside-office,ISPA) source static Corporate Corporate destination static France France no-proxy-arp route-lookup

ISPA -> translates to outside for most people, 0 security interface

Corporate -> object-group network containing the local/MPLS subnets

France -> object-group network containing the remote site subnets

This applies to the ACLs as well. However you will need to use:

no sysopt connection permit-vpn

Otherwise the VPN traffic will bypass the ACLs.

However you can use a VPN filter instead of placing ACLs on the interface and avoid turning off the sys opt connection permit-vpn option.

Example may be found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

Related Solutions

Cisco – Routing from IPSec VPN1 to IPSec VPN2 through HQ

Considering you have the IPSec tunnels up and running, that's half the battle, the other half is getting your Fortinet HQ to act as an Internet transport "between" hubs.

With the Forinet you can use either the Policy-Based or Route-Based VPN to enable communication between the spokes.

For a Policy-Based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.

To define the VPN concentrator 1. At the hub, go to VPN > IPsec > Concentrator and select Create New. 2. In the Concentrator Name field, type a name to identify the concentrator. 3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow. 4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator. 5. Select OK.

For a Route-Based hub-and-spoke VPN allowing communication between ONLY two spokes.

• Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.

To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. 1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see “Defining policy addresses” on page 59. 2. Go to Policy & Objects > Policy > IPv4 and select Create New. 3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address. 4. Enter the settings and select OK.

"Incoming Interface" Select the IPsec interface that connects to Spoke 1. "Source Address" Select the address of the private network behind Spoke 1. "Outgoing Interface" Select the IPsec interface that connects to Spoke 2. "Destination Address" Select the address of the private network behind Spoke 2. "action" Select ACCEPT. "Enable NAT" Enable.

Cisco ASA – Remote Users Cannot Access Site-to-Site Tunnel

Got a response on the cisco forums that solved my problem.

you are missing NAT exempt from the IP local pool to the destination of the site to site:

access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

NAT (outside) 0 access-list NAT_EXEMPT

Best Answer

Related Solutions

Cisco – Routing from IPSec VPN1 to IPSec VPN2 through HQ

Cisco ASA – Remote Users Cannot Access Site-to-Site Tunnel

Related Topic