Hello guys,
I kindly ask for a fresh pair of eyes to help me understand what's wrong
with IPSec traffic traversing the ASA.
The setup is trivial:
(1.1.1.1 - loopback0) R1 ----(inside)---- ASA ----- (outside) ------ R6 (6.6.6.6 - loopback0)
The task asks to configure a tunnel between R1 and R6 but the specific
requirement is not to use any ACL on ASA to allow IPSec.
Ok, I did everything that is required and I assume the solution should work
when the traffic is originated from R1 to R6, provided I have a
static mapping on the ASA and "inspect ipsec-pass-thru" in the global policy.

    static (inside,outside) 1.1.1.1 1.1.1.1
    policy-map global_policy
     class inspection_default
      inspect ipsec-pass-thru

Then interesting things are observed. I originate ICMP traffic from R1,
sourcing it from loopback0, and the tunnel comes up (at least I see QM_IDLE in
the ACTIVE state on both routers).
While debugging ICMP, I see that R6 sends ICMP replies to R1's loopback0, sourcing
them from its own loopback0 as well. But the ASA reports the following:
%ASA-4-106023: Deny protocol 50 src outside:6.6.6.6 dst inside:1.1.1.1 by
access-group "OUTSIDE-INBOUND" [0x0, 0x0]
Which absolutely doesn't make sense, as "ipsec-pass-thru" inspection is
configured. Note that it doesn't work (counters are 0):
ASA1(config)# sh service-policy global inspect ipsec-pass-thru
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 0, drop 0,
reset-drop 0
Then comes the most interesting part. I temporarily allow ESP traffic on the ASA
outside interface with an ACL:

    access-list OUTSIDE-INBOUND extended permit esp any any

And of course the traffic between the routers' loopbacks starts flowing flawlessly.
Then I remove the above ACL entry. Pings are still being exchanged between R1
and R6. Then I clear the crypto session on both routers and start sending pings
again. This time it works without an ACL and, most importantly, this
time the IPSec inspection starts working as well (see the counters for the
corresponding inspection policy, which I had highlighted in red):
ASA1(config)# sh service-policy global inspect ipsec-pass-thru
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 12, drop 0,
reset-drop 0
Can someone please explain to me why the ASA acts like that? Why doesn't the
"inspect ipsec-pass-thru" rule kick in in the first place?
Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
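The two ASA artefacts quoted in the post (the %ASA-4-106023 deny for IP protocol 50 and the "show service-policy ... inspect ipsec-pass-thru" counters) are the evidence a practitioner would correlate when triaging this kind of problem: ipsec-pass-thru inspection opens pinholes for ESP/AH only for peers whose IKE (UDP/500) flow it has actually inspected, so a zero "packet" counter alongside ESP denies means the inspection never saw the IKE exchange and the interface ACL is the only thing deciding the fate of ESP. The script below is an added example, not code from the original post or from Cisco; the syslog lines and show output it parses are constructed to match the formats quoted above, and the verdict labels ("no-pinhole", "inspected", "clean") are the script's own naming.

```python
"""Correlate ASA 106023 ESP denies with ipsec-pass-thru inspect counters.

Added triage helper (not from the original post). Sample inputs are
constructed to mirror the ASA syslog and 'show service-policy' formats.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample syslog: one ESP deny, one unrelated UDP deny, one conn build.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny protocol 50 src outside:6.6.6.6 dst inside:1.1.1.1 by access-group "OUTSIDE-INBOUND" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:9.9.9.9/500 dst inside:1.1.1.1/500 by access-group "OUTSIDE-INBOUND" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 12 for outside:6.6.6.6/500 (6.6.6.6/500) to inside:1.1.1.1/500 (1.1.1.1/500)
"""

# Constructed 'show service-policy global inspect ipsec-pass-thru' output, before and after.
SAMPLE_SHOW_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 0, drop 0, reset-drop 0
"""
SAMPLE_SHOW_AFTER = SAMPLE_SHOW_BEFORE.replace("packet 0", "packet 12")

# 106023 carries either "protocol <n>" (non-TCP/UDP) or a protocol name, and ports only for TCP/UDP.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>protocol \d+|\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)
INSPECT_RE = re.compile(
    r'Inspect: ipsec-pass-thru \S+, packet (?P<pkt>\d+), drop (?P<drop>\d+)'
)


@dataclass(frozen=True)
class EspDeny:
    in_if: str
    src: str
    dst: str
    acl: str


def parse_esp_denies(syslog: str) -> list[EspDeny]:
    """Return only the 106023 denies for ESP (IP protocol 50), ignoring other protocols."""
    found: list[EspDeny] = []
    for line in syslog.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        if m.group("proto") not in ("protocol 50", "esp"):
            continue
        found.append(EspDeny(m.group("sif"), m.group("src"), m.group("dst"), m.group("acl")))
    return found


def passthru_counters(show_output: str) -> tuple[int, int]:
    """Extract (packet, drop) from the ipsec-pass-thru line of 'show service-policy'."""
    m = INSPECT_RE.search(show_output)
    if not m:
        raise ValueError("no 'Inspect: ipsec-pass-thru' line in show output")
    return int(m.group("pkt")), int(m.group("drop"))


def triage(syslog: str, show_output: str) -> dict:
    """Combine both sources into a verdict a firewall engineer can act on."""
    denies = parse_esp_denies(syslog)
    pkts, drops = passthru_counters(show_output)
    if not denies:
        verdict = "clean"          # no ESP denied by the interface ACL
    elif pkts == 0:
        verdict = "no-pinhole"     # inspection never processed an IKE flow: no ESP pinhole exists
    else:
        verdict = "inspected"      # inspection is active, yet ESP from this peer was still denied
    return {
        "verdict": verdict,
        "inspect_packets": pkts,
        "inspect_drops": drops,
        "denied_peers": sorted({(d.src, d.dst, d.acl) for d in denies}),
    }


if __name__ == "__main__":
    for label, show in (("before", SAMPLE_SHOW_BEFORE), ("after", SAMPLE_SHOW_AFTER)):
        print(label, triage(SAMPLE_SYSLOG, show))
```

Run it against a real "show logging" capture and the "show service-policy" output taken at the same moment; a "no-pinhole" verdict points at the IKE flow never having been handed to the inspection (for example a connection that predates the service-policy change), while "inspected" means the pinhole logic ran but the denied ESP pair does not correspond to an inspected IKE session.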