Hi Eugene.
I think it all comes down to firewall state table. If you have a UDP 500
entry in state table and have inspect ipsec=pass-throu configure, the
pass-throu will kick in, otherwise it will hit your inbound ACL.
In the example below on ASA I don't have any UDP500 or ESP allowed inbound
by the ACL.
ASA2# sh conn
13 in use, 23 most used
TCP outside 180.6.12.1:179 inside 180.6.59.5:54198, idle 0:00:36, bytes
552, flags UIO
ASA2#
Now I clear cry isakmp on my inside router and ping across the tunnel
ASA2#
ASA2# sh conn
18 in use, 23 most used
ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:00:04, bytes 496
ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:01:01, bytes 0
UDP outside 180.6.29.2:500 inside 180.6.59.5:500, idle 0:00:04, bytes 1504,
flags -
TCP outside 180.6.12.1:179 inside 180.6.59.5:54198, idle 0:00:55, bytes
590, flags UIO
ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:00:04, bytes 496
ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:01:01, bytes 0
ASA2#
ASA2#
ASA2# sh service-policy global | in ipsec
Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 10, drop
0, reset-drop 0
Now I clear my connection table on ASA
ASA2# clear conn
4 connection(s) deleted.
ASA2#
ASA2# sh conn
12 in use, 23 most used
ASA2#
ASA2# sh conn
13 in use, 23 most used
TCP outside 180.6.12.1:58101 inside 180.6.59.5:179, idle 0:00:07, bytes
400, flags UIOB
ASA2#
And I ping across teh tunnel from inside router.
ASA2# %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst
inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst
inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst
inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst
inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst
inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
HTH
A.
On 21 May 2012 07:29, Eugene Pefti <[email protected]> wrote:
> Hello guys,****
>
> I kindly ask for your fresh pair of eyes to help me understand what’s
> wrong with IPSec traffic traversing the ASA.****
>
> The setup is trivial:****
>
> ** **
>
> **(1.1.1.1 **– loopback0) R1 ----(inside)---- ASA ----- (outside) ------
> R6 (6.6.6.6 – loopback0)****
>
> ** **
>
> The task asks to configure a tunnel between R1 and R6 but the specific
> requirement is not to use any ACL on ASA to allow IPSec.****
>
> Ok, I did everything that is required and I assume the solution should
> work when the traffic is originated from R1 to R6 providing I have a
> static mapping on ASA and “inspect ipsec-pass-thru” in the global policy.*
> ***
>
> ** **
>
> Static (inside,outside) 1.1.1.1 1.1.1.1****
>
> policy-map global_policy****
>
> class inspection_default****
>
> inspect ipsec-pass-through****
>
> ** **
>
> Then an interesting things are observed. I originate ICMP traffic from R1
> sourcing it from loopback0, the tunnel comes up (at least I see QM_IDLE on
> both routers in the ACTIVE state)****
>
> I’m seeing that R6 sends ICMP replies to R1 loopback0 sourcing them from
> loopback0 as well while I debug ICMP. But the ASA reports the following:**
> **
>
> ****
>
> %ASA-4-106023: Deny protocol 50 src outside:6.6.6.6 dst inside:1.1.1.1 by
> access-group "OUTSIDE-INBOUND" [0x0, 0x0]****
>
> ** **
>
> Which absolutely doesn’t make sense as there’s “ipsec-pass-through”
> inspection configured. Note that it doesn’t work (counters are 0)****
>
> ** **
>
> ASA1(config)# sh service-policy global inspect ipsec-pass-thru ****
>
> ** **
>
> Global policy: ****
>
> Service-policy: global_policy****
>
> Class-map: inspection_default****
>
> Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 0, drop
> 0, reset-drop 0****
>
> ** **
>
> Then goes the most interesting part. I temporarily allow ESP traffic on
> ASA outside interface with an ACL****
>
> ** **
>
> access-list OUTSIDE-INBOUND extended permit esp any any****
>
> ** **
>
> And of course the traffic between routers loopback starts flowing
> flawlessly. Then I remove the above said ACL. Pings still are being
> exchanged between R1 and R6. Then I clear the crypto session on both
> routers and start sending pings again. This time it works without an ACL
> and what is the most important this time is that the IPSec inspection
> starts working as well (see counters for the corresponding inspection
> policy, I had them highlighted in *red*)****
>
> ** **
>
> ASA1(config)# sh service-policy global inspect ipsec-pass-thru **
> **
>
> ** **
>
> Global policy: ****
>
> Service-policy: global_policy****
>
> Class-map: inspection_default****
>
> Inspect: ipsec-pass-thru _default_ipsec_passthru_map, *packet 12*,
> drop 0, reset-drop 0****
>
> ** **
>
> Can some please explain me why the ASA acts like that ? Why doesn’t the
> “inspect ipsec-pass-through” rule kicks in in the first place? ****
>
> Eugene****
>
> ** **
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
