Just forgot to post the final bit :-) And we see the outgoing ESP connection but no corresponding UDP 500 one, so there is no proper state and packets are getting dropped.
ASA2# sh conn
14 in use, 23 most used
ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:00:04, bytes 620
TCP outside 180.6.12.1:58101 inside 180.6.59.5:179, idle 0:00:30, bytes 552, flags UIOB

Cheers
A.

On 21 May 2012 15:22, Alexei Monastyrnyi <[email protected]> wrote:
> Hi Eugene.
>
> I think it all comes down to the firewall state table. If you have a UDP 500
> entry in the state table and have inspect ipsec-pass-thru configured, the
> pass-thru will kick in, otherwise it will hit your inbound ACL.
>
> In the example below on ASA I don't have any UDP 500 or ESP allowed inbound
> by the ACL.
>
> ASA2# sh conn
> 13 in use, 23 most used
> TCP outside 180.6.12.1:179 inside 180.6.59.5:54198, idle 0:00:36, bytes 552, flags UIO
> ASA2#
>
> Now I clear cry isakmp on my inside router and ping across the tunnel
>
> ASA2#
> ASA2# sh conn
> 18 in use, 23 most used
> ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:00:04, bytes 496
> ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:01:01, bytes 0
> UDP outside 180.6.29.2:500 inside 180.6.59.5:500, idle 0:00:04, bytes 1504, flags -
> TCP outside 180.6.12.1:179 inside 180.6.59.5:54198, idle 0:00:55, bytes 590, flags UIO
> ESP outside 180.6.29.2 inside 180.6.59.5, idle 0:00:04, bytes 496
> ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:01:01, bytes 0
> ASA2#
> ASA2#
> ASA2# sh service-policy global | in ipsec
>       Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 10, drop 0, reset-drop 0
>
> Now I clear my connection table on ASA
>
> ASA2# clear conn
> 4 connection(s) deleted.
> ASA2#
> ASA2# sh conn
> 12 in use, 23 most used
> ASA2#
> ASA2# sh conn
> 13 in use, 23 most used
> TCP outside 180.6.12.1:58101 inside 180.6.59.5:179, idle 0:00:07, bytes 400, flags UIOB
> ASA2#
>
> And I ping across the tunnel from the inside router.
>
> ASA2# %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
> %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
> %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
> %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
> %ASA-4-106023: Deny protocol 50 src outside:180.6.29.2 dst inside:180.6.59.5 by access-group "OUTSIDE_IN" [0x0, 0x0]
>
> HTH
> A.
>
>
> On 21 May 2012 07:29, Eugene Pefti <[email protected]> wrote:
>> Hello guys,
>>
>> I kindly ask for your fresh pair of eyes to help me understand what's
>> wrong with IPSec traffic traversing the ASA.
>>
>> The setup is trivial:
>>
>> (1.1.1.1 – loopback0) R1 ----(inside)---- ASA ----- (outside) ------ R6 (6.6.6.6 – loopback0)
>>
>> The task asks to configure a tunnel between R1 and R6, but the specific
>> requirement is not to use any ACL on the ASA to allow IPSec.
>>
>> Ok, I did everything that is required and I assume the solution should
>> work when the traffic is originated from R1 to R6, provided I have a
>> static mapping on the ASA and "inspect ipsec-pass-thru" in the global policy.
>>
>> static (inside,outside) 1.1.1.1 1.1.1.1
>> policy-map global_policy
>>  class inspection_default
>>   inspect ipsec-pass-thru
>>
>> Then interesting things are observed. I originate ICMP traffic from R1,
>> sourcing it from loopback0, and the tunnel comes up (at least I see QM_IDLE on
>> both routers in the ACTIVE state).
>>
>> While I debug ICMP I see that R6 sends ICMP replies to R1 loopback0, sourcing them from
>> loopback0 as well.
>> But the ASA reports the following:
>>
>> %ASA-4-106023: Deny protocol 50 src outside:6.6.6.6 dst inside:1.1.1.1 by access-group "OUTSIDE-INBOUND" [0x0, 0x0]
>>
>> Which absolutely doesn't make sense, as there's "ipsec-pass-through"
>> inspection configured. Note that it doesn't work (counters are 0):
>>
>> ASA1(config)# sh service-policy global inspect ipsec-pass-thru
>>
>> Global policy:
>>   Service-policy: global_policy
>>     Class-map: inspection_default
>>       Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 0, drop 0, reset-drop 0
>>
>> Then comes the most interesting part. I temporarily allow ESP traffic on the
>> ASA outside interface with an ACL:
>>
>> access-list OUTSIDE-INBOUND extended permit esp any any
>>
>> And of course the traffic between the routers' loopbacks starts flowing
>> flawlessly. Then I remove the above ACL entry. Pings are still being
>> exchanged between R1 and R6. Then I clear the crypto session on both
>> routers and start sending pings again. This time it works without an ACL,
>> and, most importantly, this time the IPSec inspection
>> starts working as well (see the counters for the corresponding inspection
>> policy, I had them highlighted in red):
>>
>> ASA1(config)# sh service-policy global inspect ipsec-pass-thru
>>
>> Global policy:
>>   Service-policy: global_policy
>>     Class-map: inspection_default
>>       Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 12, drop 0, reset-drop 0
>>
>> Can someone please explain to me why the ASA acts like that? Why doesn't the
>> "inspect ipsec-pass-through" rule kick in in the first place?
>>
>> Eugene
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>>
>
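The state-table logic Alexei describes, as an added toy model written for this page (it is not ASA code and is not from either poster). It replays his test: with `inspect ipsec-pass-thru` on and no ESP permit in the inbound ACL, an inbound ESP packet is forwarded only while the conn table holds the UDP/500 entry built by the inside router's IKE exchange, and after `clear conn` the same packet hits the ACL and produces the `%ASA-4-106023 Deny protocol 50` message. Assumptions not stated on the page: the pinhole keys only on the outside/inside address pair of the UDP/500 conn, and a conn built before the inspection was enabled is treated as uninspected; the class names, `replay_thread`, and the addresses reused from the thread are illustrative.

```python
"""
Toy model of the ASA behaviour discussed in this thread (added example, not
ASA code): an inbound ESP packet is only let through by
"inspect ipsec-pass-thru" if the conn table already holds a UDP/500 (IKE)
entry for the same peer pair; otherwise it falls through to the interface ACL.
Assumptions (not on the page): the pinhole keys on the address pair of the
UDP/500 conn only, and a conn built before the inspection was enabled is
not inspected.
"""
from dataclasses import dataclass, field

ESP_PROTO = 50  # IP protocol number for ESP, as shown in %ASA-4-106023


@dataclass(frozen=True)
class Conn:
    proto: str               # "UDP", "TCP" or "ESP"
    outside: str             # address on the outside interface
    inside: str              # address on the inside interface
    port: int = 0            # L4 port, only meaningful for UDP/TCP
    inspected: bool = False  # built while inspect ipsec-pass-thru was on


@dataclass
class AsaModel:
    acl_name: str
    inbound_acl: list              # permit entries (proto, src, dst); "any" wildcard
    inspect_passthru: bool = False  # the policy-map inspection switch
    conns: set = field(default_factory=set)
    passthru_packets: int = 0      # the "packet N" counter from sh service-policy
    syslog: list = field(default_factory=list)

    def inside_initiates_ike(self, inside, outside):
        """Inside router starts IKE: the outbound UDP/500 flow builds a conn."""
        self.conns.add(Conn("UDP", outside, inside, 500, self.inspect_passthru))

    def clear_conn(self):
        """Equivalent of 'clear conn' on the ASA."""
        self.conns.clear()

    def _acl_permits(self, proto, src, dst):
        return any(p in (proto, "any") and s in (src, "any") and d in (dst, "any")
                   for p, s, d in self.inbound_acl)

    def inbound_esp(self, src_outside, dst_inside):
        """Decide what happens to an ESP packet arriving on the outside interface."""
        esp = Conn("ESP", src_outside, dst_inside)
        # 1. An existing ESP conn is forwarded by state alone; this is why the
        #    pings kept flowing after the temporary ACL entry was removed.
        if esp in self.conns:
            return "forward (existing ESP conn)"
        # 2. The pass-thru pinhole: needs an inspected UDP/500 conn for this pair.
        if self.inspect_passthru and Conn("UDP", src_outside, dst_inside, 500, True) in self.conns:
            self.passthru_packets += 1
            self.conns.add(esp)
            return "forward (ipsec-pass-thru)"
        # 3. Otherwise the inbound ACL decides.
        if self._acl_permits("esp", src_outside, dst_inside):
            self.conns.add(esp)
            return "forward (ACL permit esp)"
        self.syslog.append(
            f"%ASA-4-106023: Deny protocol {ESP_PROTO} src outside:{src_outside} "
            f"dst inside:{dst_inside} by access-group \"{self.acl_name}\" [0x0, 0x0]")
        return "drop (ACL deny)"


def replay_thread(acl_name="OUTSIDE_IN", peer="180.6.29.2", inside="180.6.59.5"):
    """Replay Alexei's test sequence; returns the verdict after each step."""
    asa = AsaModel(acl_name, inbound_acl=[], inspect_passthru=True)
    steps = {}
    # 'clear cry isakmp' on the inside router, then ping: IKE goes out first.
    asa.inside_initiates_ike(inside, peer)
    steps["after_ike"] = asa.inbound_esp(peer, inside)
    # 'clear conn' on the ASA, then ping again: no UDP/500 state, so the ACL wins.
    asa.clear_conn()
    steps["after_clear_conn"] = asa.inbound_esp(peer, inside)
    steps["counter"] = asa.passthru_packets
    steps["denies"] = len(asa.syslog)
    return steps


if __name__ == "__main__":
    for step, verdict in replay_thread().items():
        print(f"{step}: {verdict}")
```

The practical check this encodes: when `inspect ipsec-pass-thru` shows `packet 0` while ESP is being denied by the interface ACL, look in `sh conn` for a UDP/500 conn between the two peers; if it is missing (cleared, timed out, or built before the inspection was configured), re-initiating IKE from the inside is what creates the state the pinhole depends on.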
