Addd an inbound acl permitting udp 500.
With regards Kings On Mon, May 21, 2012 at 2:59 AM, Eugene Pefti <[email protected]>wrote: > Hello guys,**** > > I kindly ask for your fresh pair of eyes to help me understand what’s > wrong with IPSec traffic traversing the ASA.**** > > The setup is trivial:**** > > ** ** > > **(1.1.1.1 **– loopback0) R1 ----(inside)---- ASA ----- (outside) ------ > R6 (6.6.6.6 – loopback0)**** > > ** ** > > The task asks to configure a tunnel between R1 and R6 but the specific > requirement is not to use any ACL on ASA to allow IPSec.**** > > Ok, I did everything that is required and I assume the solution should > work when the traffic is originated from R1 to R6 providing I have a > static mapping on ASA and “inspect ipsec-pass-thru” in the global policy.* > *** > > ** ** > > Static (inside,outside) 1.1.1.1 1.1.1.1**** > > policy-map global_policy**** > > class inspection_default**** > > inspect ipsec-pass-through**** > > ** ** > > Then an interesting things are observed. I originate ICMP traffic from R1 > sourcing it from loopback0, the tunnel comes up (at least I see QM_IDLE on > both routers in the ACTIVE state)**** > > I’m seeing that R6 sends ICMP replies to R1 loopback0 sourcing them from > loopback0 as well while I debug ICMP. But the ASA reports the following:** > ** > > **** > > %ASA-4-106023: Deny protocol 50 src outside:6.6.6.6 dst inside:1.1.1.1 by > access-group "OUTSIDE-INBOUND" [0x0, 0x0]**** > > ** ** > > Which absolutely doesn’t make sense as there’s “ipsec-pass-through” > inspection configured. Note that it doesn’t work (counters are 0)**** > > ** ** > > ASA1(config)# sh service-policy global inspect ipsec-pass-thru **** > > ** ** > > Global policy: **** > > Service-policy: global_policy**** > > Class-map: inspection_default**** > > Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 0, drop > 0, reset-drop 0**** > > ** ** > > Then goes the most interesting part. I temporarily allow ESP traffic on > ASA outside interface with an ACL**** > > ** ** > > access-list OUTSIDE-INBOUND extended permit esp any any**** > > ** ** > > And of course the traffic between routers loopback starts flowing > flawlessly. Then I remove the above said ACL. Pings still are being > exchanged between R1 and R6. Then I clear the crypto session on both > routers and start sending pings again. This time it works without an ACL > and what is the most important this time is that the IPSec inspection > starts working as well (see counters for the corresponding inspection > policy, I had them highlighted in *red*)**** > > ** ** > > ASA1(config)# sh service-policy global inspect ipsec-pass-thru ** > ** > > ** ** > > Global policy: **** > > Service-policy: global_policy**** > > Class-map: inspection_default**** > > Inspect: ipsec-pass-thru _default_ipsec_passthru_map, *packet 12*, > drop 0, reset-drop 0**** > > ** ** > > Can some please explain me why the ASA acts like that ? Why doesn’t the > “inspect ipsec-pass-through” rule kicks in in the first place? **** > > Eugene**** > > ** ** > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
