VPN help needed

Started by heath, April 29, 2016, 03:44:30 PM


Reggle

Quote from: DanC on May 04, 2016, 06:43:02 AM
Quote from: Dieselboy on May 03, 2016, 08:43:00 PM
Quote from: Reggle on April 29, 2016, 06:02:49 PM
As you described it, you sent a packet from branch to headend through the VPN expecting a response. However, as I read your headend config, you don't have any firewall policy on Outside, meaning it will drop all traffic on the outside interface. If a VPN encrypted packet is received, it's probably being decrypted, doesn't match a policy, and is dropped. Hence no reply.
Either make a policy for it, or try a connection (ping?) the other way around and see if the numbers on the counters change places as well.

I've never seen or tested this. Would the ASA not route traffic and prevent traffic from the inside to the outside zone and prevent TCP connections establishing with this set up? I mentioned this because when VPN is configured on the ASA it seems to put in secret allow rules from outside to a hidden "self" zone to allow the VPN to work without configuring specific allow rules on the access list.

You're right, DieselBoy, you don't need specific ACEs to allow ISAKMP and ESP; that's allowed by default when you enable the crypto map and IKE on the interface. I seem to remember though that the ASA won't pass any traffic from a lower sec zone to higher without an ACL, so not sure whether this would apply here or not. By default the ASA bypasses ACLs for VPN traffic, so I guess it's just down to the order it processes the logic.
I wasn't talking about IKE or IPsec traffic to itself, but traffic inside the tunnel.
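
The two behaviours discussed above (tunnel traffic bypassing the outside ACL by default, versus an explicit policy being required) side by side, as an added ASA configuration example that is not from the original thread or the poster's headend config; interface names, ACL names and the 10.1.0.0/16 and 10.2.0.0/16 subnets are assumptions.

```cisco
! --- Case 1: ASA default. Decrypted tunnel traffic skips the interface ACL,
! --- so an outside interface with no access-group still passes VPN traffic.
! --- (This is the default and does not normally appear in a running config.)
sysopt connection permit-vpn

! --- Case 2: explicit policy. Once the bypass is disabled, decrypted packets
! --- arriving on "outside" must match the inbound ACL or they are dropped,
! --- which is the symptom described above: encaps counters rise, no reply.
no sysopt connection permit-vpn

! Permit only the branch LAN (10.2.0.0/16) to the headend LAN (10.1.0.0/16).
! Anything else decrypted on "outside" is denied by the implicit deny.
access-list OUTSIDE_IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! --- Verification: compare #pkts encaps vs #pkts decaps on each side, and
! --- look for the ACL drop in the log while sending the test ping.
show crypto ipsec sa
show access-list OUTSIDE_IN
show logging | include OUTSIDE_IN
```

The same ACE also works as an allow-list even with the default bypass in place, since an ACL that only permits the tunnel subnets documents the intended policy rather than relying on the implicit VPN exemption.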

Dieselboy

Quote from: deanwebb on May 04, 2016, 09:38:40 AM
Quote from: Dieselboy on May 03, 2016, 08:40:34 PM
If you use Cisco ZBFW on IOS then it might be the firewall that one time.

ZBFW on IOS is not a firewall. It's a stopgap measure, due to a business being too impoverished or too stingy to lay out money for a proper firewall.

:lol:

Where's that image "it IS a firewall!"? Although I mention my comment because sometimes it blocks silly things that it shouldn't. Like SIP traffic for example (which is a bug).

deanwebb

Quote from: Dieselboy on May 05, 2016, 12:48:05 AM
Where's that image "it IS a firewall!"

I don't believe that such an image exists. If it did, it would be technically inaccurate. It's not the firewall's fault that programmers use protocols that it can't handle correctly, such as SIP or OSPF.

:steamtroll:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.