Crypto ACL question

Hello

I have a hub-and-spoke IPsec VPN using a Cisco ASA as the hub and PIX 506e units as the spokes.

Two of the spokes also have an IPsec VPN between them.

The hub site connects to a WAN.

The two spoke sites have the following ranges:

Spoke 1 = 10.154.10.0/24

Spoke 2 = 10.156.10.0/24

Hub = 10.8.0.0/24 site - but it also connects to all the other addresses in the 10.0.0.0/8 range via a back-end WAN connection.

I was looking for a 'nice' way to configure the crypto ACLs so that traffic between spokes 1 and 2 goes direct and everything else in 10/8 goes through the hub site, rather than trying to list every subnet in 10.0.0.0/8 except 10.156.10.0/24 and 10.154.10.0/24 in an ACL.

If I order the crypto map entries on the spokes so that the most specific one is first (i.e. the spoke-to-spoke map), and then a crypto map entry to 10.0.0.0/8 for the hub is second, would it work?

So on spoke 1:

!

access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0

access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0

!

crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address to-spoke-2
crypto map outside_map 100 set peer 1.2.3.4
crypto map outside_map 100 set transform-set standard
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 match address to-hub
crypto map outside_map 200 set peer 8.9.10.11
crypto map outside_map 200 set transform-set standard

!

Any thoughts?

Yes, the order is definitely supported. Well... I forgot about 'deny' in crypto ACLs.

Tags: Cisco Security

Similar Questions

  • Crypto ACL entries setting

    Hello

    Is it only important that the entries in a crypto ACL are identical on both ends, or does the order in which they were entered matter too? I mean, for example:

    At one end:

    A-> B

    A-> C

    On the other hand:

    C-> A

    B-> A

    What is a reason for the failure?

    Thank you!

    Guido

    Guido,

    The crypto ACLs should be identical, i.e. mirror images of each other, but the order is not important.

    Kind regards

    Arul

    * Rate pls if it helps *.
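The two threads above (the spoke 1 crypto map ordering question at the top of the page and Guido's mirror-image question) describe how a PIX/ASA chooses a crypto map entry: entries are tried in sequence-number order, the first crypto ACL that permits the flow wins, and the two ends' crypto ACLs must be mirror images of each other regardless of ACE order. The Python model below is an added example written for this page, not code from either thread or from Cisco. It parses PIX/ASA-style 'ip' ACEs (netmask syntax only), runs spoke 1's two map entries against sample packets, shows which peer spoke-to-spoke traffic lands on when the entries are in the other order, shows the single-ACL 'deny' alternative the reply alludes to (a deny ACE is treated as "not this entry, try the next sequence", which is how IOS documents deny in crypto ACLs; assume the same for the PIX/ASA in this thread), and checks mirror images as sets. The ACL names and peer addresses are those of the first post; the host addresses and the 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24 stand-ins for Guido's A, B and C are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' in PIX/ASA netmask
    syntax (SRC/DST = 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'); ports are out of scope."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    if tok[0] != "access-list" or action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    i += 2

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return Net("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return Net(tok[i - 1] + "/32")
        i += 2
        return Net(f"{tok[i - 2]}/{tok[i - 1]}")   # ipaddress accepts dotted netmasks

    src = address()
    dst = address()
    return Ace(action, src, dst)


def acl_verdict(acl, src, dst):
    """ACEs are tested top-down; the first one covering src AND dst decides."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


def select_crypto_entry(cmap, src, dst):
    """cmap = [(seq, peer, crypto_acl), ...], tried in sequence order; the first entry
    whose ACL permits the flow wins.  A deny match or no match means 'not this entry';
    if nothing permits, the packet leaves unencrypted (the failure mode to design against)."""
    for seq, peer, acl in sorted(cmap, key=lambda e: e[0]):
        if acl_verdict(acl, src, dst) == "permit":
            return seq, peer
    return None


def is_mirror(acl_a, acl_b):
    """True when side B's ACEs are exactly the src/dst swaps of side A's.
    Compared as sets, so ACE order on either end is irrelevant, as the reply says."""
    return {(a.action, a.src, a.dst) for a in acl_a} == {(b.action, b.dst, b.src) for b in acl_b}


# Spoke 1 from the first post: two crypto map entries, two peers.
TO_SPOKE_2 = [parse_ace("access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0")]
TO_HUB = [parse_ace("access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0")]
SPOKE_PEER, HUB_PEER = "1.2.3.4", "8.9.10.11"
SPECIFIC_FIRST = [(100, SPOKE_PEER, TO_SPOKE_2), (200, HUB_PEER, TO_HUB)]
HUB_FIRST = [(100, HUB_PEER, TO_HUB), (200, SPOKE_PEER, TO_SPOKE_2)]
# The 'deny' alternative the reply alludes to: carve spoke 2 out of the hub ACL itself,
# so the outcome no longer depends on which map entry comes first.
TO_HUB_WITH_DENY = [
    parse_ace("access-list to-hub deny ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0"),
    parse_ace("access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0"),
]
HUB_FIRST_WITH_DENY = [(100, HUB_PEER, TO_HUB_WITH_DENY), (200, SPOKE_PEER, TO_SPOKE_2)]


def spoke1_demo():
    ip = ipaddress.IPv4Address
    src = ip("10.154.10.7")            # constructed host at spoke 1
    spoke2_host = ip("10.156.10.9")    # constructed host at spoke 2
    wan_host = ip("10.20.0.1")         # constructed 10/8 site behind the hub
    internet = ip("192.0.2.10")        # covered by no crypto ACL at all
    return {
        "specific_first/spoke2": select_crypto_entry(SPECIFIC_FIRST, src, spoke2_host),
        "specific_first/wan": select_crypto_entry(SPECIFIC_FIRST, src, wan_host),
        "hub_first/spoke2": select_crypto_entry(HUB_FIRST, src, spoke2_host),   # lands on the hub
        "hub_first_deny/spoke2": select_crypto_entry(HUB_FIRST_WITH_DENY, src, spoke2_host),
        "no_match": select_crypto_entry(SPECIFIC_FIRST, src, internet),
    }


# Guido's A->B, A->C on one end versus C->A, B->A on the other, with constructed networks.
A, B, C = "10.1.0.0 255.255.255.0", "10.2.0.0 255.255.255.0", "10.3.0.0 255.255.255.0"
SIDE_A = [parse_ace(f"access-list vpn permit ip {A} {B}"), parse_ace(f"access-list vpn permit ip {A} {C}")]
SIDE_B = [parse_ace(f"access-list vpn permit ip {C} {A}"), parse_ace(f"access-list vpn permit ip {B} {A}")]
SIDE_B_BAD = [parse_ace(f"access-list vpn permit ip {C} {A}"), parse_ace(f"access-list vpn permit ip {A} {B}")]


def mirror_demo():
    return is_mirror(SIDE_A, SIDE_B), is_mirror(SIDE_A, SIDE_B_BAD)
```

Running spoke1_demo() shows the point of both threads at once: with the specific entry first, spoke 2 traffic goes to 1.2.3.4 and the rest of 10/8 to 8.9.10.11; with the hub entry first, spoke 2 traffic is swallowed by the 10/8 match and sent to the hub; the deny variant gets the right peer in either order; and a destination no crypto ACL covers returns None, i.e. would leave in the clear, so a practitioner should make sure such traffic is blocked by the interface ACL rather than relying on the crypto map to catch it. mirror_demo() returns True for Guido's reordered pair and False when one side lists a flow the other does not mirror.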

  • Cisco ASA 9.1: crypto ACL - order, order of operations

    Hello

    Let's say we have the following configuration:

    access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

    crypto map mymap 10 match address vpn1

    crypto map mymap 10 set peer x.x.x.x

    access-list vpn2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

    crypto map mymap 20 match address vpn2

    crypto map mymap 20 set peer y.y.y.y

    In the above example, what happens if you try to send a packet to a host on 10.1.1.x and the peer x.x.x.x is down (no SA)?

    Will the ASA check that the SA is down or missing and then start processing the next crypto ACL according to the crypto map sequence number, or simply drop the packet?

    If the ASA tries the next crypto map entry/crypto ACL and there is no matching ACL, are the packets sent in clear text?

    Thanks for the explanation

    Peter

    Hi Peter,

    This would work if the first tunnel is down and there is no SA for it.

    However, it is not recommended to have overlapping crypto ACLs.

    Kind regards

    Aditya

    Please rate helpful posts and mark correct answers.

  • Disable Split Tunneling - SAs do not come up when I change the crypto ACL

    Hello!

    When I change my crypto ACL I receive an error message in phase I: "IKE NOTIFY PROPOSAL_NOT_CHOSEN". I am doing this to disable split tunneling and get all traffic through the tunnel. Please see the config below:

    crypto isakmp policy 10

    hash md5

    authentication pre-share

    lifetime 3600

    crypto isakmp key cisco address x.x.x.x

    !

    !

    crypto ipsec transform-set CRYPTO esp-des esp-md5-hmac

    !

    crypto map CLIENT 1 ipsec-isakmp

    set peer x.x.x.x

    set transform-set CRYPTO

    match address 115

    !

    access-list 115 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255

    access-list 115 deny ip any any

    I changed ACL 115 so that I can disable split tunneling, and it now looks like this:

    access-list 115 permit ip 10.10.10.0 0.0.0.255 any

    access-list 115 deny ip any any

    What is failing? I didn't think the crypto ACLs had to be the same?

    OK, you are using a dynamic crypto map on your head-end, just as I suggested, so that's fine. What you have done, which is causing your problem (and usually causes more problems than it's worth), is to assign an access list to the dynamic crypto map. It is not necessary, because with a dynamic crypto map the head-end router accepts whatever traffic pattern the remote router sends.

    In your case, since you changed the remote router to 'any', it no longer matches ACL 115 on the head-end and is now failing.

    The easiest way around it is simply to remove the 'match address 115' from the dynamic crypto map on the head-end. This will not affect any of your other tunnels and will allow the remote router to establish a tunnel.

    The exact commands you would use are as follows:

    > crypto dynamic-map PERSONAL 10

    > no match address 115

  • Crypto ACL

    Hello

    Does anybody know if it's possible to configure a service in a crypto ACL?

    Something like this:

    access-list crypto permit tcp host 1.1.1.1 host 1.1.1.1 eq 23

    What will the crypto ACL on the other side look like?

    I apologise for misunderstanding what kind of device you have.

    With PIX v6.x, you can disable the command "sysopt connection permit-ipsec". When this command is enabled (on by default), the PIX will ignore any ACL for encrypted traffic.

    So disable this command, create an inbound ACL, apply the ACL to the outside interface, and leave the nat 0 and crypto ACLs as they are.

    For example:

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list 111 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.100 eq 23

    nat (inside) 0 access-list 101

    access-group 111 in interface outside

    crypto map myvpn 10 ipsec-isakmp

    crypto map myvpn 10 match address 120

    crypto map myvpn 10 set peer

    crypto map myvpn 10 set transform-set RIGHT

  • Basic ACL question

    I have a few ACL questions. I'm not clear on the source address and the destination address in the following cases.

    Case 1

    My WAN1 IP is 1.1.1.1, my FTP server is 192.168.1.2 port 23

    If I access FTP from the internet using ftp://1.1.1.1:23, what are the source and destination IPs in my ACL? Is 1.1.1.1 the source? Is the destination 192.168.1.2, or any?

    Internet - (outside 1.1.1.1) ASA (inside 192.168.1.1) - FTP (192.168.1.2)

    Case 2

    My WAN1 is still 1.1.1.1 and FTP is 192.168.1.2 port 23

    If I use ftp://1.1.1.1:8023 for internet FTP access, what are the ACL source and destination IP addresses?

    I tested both cases with source = any and destination = any and everything is OK.

    But I am confused. I still think the source address is the WAN1 IP.

    Hello

    You access the FTP server from the Internet and most likely you won't know which IP address you will be coming from. In this case, your source IP address will be any. If you know the IP address on the Internet that will access your FTP server, then you specify it as the source. Your access list will be as follows:

    access-list 100 extended permit tcp any host 1.1.1.1 eq 21

    access-list 100 extended permit tcp any host 1.1.1.1 eq 20

    or

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20

    (if you know the network or host that will have FTP access)

    You must also make sure that you have configured static NAT and FTP inspection for your FTP server

    Thank you

    John

  • ASA ACL question

    I'm new to the ASA and am trying to understand something about ACLs. I understand creating them and adding entries, and that they should all have the same name, but I'm confused about ACLs that already exist on a device but do not have the same name, or may be named differently.

    For example:

    access-list Corporate1 permit tcp any any eq www

    access-list Corporate1 permit tcp any any eq https

    access-list Inside_Out permit ip any any

    access-group Corporate1 in interface outside

    Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied to the interface and is active. I get this part... My question is: is the Inside_Out ACL automatically grouped in with the Corporate1 ACL and activated as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1?

    I have 2 different people telling me two different things. I'm lost on this one, any help would be greatly appreciated.

    -Jon

    Working with ACLs always involves two steps:

    1. You configure the ACL (possibly with multiple lines, but the same name).
    2. You assign the ACL to a function. That might be filtering on an interface with access-group, but it is not limited to that; the ACL can be used in several places where the ASA has to match traffic.

    If you did both 1) and 2), then the ACL is active and in use. If you have only configured the ACL but it was never assigned to a function, then the ACL is not active and can be removed.

    In your example:

    If you find the ACL 'Inside_Out' but you don't know if the ACL is used, then do a

     sh run | inc Inside_Out

    If the output shows only the ACL lines, it is unused and can be removed:

     clear configure access-list Inside_Out

    Or, if it is not used but should be, then apply the ACL for the desired purpose.
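The reply's check ('sh run | inc Inside_Out') is the authoritative one on the box. The same two-step logic (an ACL is configured, then bound to a function) can be run offline over a saved running-config to list every ACL that is defined but bound to nothing, and the reverse mistake, a binding that names an ACL which does not exist. The script below is an added example written for this page, not Cisco code or code from the thread. The configuration text inside it is constructed for the example, and the binding commands it recognises (access-group, crypto map and dynamic-map match address, vpn-filter, nat 0 access-list, class-map match access-list, split-tunnel-network-list) are a practical subset, not a complete list of every ASA command that can reference an ACL, which is why the on-box 'sh run | inc NAME' remains the final word.

```python
import re
from typing import Dict, List, Set

# Constructed ASA running-config excerpt for this example (not from the thread).
# Corporate1 is bound to an interface, outside_cryptomap to a crypto map and
# branch_filter to a group-policy vpn-filter; Inside_Out is bound to nothing.
SAMPLE_CONFIG = """\
access-list alert-interval 300
access-list Corporate1 extended permit tcp any any eq www
access-list Corporate1 extended permit tcp any any eq https
access-list Inside_Out extended permit ip any any
access-list outside_cryptomap extended permit ip 10.8.0.0 255.255.255.0 10.154.10.0 255.255.255.0
access-list branch_filter remark in a vpn-filter the remote network is the SOURCE
access-list branch_filter extended permit tcp 10.154.10.0 255.255.255.0 10.8.0.0 255.255.255.0 eq 443
access-group Corporate1 in interface outside
crypto map outside_map 100 match address outside_cryptomap
crypto map outside_map 100 set peer 1.2.3.4
group-policy branch internal
group-policy branch attributes
 vpn-filter value branch_filter
"""

# Global 'access-list' settings that look like ACL names but are not.
NOT_ACL_NAMES = {"alert-interval", "deny-flow-max"}

# Commands that bind an ACL to a function (step 2 in the reply); group 1 is the name.
BINDINGS = [
    ("interface", re.compile(r"^access-group (\S+) (?:in|out) interface ")),
    ("crypto map", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
    ("dynamic map", re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)")),
    ("vpn-filter", re.compile(r"^\s+vpn-filter value (\S+)")),
    ("nat exemption", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("class-map", re.compile(r"^\s+match access-list (\S+)")),
    ("split-tunnel", re.compile(r"^\s+split-tunnel-network-list value (\S+)")),
]

ACE_LINE = re.compile(r"^access-list (\S+) ")


def defined_acls(config: str) -> Set[str]:
    """ACL names that have at least one ACE or remark line (step 1 in the reply)."""
    names = set()
    for line in config.splitlines():
        m = ACE_LINE.match(line)
        if m and m.group(1) not in NOT_ACL_NAMES:
            names.add(m.group(1))
    return names


def acl_bindings(config: str) -> Dict[str, List[str]]:
    """Map each referenced ACL name to the functions it is bound to."""
    bound: Dict[str, List[str]] = {}
    for line in config.splitlines():
        for what, pattern in BINDINGS:
            m = pattern.match(line)
            if m:
                bound.setdefault(m.group(1), []).append(what)
    return bound


def unused_acls(config: str) -> List[str]:
    """Configured but never assigned: safe to remove, as the reply says."""
    return sorted(defined_acls(config) - set(acl_bindings(config)))


def dangling_bindings(config: str) -> List[str]:
    """The opposite mistake: a binding to an ACL that has no entries. On an
    interface that means no filtering at all, on a crypto map no tunnel."""
    return sorted(set(acl_bindings(config)) - defined_acls(config))


def cleanup_commands(config: str) -> List[str]:
    """The removal command the reply uses, one per unused ACL."""
    return [f"clear configure access-list {name}" for name in unused_acls(config)]


if __name__ == "__main__":
    print("bound:", acl_bindings(SAMPLE_CONFIG))
    print("unused:", unused_acls(SAMPLE_CONFIG))
    print("dangling:", dangling_bindings(SAMPLE_CONFIG))
    print("\n".join(cleanup_commands(SAMPLE_CONFIG)))
```

Feed it the output of 'show running-config' saved to a file and review the 'dangling' list with as much care as the 'unused' one: a typo in an access-group or match address name is a silent failure, not an error, on the ASA.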

  • Site to site VPN ASA2ASA funny crypto ACL behavior

    Hello

    I am using a site-to-site VPN between two ASAs. It works, but in my opinion it should not work; there is a bug. The thing is that when I define the traffic to be encrypted in an ACL, this traffic is denied and the tunnel doesn't work. If I remove the ACL entries I am actually interested in encrypting, it works...

    So, for example:

    I establish a tunnel between the two ASAs and specify

    access-list VPN extended permit ip host 172.16.0.60 host 172.20.24.60

    crypto map colt_map 20 match address VPN

    crypto map test_map 20 set peer 1.1.1.1
    crypto map test_map 20 set transform-set TEST
    crypto map test_map 20 set security-association lifetime seconds 3600
    crypto map test_map 20 set security-association lifetime kilobytes 4608000

    When I have that, no traffic is allowed between 172.16.0.60 and 172.20.24.60. And when I do:

    access-list VPN extended deny ip host 172.16.0.60 host 172.20.24.60

    access-list VPN extended permit ip host 172.16.0.59 host 172.20.24.59

    I get communication between host 172.16.0.60 and 172.20.24.60, but not between host 172.16.0.59 and 172.20.24.59.

    It seems very weird to me. I was wondering if anyone has seen this behaviour before or could explain it?

    Thanks in advance.

    Yes.

    In general, VPN traffic is not checked against the outside ACL because of a single command: sysopt connection permit-vpn

    You can see if this command is enabled by doing: sh run all sysopt

    If you remove this command: no sysopt connection permit-vpn

    then all VPN traffic is checked against the interface ACL (and you can allow only what you need).

    A better approach is to leave the sysopt connection permit-vpn default in place and create a vpn-filter ACL that is applied to the group-policy for the tunnel-groups you need.

    Federico.

  • Inbound and outbound ACL question

    I want to restrict inbound and outbound traffic with access-lists on my PIX 515. Maybe this is a stupid question, but I don't know how the PIX ACL treats traffic directions. Let's say I allowed NTP traffic from outside to an inside host in inbound_acl; do I also need to open the NTP port in outbound_acl to pass the NTP response?

    Is it the same for the other direction (traffic originating inside)?

    Thanks for any response.

    Hello

    If you open the NTP port from outside to the inside host, the PIX will keep the session state and will allow the return traffic from the inside host. The default is no outbound ACL (equivalent to an ACL applied inbound on the inside interface). The stateful inspection rule is the same for all directions/interfaces.

    Thank you

    Nadeem

  • Remote crypto ACL editing

    Hello

    I have some 837s with an IPsec VPN to HQ.

    I need to add an additional network to the crypto ACL on the 837. Unfortunately, the previous administrator left a deny at the end of the ACL, so I really need to replace it. I only have remote connectivity to the router.

    On a test router, I tried to remove the access list (no ip access-list ext vpndst) and then lost all access to the router (inside and outside address). Only a reload would work.

    What is the best way to change the crypto ACL remotely?

    Hello

    If it is a named ACL, just edit it...

    sh access-list vpndst (note the line number of the deny any any)

    ip access-list ext vpndst

    no # (# = line number of the deny)

    You can also put your commands in a text file and copy it to flash. After a copy from flash to the running-config, it will merge into the config.
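The reply's method (find the deny's sequence number and remove it) works. A variant that never leaves the crypto ACL without its entries, even for a moment, is to add the new network with a sequence number that sorts before the trailing deny, which IOS named ACLs allow. The script below is an added example for this page, not Cisco code or anything from the thread: it parses a constructed 'show access-list vpndst' output, picks free sequence numbers between the last permit and the deny (resequencing the ACL first if there is no room), and prints the exact lines to paste. The 'vpndst' name is the poster's; every address in the sample output and in the new entry is made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed 'show access-list vpndst' output from an IOS router (not the poster's).
SHOW_ACL = """\
Extended IP access list vpndst
    10 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255 (1523 matches)
    20 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
    30 deny ip any any (88 matches)
"""

ENTRY = re.compile(r"^\s*(\d+) (.+?)(?: \(\d+ match(?:es)?\))?$")


def parse_show_acl(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (acl name, [(sequence, ace text), ...]) with the match counters stripped."""
    lines = text.strip().splitlines()
    head = re.match(r"(?:Extended|Standard) IP access list (\S+)", lines[0])
    if not head:
        raise ValueError("not 'show access-list' output")
    entries = []
    for line in lines[1:]:
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return head.group(1), entries


def trailing_deny_index(entries: List[Tuple[int, str]]) -> Optional[int]:
    for idx, (_, ace) in enumerate(entries):
        if ace.startswith("deny ip any any"):
            return idx
    return None


def insert_before_deny(show_output: str, new_aces: List[str]) -> List[str]:
    """IOS commands that add new_aces ahead of the final 'deny ip any any'.
    The ACL is edited in place and never removed, so the crypto map that
    references it keeps working throughout (removing the whole ACL is what
    locked the poster out of the test router)."""
    if not 0 < len(new_aces) < 100:
        raise ValueError("this helper inserts between 1 and 99 entries")
    name, entries = parse_show_acl(show_output)
    deny_idx = trailing_deny_index(entries)
    cmds: List[str] = []
    if deny_idx is None:
        # No explicit deny: plain appends already land before the implicit deny.
        cmds.append(f"ip access-list extended {name}")
        cmds += [f" {ace}" for ace in new_aces]
        return cmds

    prev_seq = entries[deny_idx - 1][0] if deny_idx else 0
    deny_seq = entries[deny_idx][0]
    if deny_seq - prev_seq <= len(new_aces):
        # No free numbers in the gap: renumber 100, 200, ... (ACE order is preserved).
        cmds.append(f"ip access-list resequence {name} 100 100")
        prev_seq = 100 * deny_idx
        deny_seq = 100 * (deny_idx + 1)

    step = (deny_seq - prev_seq) // (len(new_aces) + 1)
    cmds.append(f"ip access-list extended {name}")
    for k, ace in enumerate(new_aces, start=1):
        cmds.append(f" {prev_seq + k * step} {ace}")
    return cmds


if __name__ == "__main__":
    print("\n".join(insert_before_deny(SHOW_ACL, ["permit ip 192.168.10.0 0.0.0.255 10.0.2.0 0.0.0.255"])))
```

For the sample output this prints 'ip access-list extended vpndst' followed by ' 25 permit ip 192.168.10.0 0.0.0.255 10.0.2.0 0.0.0.255', which slots between sequence 20 and the deny at 30. Two habits worth pairing with any remote change like this: issue 'reload in 10' before pasting and 'reload cancel' once you have confirmed access still works, and add the mirror entry to the HQ end's crypto ACL as well, since the two sides must stay mirror images for the new network's SA to negotiate.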

  • ASA "route inside 0 0 192.168.1.1 tunneled" interface ACL question

    Hello

    Small question around the "route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled" command.

    Do you need to add the u-turn traffic to the inside interface ACL (for example internet-bound HTTP traffic), or does 'same-security-traffic permit intra-interface' remove the need for this?

    So if my remote VPN site outside is 10.1.1.0/24, should I add inbound permit statements for 10.1.1.0/24 on my inside interface?

    Thank you

    same-security-traffic permit intra-interface allows in-then-out traffic on a single interface

    an inbound permit 10.1.1.0/24 statement in the ACL allows (out-then-in) traffic on a single interface, but you must disable the RPF check

  • ACL question

    I plan to put this ACL on the inside interface to prevent the following ports from going out to the 'net. I do not want to interrupt other IP traffic and just hoped for a sanity check to make sure I have it right. I wouldn't want to break my inside interface.

    access-list 130 deny tcp any any eq 135

    access-list 130 deny udp any any eq 135

    access-list 130 deny udp any any eq netbios-ns

    access-list 130 deny udp any any eq netbios-dgm

    access-list 130 deny tcp any any eq 138

    access-list 130 deny tcp any any eq netbios-ssn

    access-list 130 deny tcp any any eq 445

    access-list 130 deny tcp any any eq 593

    access-list 130 deny tcp any any range 3127 3199

    access-list 130 permit ip any any

    I don't know if I should put the "permit ip any any" at the end of the ACL or at the start.

    the entry that permits any any must be placed at the end of the ACL, as the ACL is processed in order.

  • RDP ACL question

    Hey everybody! I have currently run into a problem. I have set up RDP for a client and it works when we hit the WAN IP on port 3389. However, it works for everyone and not only for our network (we're an ISP with a /23 network that we work from at the desktop). I want only our network to be able to remote control the server we have put in place at the client's site.

    This is the ACL I have set up on the WAN interface using "ip access-group 100 in", but it does not work, and I don't really know why. It should allow us in, then block everyone else. Any idea why it's not working? When I apply it, no one can remote to this server.

    access-list 100 permit tcp X.X.X.X 0.0.1.255 host 192.168.1.4 eq 3389

    access-list 100 deny tcp any any eq 3389

    access-list 100 permit ip any any

    What is the subnet configured on the WAN?

    Which address of the RDP server is used to connect?

    A private or a public IP address?

    Try changing 192.168.1.4 to the public IP.

    Kind regards.

  • RVS4000 Firewall ACL Question

    I am working on installing and configuring an RVS4000 for a friend and wanted to check my understanding of the firewall section.  By default the firewall allows traffic from any source to any destination, including WAN.  I realize that with NAT this isn't a huge concern / shouldn't be the case... but I tend to prefer the tightest standards rather than more flexible ones.

    I wanted to make sure that it permits internally initiated outgoing traffic and drops inbound external traffic, so I created the rules as the attachment shows.  Am I looking at this properly?  Does the firewall ACL section implement a stateful firewall, or is it a pure ACL, and is the last WAN rule required for the return traffic that has already been through the NAT lookup?

    If someone could please help me clear up this one small detail I would greatly appreciate it.

    Thanks in advance.

    The ACL is just that, an ACL. The rules you have are fine; the difference between your implementation and the default is that you explicitly deny traffic, which is not a bad idea. On that note, this does not mean that traffic was explicitly allowed before (default configuration).

    Before the creation of any rules a "deny all" is already in place but not displayed. This is typical of small business and consumer routers. The only thing I would change is to add the subnet rather than just "any".

    I hope this helps.

  • ASA5505 - supernet crypto ACL

    Hello

    One of my clients has a corporate network consisting of 4 ASA5505s. The network looks like this:

    (HUB, 192.168.9.0/24)

              ^                          ^                           ^

              |                          |                           |

    (spoke, 192.168.4.0/24)   (spoke, 192.168.8.0/24)   (spoke, 192.168.12.0/24)

    A hub-and-spoke configuration where we want all the private networks to be able to communicate with each other. Some tunnels are dynamic L2L, others are static L2L.

    I was wondering, is it possible for the tunnel ACL to use supernets?

    For example, on the spokes do something like:

    access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0

    as all of our networks are 192.168.x.x subnets? We want to avoid having to update all the spokes if we introduce another site into the VPN.

    And on the hub, something like:

    access-list to_site1 extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0

    access-list to_site2 extended permit ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0

    So we do not have to add to the access lists each time a new site is added?

    I was wondering if this would work, or whether it would be considered best practice.

    Thanks in advance.

    It should work.
