Crypto map ACLs not matching interesting traffic

Michael Marzol
Level 1

Router A internal network 10.1.1.0 needs to access internet network 162.143.0.0. IPsec configuration tells the router to run it through the tunnel which terminates on internal interface 10.2.1.1 of a remote head end ASA with an external facing interface to network 162.143.0.0. This ASA is behind Router B.

Internal 10.1.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 10.2.1.1<--ASA--> 162.143.0.0

My crypto map ACLs are not matching the interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up. But it's not matching the specific subnets I want to use.

ASA:

object network ANNEX_10.1.1.0
 subnet 10.1.1.0 255.255.255.0
!
object network XXXX_network_162.143.0.0
 subnet 162.143.0.0 255.255.0.0
!

access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_162.143.0.0 object ANNEX_10.1.1.0

Router:

ip access-list extended XXXX_VPN
 permit ip 10.1.1.0 0.0.0.255 162.143.0.0 0.0.255.255 log
!
crypto map XXXX_CMAP 10 ipsec-isakmp
 set peer 10.2.1.1
 set transform-set XXXX_TSET
 match address XXXX_VPN
!
interface GigabitEthernet0/0.60
 description XXXX_VPN_TEST
 encapsulation dot1Q 60
 ip address 10.1.1.1 255.255.255.0
 crypto map XXXX_CMAP

Any help appreciated,

-Mike

4 Replies

Piyush Jain
Level 1

Hi Mike,

Can you please clarify this statement:

"My crypto map ACLs are not matching the interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up. But it's not matching the specific subnets I want to use."

Does this mean that, when you use the 'permit ip any any' statement, you are trying to access the 162.143.X.X subnet from Router A's internal network 10.1.1.X, which makes the tunnel come up? Or are you accessing the subnet from some other subnet?

Do you have the required routing in place? Can you check if you have a route on Router A for the 162.143.X.X subnet with exit interface Gi0/0.60?

Hi Piyush,

Thank you for the prompt response. 

1. When I use "permit ip any any" and source a ping from interface Gi0/0.60 (10.1.1.1) to 162.143.0.0, the tunnel comes up. Although I can't reach the 162.143.0.0 network yet, I think that may be a NAT or other Phase 2 issue.

2. There is an existing redistributed route to that network, but not through the tunnel. I assumed the crypto map on the interface would supersede any other routes and automatically force traffic from 10.1.1.0 destined for 162.143.0.0 through the tunnel. Is that not the case?

Thank you again!

-Mike

Mike,

I don't think a crypto map can enforce the routing table, though PBR can.

As far as I know, you have to route the traffic manually for 160.143.X.X with exit interface Gi0/0.60.

I am curious why you are building an IPsec tunnel on a private network when you already have MPLS-VPN in place.

Thank you. I will try to add a PBR policy to see if that works. MPLS does not inherently provide encryption, which is a requirement for the particular traffic we're trying to route across it.
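The two points the thread turns on are that a crypto map is only consulted for traffic leaving the interface it is applied to (so the routing table, not the crypto ACL, decides whether a flow ever reaches the tunnel), and that the crypto ACLs on the two peers must be mirror images. The following Python model is an added example, not part of the original thread or any Cisco tooling. The ACL entries and interface Gi0/0.60 come from the post; the second egress interface toward the MPLS cloud (named Gi0/1 here), the routing tables, and the sample host addresses are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Assumed, constructed model of the scenario in the thread: one router with
# two egress interfaces, a crypto map applied to one of them, and a routing
# table. Gi0/1 (toward the MPLS cloud) is an assumed name; the ACL entries and
# Gi0/0.60 come from the post.


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    egress: str


class AclEntry(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    An IOS wildcard is an inverted subnet mask: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def longest_prefix_match(table, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Plain longest-prefix lookup; returns None when no route covers dst."""
    candidates = [r for r in table if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def acl_matches(acl, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return any(src in e.src and dst in e.dst for e in acl)


def classify_flow(table, crypto_maps, src: str, dst: str) -> Tuple[Optional[str], bool]:
    """Return (egress interface, encrypted?) for a flow src -> dst.

    The crypto map is looked up by egress interface: if the route sends the
    packet out an interface with no crypto map, the crypto ACL is never
    evaluated, however well it would have matched."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    route = longest_prefix_match(table, d)
    if route is None:
        return None, False
    acl = crypto_maps.get(route.egress)
    return route.egress, acl is not None and acl_matches(acl, s, d)


def mirror_check(router_acl, asa_acl) -> bool:
    """Every router entry must appear on the ASA side with src and dst swapped."""
    return all(AclEntry(e.dst, e.src) in asa_acl for e in router_acl)


# Router ACL XXXX_VPN from the post (IOS wildcard notation).
XXXX_VPN = [AclEntry(wildcard_to_network("10.1.1.0", "0.0.0.255"),
                     wildcard_to_network("162.143.0.0", "0.0.255.255"))]

# ASA ACL TEST_ENCRYPTION_TO_ANNEX from the post, with the network objects expanded.
TEST_ENCRYPTION_TO_ANNEX = [AclEntry(ipaddress.IPv4Network("162.143.0.0/16"),
                                     ipaddress.IPv4Network("10.1.1.0/24"))]

# Crypto map XXXX_CMAP is applied only on Gi0/0.60, as in the post.
CRYPTO_MAPS = {"GigabitEthernet0/0.60": XXXX_VPN}

# Constructed "before" table: the existing redistributed route for 162.143.0.0/16
# points toward the MPLS cloud via the assumed interface Gi0/1.
BEFORE = [Route(ipaddress.IPv4Network("10.1.1.0/24"), "GigabitEthernet0/0.60"),
          Route(ipaddress.IPv4Network("162.143.0.0/16"), "GigabitEthernet0/1")]

# Constructed "after" table: the same prefix now routed out the crypto-map interface.
AFTER = [r for r in BEFORE if r.egress != "GigabitEthernet0/1"] + [
    Route(ipaddress.IPv4Network("162.143.0.0/16"), "GigabitEthernet0/0.60")]


if __name__ == "__main__":
    # Constructed sample flow from an Annex host to a host behind the ASA.
    print("mirror ACLs:", mirror_check(XXXX_VPN, TEST_ENCRYPTION_TO_ANNEX))
    print("before:", classify_flow(BEFORE, CRYPTO_MAPS, "10.1.1.5", "162.143.1.1"))
    print("after: ", classify_flow(AFTER, CRYPTO_MAPS, "10.1.1.5", "162.143.1.1"))
```

With the "before" table the flow leaves via Gi0/1 and is never compared against XXXX_VPN, which is the symptom in the post: a matching crypto ACL that nothing ever hits. Once the route points out the interface that carries the crypto map, the same flow matches and is encrypted. The mirror check confirms the two crypto ACLs in the post are consistent, so the ACLs themselves are not the cause.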