How does an ASA view packets coming from a remote site-to-site peer? As inside or outside?

  • I'm trying to test ACLs coming inbound from a remote peer site (using packet-tracer) (IPsec site-to-site VPN) and I wanted to know which interface's ACLs are checked in this case and which interface I use for the packet-tracer command?

    If incoming IPs are coming in over a site-to-site tunnel, do they hit the inside interface's ACLs? Thanks in advance!

    Are you asking about the encapsulating packets with an IP type of GRE or ESP, or the packets that have been decrypted and are ready to route to the local site?

    I'm asking: if I have host A behind an ASA at one side, and host B behind another ASA at a remote site, and both sites have an IPsec site-to-site VPN tunnel between them, how would I accurately test ACLs from host A to B and vice versa with packet-tracer? Would I use `packet-tracer input INSIDE` in both directions, or `packet-tracer input INSIDE` for one way and `packet-tracer input OUTSIDE` for the other way?

    If I understand your question correctly, you'd use `inside` on both ends. The tunnel endpoint interface is logically on the inside.

    Ok, and that's what I thought, but it does pass physically through the outside interface, so I wasn't sure if traffic would bypass the access-lists on the outside interface, or how that worked and the impact it would have on packet-tracer tracing? Please confirm that testing traffic in both directions using `packet-tracer input INSIDE` for both directions is correct! Tysm :)

    There's a virtual "wormhole" at the edge of the tunnel. The tunnel interface is in some zone, but packets entering it get magically packaged up and delivered (inside new GRE or ESP packets with completely different headers) to another endpoint, where they're unwrapped and pop out magically from another tunnel interface. Conceptually, pretend that the two tunnel interfaces are just like a pair of Ethernet ports with a wire between them.

    Ok, so as far as processing and ACLs go, it's functionally like INSIDE to INSIDE traffic?

    As long as you're attaching the ACLs in the right place, yes.

    Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.

  • They originate on the outside interface. This is one of my NAT entries for an international site connected via L2L:

    nat (inside-office,ISPA) source static Corporate Corporate destination static France France no-proxy-arp route-lookup
    

    ISPA -> translates to outside for most people, 0 security interface

    Corporate -> object-group network containing the local/MPLS subnets

    France -> object-group network containing the remote site subnets

    This applies to the ACLs as well. However, you will need to use:

    no sysopt connection permit-vpn
    

    Otherwise the VPN traffic will bypass the ACLs.

    However, you can use a VPN filter instead of placing ACLs on the interface and avoid turning off the `sysopt connection permit-vpn` option.

    Example may be found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

    Ty for your help, I haven't had time to digest this yet, but I will mark answered once I have time to read through what you've posted!

    No worries. Personally I use the VPN filter for my networks. Less ACL maintenance, as you don't have to mess with any interface ACLs.
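    As an added example (not from the question or any of the answers above), here is what the VPN-filter approach from this answer looks like in ASA configuration, together with the packet-tracer checks for both directions. The subnets, the peer address 203.0.113.10 and the interface name ISPA are constructed/assumed; the object-group names Corporate and France are the ones used in the answer. One caveat worth knowing: Cisco's convention for a vpn-filter ACL is remote side as source and local side as destination, and the ASA applies the same ACL to the reverse direction by matching it backwards, so one ACL governs both directions.

```cisco
! Added example, not the original poster's configuration.
! Assumed: local LAN 10.1.0.0/16 behind inside-office, remote "France" LAN
! 10.2.0.0/16 behind peer 203.0.113.10, outside interface named ISPA.
object-group network Corporate
 network-object 10.1.0.0 255.255.0.0
object-group network France
 network-object 10.2.0.0 255.255.0.0

! vpn-filter ACL: source = remote (France), destination = local (Corporate).
! The ASA also matches this ACL in reverse for local-to-remote traffic,
! so these lines allow 443 and ICMP in both directions and nothing else.
access-list VPN-FILTER-FRANCE extended permit tcp object-group France object-group Corporate eq 443
access-list VPN-FILTER-FRANCE extended permit icmp object-group France object-group Corporate
! implicit deny at the end: any other traffic through this tunnel is dropped

! Attach the filter to the group policy that the L2L tunnel-group uses.
group-policy GP-FRANCE internal
group-policy GP-FRANCE attributes
 vpn-filter value VPN-FILTER-FRANCE

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-FRANCE

! Because the vpn-filter does the filtering, the default can stay in
! place; decrypted VPN traffic still bypasses the interface ACLs on ISPA.
sysopt connection permit-vpn

! Verification: a remote host reaching a local server is traced as a flow
! arriving on the outside interface (ISPA), as described in the answer ...
packet-tracer input ISPA tcp 10.2.0.5 40000 10.1.0.5 443 detailed
! ... and the local-to-remote direction is traced from the inside.
packet-tracer input inside-office tcp 10.1.0.5 40000 10.2.0.5 443 detailed
! Confirm the filter is bound to the active L2L session.
show vpn-sessiondb detail l2l
```

    In the packet-tracer output, look for a VPN phase followed by the ACCESS-LIST phase that names VPN-FILTER-FRANCE; a traced flow not matched by the filter ends with a DROP result there rather than at the interface ACL.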

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM