Hi to all,
I would like to know how I can filter the VPN traffic with an access-list, using the source address and the destination port as filters.
I have tried with "no sysopt connection permit-vpn", but that is for filtering the traffic through the VPN tunnel, and I want to filter the hosts that can establish the VPN tunnel.
I have done this in a router with this access-list:
access-list 101 remark VPN
access-list 101 permit ahp host x.x.x.x any
access-list 101 permit esp host x.x.x.x any log
access-list 101 permit esp host x.x.x.x any
access-list 101 permit udp host x.x.x.x any eq isakmp
access-list 101 permit udp host x.x.x.x any eq non500-isakmp
But I have tried the same in the ASA and it doesn't work. I think that it is because the ASA doesn't apply the access-list to the VPN traffic.
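As an added illustration (not part of the original post), the following Python script evaluates the poster's router ACL the way IOS does: first match wins, an unmatched packet falls through to the implicit deny. The peer address 198.51.100.10 and the test destinations are constructed placeholders standing in for the x.x.x.x in the post; the keyword ports isakmp (UDP 500) and non500-isakmp (UDP 4500) are the standard IKE/NAT-T values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ACL from the post; the placeholder x.x.x.x has been
# replaced with a documentation address (198.51.100.10), not a real peer.
ACL_101 = """
access-list 101 remark VPN
access-list 101 permit ahp host 198.51.100.10 any
access-list 101 permit esp host 198.51.100.10 any log
access-list 101 permit esp host 198.51.100.10 any
access-list 101 permit udp host 198.51.100.10 any eq isakmp
access-list 101 permit udp host 198.51.100.10 any eq non500-isakmp
"""

# IOS port keywords used by this ACL: IKE on UDP/500, NAT-T on UDP/4500.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ahp", "esp", "udp", "tcp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port

def parse_addr(tokens):
    """Consume one IOS address spec ('host A', 'any' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse numbered-ACL lines into Ace entries, skipping remarks."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; anything unmatched hits IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst \
                and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"
```

Running evaluate() for IKE, NAT-T, ESP and AH from the allowed peer returns "permit", while the same protocols from any other source, or any other port from the allowed peer, fall through to "deny".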
You can disable it with "no crypto isakmp enable outside" but then even if you apply an acl on the outside which allows all IP, ESP, AH it still will not allow an IPSEC connection.
So at the moment I can't see any way to achieve this without using an ACL on your upstream router.
I'll do some reading just in case I've missed anything.