09-13-2007 05:52 AM - edited 03-11-2019 04:10 AM
Hi all,
I have an ASA with several LAN-to-LAN VPNs and I have enabled "sysopt connection permit-vpn" but I would like to filter the incoming traffic in one VPN to deny some ports and allow the rest.
The problem is that, since I have other VPNs and I have enabled "sysopt connection permit-vpn", if I disable it I will lose connectivity for the rest of the VPNs.
Is there any way to filter only the traffic that arrives through a specific LAN-to-LAN VPN?
Regards, Fernando.
09-13-2007 05:55 AM
Yes, use the vpn-filter command.
http://cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607
Please rate helpful posts.
09-13-2007 06:01 AM
Hi acomiskey,
Thanks for your quick response. But I think that the "vpn-filter" command is only available for remote VPN users and not for LAN-to-LAN.
Could you confirm it?
Regards, Fernando.
09-13-2007 06:14 AM
No, you can use it for L2L tunnels as well.
09-13-2007 06:26 AM
Hi acomiskey,
I will try and will let you know.
What about my other post?
Regards, Fernando.
09-13-2007 06:09 AM
Hi acomiskey,
On the other hand, could I filter it on the VPN ACL?
For example:
access-list vpn_acl extended deny tcp 192.168.0.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0
access-list vpn_acl extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map vpn_map 10 match address vpn_acl
Could I use a deny entry in the match acl?
Regards, Fernando.
09-18-2007 01:52 AM
Hi acomiskey,
I have tried it and I can confirm that it works :-).
Thank you very much.
Regards, Fernando.
09-21-2007 05:23 AM
I didn't appreciate that vpn-filter could be used for L2L VPNs. How do you attach the vpn-filter to the L2L tunnel, do you assign it to a group policy and then attach this to the L2L tunnel-group?
e.g.
group-policy Filtered_L2L_GP attributes
vpn-filter value 10
vpn-tunnel-protocol IPSec
!
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy Filtered_L2L_GP
tunnel-group 1.2.3.4 ipsec-attributes
pre-shared-key *
Does the ACL need to permit the traffic in both directions, or is just outbound into the tunnel from the ASA?
If the requirement is for the VPN to be firewalled to, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?
09-21-2007 10:38 AM
"do you assign it to a group policy and then attach this to the L2L tunnel-group?"
-Yes.
"Does the ACL need to permit the traffic in both directions, or is just outbound into the tunnel from the ASA?"
-It depends whether or not you have an ACL applied on your inside interface. If not, then you need it applied on your outside interface, not outbound from the ASA.
"If the requirement is for the VPN to be firewalled to, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?"
-Yes.
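Added example, not part of the thread or of Cisco's own code: a small Python model of how the ASA evaluates a vpn-filter ACL, to answer the "both directions?" question above. The ACEs are written with the remote (peer) network as source and the local network as destination; traffic arriving from the tunnel is matched as written, and traffic initiated from the local side is checked against the same ACEs with source and destination (addresses and ports) swapped. It assumes 192.168.1.0/24 is the remote network and 192.168.0.0/24 the local one (the reverse of the crypto-map ACL earlier in the thread, which is written local to remote).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" or "tcp"
    src: ipaddress.IPv4Network      # remote side, as in a vpn-filter ACL
    dst: ipaddress.IPv4Network      # local side
    src_port: Optional[int] = None  # "eq <port>" after the source address
    dst_port: Optional[int] = None  # "eq <port>" after the destination address

def _matches(ace, proto, sip, sport, dip, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(sip) not in ace.src or ipaddress.ip_address(dip) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True

def vpn_filter_allows(acl, proto, sip, sport, dip, dport, from_remote):
    """First-match evaluation with an implicit deny at the end.
    Locally initiated traffic is evaluated with the 5-tuple reversed, so an ACE
    written 'remote -> local eq 80' also governs 'local (src port 80) -> remote'."""
    if not from_remote:
        sip, sport, dip, dport = dip, dport, sip, sport
    for ace in acl:
        if _matches(ace, proto, sip, sport, dip, dport):
            return ace.action == "permit"
    return False

REMOTE = ipaddress.ip_network("192.168.1.0/24")   # constructed: peer's LAN
LOCAL = ipaddress.ip_network("192.168.0.0/24")    # constructed: our LAN

# access-list 10 extended deny tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
# access-list 10 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
ACL_DENY_INBOUND_WEB = [
    Ace("deny", "tcp", REMOTE, LOCAL, dst_port=80),
    Ace("permit", "ip", REMOTE, LOCAL),
]

# Same, plus an ACE whose "eq 80" sits on the remote (source) side: that is
# the one that blocks hosts on our LAN from reaching web servers at the peer.
ACL_DENY_WEB_BOTH_WAYS = [Ace("deny", "tcp", REMOTE, LOCAL, src_port=80)] + ACL_DENY_INBOUND_WEB
```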