ASA5510 7.2 ipsec-filter all data flow

Unanswered Question

Hi,


I want to limit incoming traffic from a remote tunnel; I do this via a group policy mapped to an ACL and to a tunnel group.


For example:


local: 192.168.1.0 255.255.255.0

remote: 192.168.2.0 255.255.255.0

access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-group inside in interface inside


access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

group-policy tunnelpol internal
group-policy tunnelpol attributes
 vpn-filter value tunnel-data


tunnel-group tunnelgrp general-attributes
 default-group-policy tunnelpol


sysopt connection permit-vpn


No data flows; I get the error: Deny inbound tcp 80 src inside 192.168.1.1 to 192.168.2.1 on interface inside


If I add this: access-list tunnel-data permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, all traffic flows in both directions, but I only want to allow ALL from local to remote and only TCP 80 from remote to local.


Stateful, everything should flow (ACKs from remote), but SYNs only from the source.
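One way to express the directional policy the post asks for, as an added example and not the poster's own configuration. It assumes the interfaces are named inside and outside, that this is a site-to-site tunnel, and an outside ACL name (outside_in) chosen here for illustration. The key point is that a vpn-filter ACL is written with the remote network as source and is evaluated for both directions of the tunnel, with source and destination swapped for outbound packets; it has no notion of which side opened the connection, so it cannot say "any from local, only 80 from remote". Interface ACLs are connection-aware (only the first packet of a connection is checked; replies are matched by the connection table), so the direction-aware filter belongs there once VPN traffic is no longer exempted from them:

```cisco
! Added example, not the original post's config. Assumes interfaces named
! inside/outside, a site-to-site tunnel, and the ACL name outside_in.
!
! Why the vpn-filter attempt cannot work: the filter is applied to post-decrypt
! and pre-encrypt traffic with source/destination swapped for the outbound
! check. "permit tcp remote local eq 80" therefore allows remote->local:80 and
! local:80->remote, but denies a local-initiated connection to remote:80,
! which is exactly the "Deny inbound tcp 80 ... on interface inside" seen.

! 1. Stop exempting decrypted VPN traffic from interface ACLs.
no sysopt connection permit-vpn

! 2. Remove the bidirectional vpn-filter from the group policy.
group-policy tunnelpol attributes
 vpn-filter none

! 3. Local -> remote: anything. New connections from 192.168.1.0/24 enter the
!    ASA inbound on "inside", so the inside ACL controls them.
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside in interface inside

! 4. Remote -> local: only new TCP/80 connections. Decrypted tunnel traffic is
!    checked against the inbound ACL of the interface the tunnel terminates on.
!    Reply packets for connections opened from inside never hit this ACL; they
!    are permitted by the stateful connection table.
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-group outside_in in interface outside
```

Caveat: once sysopt connection permit-vpn is disabled it is disabled for every tunnel terminating on the ASA, so any other site-to-site or remote-access tunnel on the same box also needs explicit permits in the outside interface ACL, and anything not listed there is dropped after decryption.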

