ASA5540 ACL not working for VPN access.

jkeeffe
Level 2

I'm running 8.03 code and have a simple L2L VPN configured between two sites. This is actually a test config in my lab, but I'm having trouble restricting traffic using an inside ACL.

I used the VPN Wizard to do the initial config and then added an inside (out) ACL to restrict traffic once the tunnel comes up.

The crypto map is as follows:

access-list outside_1_cryptomap extended permit ip 164.72.1.128 255.255.255.240 host SunMed_pc

Then I have an ACL to limit traffic to pinging GHC_laptop, telnet to GHC_switch and deny everything else:

access-list inside_access_out extended permit icmp host SunMed_pc host GHC_Laptop
access-list inside_access_out extended permit tcp host SunMed_pc host GHC_switch eq telnet
access-list inside_access_out extended deny ip any any

However, SunMed_pc can also ping GHC_switch and can FTP to GHC_laptop, even though the hit counter on the 3rd (deny-all) entry increases when I do that.

I've attached a Word document that has the entire config along with a screen shot showing the ACL and the hits.

Do I have the ACL set up incorrectly or is the ACL in fact not working as expected?

3 Replies

acomiskey
Level 10

As long as you have "sysopt connection permit-vpn", all IPsec traffic will bypass interface ACLs. If you wish to filter IPsec traffic with interface ACLs, then you have to enter...

no sysopt connection permit-vpn

In ASDM, this option is located at

Config -> site to site vpn -> advanced -> system options -> "enable inbound ipsec sessions to bypass interface access lists"

If I keep sysopt connection permit-vpn, is there no way to restrict traffic? I was told to keep all IP as interesting traffic as a best practice when building L2L VPNs, but I must be able to restrict traffic.

What would be the best config method then if I simply wanted SunMed_pc to telnet to GHC_switch?

Also, this ASA-5540 will strictly be for L2L VPN connections and will not be used as a firewall in any way, and I will eventually have dozens of VPNs configured on it. With that in mind, is it best to use 'sysopt connection permit-vpn'?

You can still keep all IP for your interesting-traffic ACLs. If you remove the sysopt, then you would write the access in your "inside_access" ACL like you did above.

If you are going to have dozens of L2L tunnels and will be restricting them all, then I would just remove the sysopt and use the interface ACLs.

There is another option. You can leave the sysopt and use a vpn-filter. It is explained here and can be applied to l2l.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1524559
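The vpn-filter option from the accepted answer, worked through for this thread's setup as an added example (not configuration posted by either participant). It reuses the names from the original post (SunMed_pc, GHC_Laptop, GHC_switch) and assumes a placeholder peer address 203.0.113.10, since the remote peer is not given on the page.

```cisco
! Added example: restrict SunMed_pc over the L2L tunnel with a vpn-filter while
! leaving "sysopt connection permit-vpn" in place (the ASA default).
! 203.0.113.10 is a placeholder for the remote peer; it is not on the page.
!
! Crypto ACL stays "all IP" between the two sides, as the OP was advised.
access-list outside_1_cryptomap extended permit ip 164.72.1.128 255.255.255.240 host SunMed_pc
!
! vpn-filter ACL. Per Cisco's documented convention the filter is written with the
! REMOTE side (SunMed_pc) as source and the LOCAL side as destination, and the ASA
! applies it to tunnel traffic in both directions. The implicit deny at the end
! drops everything else, including SunMed_pc -> GHC_switch ICMP and
! SunMed_pc -> GHC_Laptop FTP, the two flows the OP saw leaking through.
access-list vpnfilt_sunmed extended permit icmp host SunMed_pc host GHC_Laptop
access-list vpnfilt_sunmed extended permit tcp host SunMed_pc host GHC_switch eq telnet
!
! Bind the filter to a group policy and hand that policy to the L2L tunnel group.
group-policy GP_SunMed internal
group-policy GP_SunMed attributes
 vpn-filter value vpnfilt_sunmed
!
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SunMed
!
! Verification after the tunnel is re-established:
!   show access-list vpnfilt_sunmed      (hit counts on the two permit lines)
!   show vpn-sessiondb detail l2l        (session lists the filter name)
!
! The other option from the thread: disable the bypass so interface ACLs apply.
!   no sysopt connection permit-vpn
!   access-group inside_access_out out interface inside
```

With this approach each additional L2L peer gets its own filter ACL and group policy, so the per-tunnel restrictions stay with the tunnel rather than accumulating in one interface ACL.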
