I've set up a site-to-site VPN between an ASA 5550 7.2(3) and an external contractor's network. I set up the VPN using the wizard and it worked fine. The wizard created the cryptomap ACL seen below:
access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the remote end network.
I'm trying to restrict the traffic tunnelled to about 6 TCP ports, so I changed the ACL (using the GUI as well as from the CLI) to the following:
access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
where PERMITTED_TRAFFIC is a TCP service group containing the ports we'd like to tunnel.
As soon as I apply this acl (applied at the other end also) the tunnel goes down and neither end can re-initiate it.
My question is: how do you restrict what traffic (TCP ports) you want to send down the tunnel on the ASA?
You have 2 options.
Or something like this...
no sysopt connection permit-vpn
access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
access-list vpn extended permit ip any any
access-group vpn in interface inside
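An added example, not from the thread, that evaluates the answer's `vpn` interface ACL the way the ASA does (first matching entry wins, implicit deny at the end), so you can check which local-to-remote flows are allowed before applying it. The object-group memberships are assumed.

```python
import ipaddress

# Constructed assumptions: the members of the two object groups the thread references.
GROUPS = {
    "LOCAL_IPS": ["192.168.10.0/24", "192.168.20.0/24"],  # assumed local subnets
    "PERMITTED_TRAFFIC": {22, 80, 443, 445, 3389, 5432},  # assumed tunnelled TCP ports
}
# The three ACEs from the answer, in the order they are configured.
ACL_VPN_TEXT = """
access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
access-list vpn extended permit ip any any
"""

def _address(tokens, groups):
    """Consume one address clause: 'any', 'object-group NAME' or 'addr mask'."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return [ipaddress.ip_network(n) for n in groups[tokens[1]]], tokens[2:]
    # ASA writes dotted netmasks; ipaddress accepts the "net/mask" form directly.
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_acl(text, groups):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [object-group SVC]' lines."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[3], tokens[4], tokens[5:]
        src, rest = _address(rest, groups)
        dst, rest = _address(rest, groups)
        ports = groups[rest[1]] if rest[:1] == ["object-group"] else None
        acl.append((action, proto, src, dst, ports))
    return acl

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; a flow matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, srcs, dsts, ports in acl:
        if aproto != "ip" and aproto != proto:
            continue  # a tcp ACE never matches udp/icmp; 'ip' matches everything
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"

ACL_VPN = parse_acl(ACL_VPN_TEXT, GROUPS)
```

Note that a local host outside LOCAL_IPS, or a local host talking to anything other than 10.0.0.0/24, falls through to the final `permit ip any any`, so only traffic that would actually match the crypto ACL is narrowed.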