04-29-2008 07:33 AM - edited 02-21-2020 03:42 PM
Hello
I've setup a site-to-site VPN between an ASA 5550 7.2(3) and external contractor's network. I setup the VPN using the wizard and it worked fine. The wizard created the cryptomap acl seen below
access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the remote end network.
I'm trying to restrict the traffic tunnelled to about 6 TCP ports, so I changed the ACL (using the GUI as well as from the CLI) to the following:
access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
where PERMITTED_TRAFFIC is a TCP service group containing the ports we'd like to tunnel.
As soon as I apply this acl (applied at the other end also) the tunnel goes down and neither end can re-initiate it.
My question is - how do you restrict what traffic (tcp ports) you want to send down the tunnel on the ASA?
Thanks
Andy
04-29-2008 07:36 AM
You have 2 options.
vpn-filter
Or something like this...
no sysopt connection permit-vpn
access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
access-list vpn extended permit ip any any
access-group vpn in interface inside
04-29-2008 07:43 AM
Thanks for the quick response - I'll have a look at this and post back.
andy
04-29-2008 11:55 AM
Hi
I am also having the same query; however, the link you provided is for RA VPN.
Regards
Ankur
04-29-2008 01:53 PM
It is the same process for L2L.
05-01-2008 12:45 AM
Created a group policy with a vpn-filter and applied this to my tunnel group - I can now control traffic in the tunnel - thanks for the help.
andy
05-01-2008 03:18 AM
andy
Can you please let me know the commands (vpn-filter, tunnel-group, group-policy as well as the crypto ACL) which you used for the L2L VPN.
05-01-2008 05:00 AM
Hello
I actually set up the group policy using the SDM GUI (on an ASA 5550 running 7.2(3)), but the running config shows the following:
For the VPN filter the cmds are:
access-list CONTRACTORS_VPN_FILTER extended permit tcp B.B.B.B 255.255.255.0 object-group LOCAL_IPS object-group PERMITTED_PORTS
where CONTRACTORS_VPN_FILTER is the name I gave to the filter, B.B.B.B is the contractor's internal network, LOCAL_IPS is an object group I created containing the local IPs that the contractor can access, and PERMITTED_PORTS is a service group containing the permitted TCP ports.
For the Group policy the cmds are:
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
vpn-filter value CONTRACTORS_VPN_FILTER
where CONTRACTORS is the name I gave to the policy and CONTRACTORS_VPN_FILTER is the VPN filter created earlier. When I created the policy through SDM all the other attributes were set to "inherit", so I changed those to match our default policy.
To apply the group policy to my already created tunnel the cmds are:
tunnel-group X.X.X.X general-attributes
default-group-policy CONTRACTORS
Where X.X.X.X is the contractors peer IP address and CONTRACTORS is the policy created earlier.
That's the config but it was a lot easier using SDM.
Cheers
Andy
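Putting the thread's pieces together, here is an added example (not Andy's running config) of the complete L2L restriction on an ASA 7.2(3): the crypto ACL left as permit ip, the vpn-filter written from the remote side's point of view for both initiation directions, and the group-policy/tunnel-group binding. All object-group names, subnets, ports and the peer address 203.0.113.1 are placeholders chosen for illustration.

```cisco
! Added example, not the poster's config. Names, subnets, ports and the
! peer address are placeholders.
!
! 1. Leave the crypto ACL as "permit ip". It only selects interesting traffic
!    and must mirror the peer's ACL; do the port filtering with vpn-filter,
!    which is the approach that worked in the thread.
object-group network LOCAL_IPS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object-group network REMOTE_NET
 network-object 10.0.0.0 255.255.255.0
object-group service PERMITTED_PORTS tcp
 port-object eq 22
 port-object eq 443
 port-object eq 3389
access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS object-group REMOTE_NET
!
! 2. vpn-filter ACL. It is checked on decrypted traffic in BOTH directions and is
!    always written with the remote network as source and our hosts as destination.
!    - contractor-initiated sessions to our hosts: the service port is the DESTINATION
access-list CONTRACTORS_VPN_FILTER extended permit tcp object-group REMOTE_NET object-group LOCAL_IPS object-group PERMITTED_PORTS
!    - sessions our hosts open to the contractor: the remote service port is the SOURCE
!      (drop this line if nobody inside should initiate towards the contractor)
access-list CONTRACTORS_VPN_FILTER extended permit tcp object-group REMOTE_NET object-group PERMITTED_PORTS object-group LOCAL_IPS
! Anything else arriving through the tunnel hits the implicit deny. With the
! default "sysopt connection permit-vpn" still set, interface ACLs are bypassed
! for VPN traffic, so this filter is the only control on it.
!
! 3. Bind the filter to a group policy and hand that policy to the L2L tunnel group
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter value CONTRACTORS_VPN_FILTER
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy CONTRACTORS
!
! 4. Verify the filter is attached to the live session and that its entries get hits
show vpn-sessiondb detail l2l
show access-list CONTRACTORS_VPN_FILTER
```

If the tunnel is already up when the filter is added, clear the IPsec SA for the peer so the new group policy is picked up on re-establishment.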