04-29-2008 07:33 AM - edited 02-21-2020 03:42 PM
Hello
I've setup a site-to-site VPN between an ASA 5550 7.2(3) and external contractor's network. I setup the VPN using the wizard and it worked fine. The wizard created the cryptomap acl seen below
access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the remote end network.
I'm trying to restrict the traffic tunnelled to about 6 tcp ports so I changed the acl (using the gui as well as from the cli) to the following:-
access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
where PERMITTED_TRAFFIC is a TCP service group containing the ports we'd like to tunnel.
As soon as I apply this acl (applied at the other end also) the tunnel goes down and neither end can re-initiate it.
My question is - how do you restrict what traffic (tcp ports) you want to send down the tunnel on the ASA?
Thanks
Andy
04-29-2008 07:36 AM
You have 2 options.
vpn-filter
Or something like this...
no sysopt connection permit-vpn
access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
access-list vpn extended permit ip any any
access-group vpn in interface inside
04-29-2008 07:43 AM
thanks for the quick response - i'll have a look at this and post back.
andy
04-29-2008 11:55 AM
hi
I am also having the same query; however, the link provided by you is for RA VPN.
Regards
Ankur
04-29-2008 01:53 PM
It is the same process for L2L.
05-01-2008 12:45 AM
created a group policy with a vpn filter and applied this to my tunnel group - can now control traffic in tunnel - thanks for the help.
andy
05-01-2008 03:18 AM
andy
Can you please let me know the commands (for the VPN filter, tunnel-group, group-policy as well as the crypto ACL) which you gave for the L2L VPN.
05-01-2008 05:00 AM
hello
i actually setup the group policy using the SDM GUI (on an ASA 5550 running 7.2(3)) but the running config shows the following:-
For the VPN filter the cmds are:
access-list CONTRACTORS_VPN_FILTER extended permit tcp B.B.B.B 255.255.255.0 object-group LOCAL_IPS object-group PERMITTED_PORTS
where CONTRACTORS_VPN_FILTER is the name I gave to the filter, B.B.B.B is the contractor's internal network, LOCAL_IPS is an object group I created containing the local IPs that the contractor can access and PERMITTED_PORTS is a service group containing the permitted TCP ports.
For the Group policy the cmds are:
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
vpn-filter value CONTRACTORS_VPN_FILTER
where CONTRACTORS is the name I gave to the policy and CONTRACTORS_VPN_FILTER is the VPN filter created earlier. When I created the policy through SDM all the other attributes were set to "inherit" so I changed those to match our default policy.
To apply the group policy to my already created tunnel the cmds are:
tunnel-group X.X.X.X general-attributes
default-group-policy CONTRACTORS
Where X.X.X.X is the contractors peer IP address and CONTRACTORS is the policy created earlier.
That's the config but it was a lot easier using SDM.
Cheers
Andy
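The vpn-filter ACL in the post above is written with the contractor network as source and LOCAL_IPS as destination, and the ASA reuses that one ACL for traffic in the other direction by swapping source and destination addresses and ports. A consequence worth checking before deploying such a filter is that the destination ports in the ACE refer to ports on the local side, so a filter like CONTRACTORS_VPN_FILTER permits contractor-initiated connections (and their replies) but not connections that local hosts initiate to the contractor. The Python below is an added example, not Andy's configuration or Cisco code; it models that evaluation rule (an assumption taken from Cisco's documented vpn-filter behaviour, not from this thread) over constructed networks and port groups so the intended and unintended flows can be tested offline.

```python
"""Simulate how an ASA vpn-filter ACL is evaluated in both tunnel directions.

Assumption (Cisco's documented vpn-filter rule, not something stated in the
thread): the ACL is written with the REMOTE network as source and the LOCAL
network as destination; for traffic entering the tunnel (local -> remote) the
ASA evaluates the same ACL with source/destination addresses and ports swapped.
All networks, object groups and ports below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the thread's LOCAL_IPS, B.B.B.B and PERMITTED_PORTS.
OBJECT_GROUPS = {
    "LOCAL_IPS": [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")],
    "CONTRACTOR_NET": [ip_network("172.16.50.0/24")],
}
SERVICE_GROUPS = {
    "PERMITTED_PORTS": {22, 443, 1433, 3389},
    "HTTPS_ONLY": {443},
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a None port group means 'any port'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src_group: str
    dst_group: str
    src_ports: Optional[str] = None
    dst_ports: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_group(ip: str, group: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in OBJECT_GROUPS[group])


def _port_ok(port: int, group: Optional[str]) -> bool:
    return group is None or port in SERVICE_GROUPS[group]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (_in_group(pkt.src_ip, ace.src_group)
            and _in_group(pkt.dst_ip, ace.dst_group)
            and _port_ok(pkt.src_port, ace.src_ports)
            and _port_ok(pkt.dst_port, ace.dst_ports))


def evaluate(acl, pkt: Packet) -> bool:
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def vpn_filter_allows(acl, pkt: Packet, direction: str) -> bool:
    if direction == "inbound":      # remote -> local: evaluated as written
        return evaluate(acl, pkt)
    if direction == "outbound":     # local -> remote: addresses and ports swapped
        swapped = Packet(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return evaluate(acl, swapped)
    raise ValueError(f"unknown direction {direction!r}")


# Equivalent of the thread's single-ACE filter: contractor -> local on permitted ports.
CONTRACTORS_VPN_FILTER = [
    Ace("permit", "tcp", "CONTRACTOR_NET", "LOCAL_IPS", dst_ports="PERMITTED_PORTS"),
]
# Hypothetical extension: also let local hosts reach the contractor on 443. Because
# the ACL is swapped for outbound traffic, the remote port goes in the SOURCE position.
CONTRACTORS_VPN_FILTER_V2 = CONTRACTORS_VPN_FILTER + [
    Ace("permit", "tcp", "CONTRACTOR_NET", "LOCAL_IPS", src_ports="HTTPS_ONLY"),
]


def check_flows(acl) -> dict:
    """Run a set of constructed flows through the filter; True means permitted."""
    flows = {
        "contractor_to_local_443": (Packet("tcp", "172.16.50.10", 51000, "10.1.1.5", 443), "inbound"),
        "reply_local_443_to_contractor": (Packet("tcp", "10.1.1.5", 443, "172.16.50.10", 51000), "outbound"),
        "contractor_to_local_80": (Packet("tcp", "172.16.50.10", 51001, "10.1.1.5", 80), "inbound"),
        "contractor_udp_to_local_443": (Packet("udp", "172.16.50.10", 51002, "10.1.1.5", 443), "inbound"),
        "local_to_contractor_443": (Packet("tcp", "10.1.1.5", 52000, "172.16.50.20", 443), "outbound"),
    }
    return {name: vpn_filter_allows(acl, pkt, d) for name, (pkt, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", CONTRACTORS_VPN_FILTER), ("with outbound 443", CONTRACTORS_VPN_FILTER_V2)):
        print(f"--- {label} ---")
        for name, allowed in check_flows(acl).items():
            print(f"{name:32s} {'permit' if allowed else 'deny'}")
```

Running it shows the single-ACE filter permitting the contractor-initiated HTTPS flow and its reply while denying port 80, UDP, and the locally initiated connection to the contractor's port 443; the second ACL permits that last flow only because the remote port is placed in the source position of the ACE.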