restricting traffic in a site-to-site vpn tunnel

andrewswanson
Level 7

Hello

I've set up a site-to-site VPN between an ASA 5550 7.2(3) and an external contractor's network. I set up the VPN using the wizard and it worked fine. The wizard created the crypto map ACL seen below:

access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0

where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the remote end network.

I'm trying to restrict the traffic tunnelled to about 6 TCP ports, so I changed the ACL (using the GUI as well as from the CLI) to the following:

access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC

where PERMITTED_TRAFFIC is a TCP service group containing the ports we'd like to tunnel.

As soon as I apply this acl (applied at the other end also) the tunnel goes down and neither end can re-initiate it.

My question is - how do you restrict what traffic (tcp ports) you want to send down the tunnel on the ASA?

Thanks

Andy

Accepted Solution

acomiskey
Level 10

You have 2 options.

vpn-filter

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or something like this...

no sysopt connection permit-vpn

access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC

access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0

access-list vpn extended permit ip any any

access-group vpn in interface inside

7 Replies

Thanks for the quick response - I'll have a look at this and post back.

andy

Hi

I am also having the same query; however, the link you provided is for RA VPN.

Regards

Ankur

It is the same process for L2L.

Created a group policy with a VPN filter and applied this to my tunnel group - I can now control traffic in the tunnel - thanks for the help.

andy

Andy,

Can you please let me know the commands (VPN filter, tunnel-group, group-policy as well as crypto ACL) which you gave for the L2L VPN?

Hello

I actually set up the group policy using the SDM GUI (on an ASA 5550 running 7.2(3)), but the running config shows the following:

For the VPN filter the cmds are:

access-list CONTRACTORS_VPN_FILTER extended permit tcp B.B.B.B 255.255.255.0 object-group LOCAL_IPS object-group PERMITTED_PORTS

where CONTRACTORS_VPN_FILTER is the name I gave to the filter, B.B.B.B is the contractor's internal network, LOCAL_IPS is an object group I created containing the local IPs that the contractor can access, and PERMITTED_PORTS is a service group containing the permitted TCP ports.

For the Group policy the cmds are:

group-policy CONTRACTORS internal

group-policy CONTRACTORS attributes

vpn-filter value CONTRACTORS_VPN_FILTER

where CONTRACTORS is the name I gave to the policy and CONTRACTORS_VPN_FILTER is the VPN filter created earlier. When I created the policy through SDM all the other attributes were set to “inherit” so I changed those to match our default policy.

To apply the group policy to my already created tunnel the cmds are:

tunnel-group X.X.X.X general-attributes

default-group-policy CONTRACTORS

Where X.X.X.X is the contractor's peer IP address and CONTRACTORS is the policy created earlier.

That's the config but it was a lot easier using SDM.

Cheers

Andy
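The pieces above assembled into one complete, ordered L2L configuration, as an added example that is not from any post in this thread. The object-group contents, the port list, the X.X.X.X peer address and the use of 10.0.0.0/24 as the contractor network are assumptions; the lines beginning with "!" are annotations, not configuration.

```cisco
! Object groups referenced by the crypto ACL and the vpn-filter.
! (Addresses and ports are placeholders, not from the thread.)
object-group network LOCAL_IPS
 network-object 192.168.10.0 255.255.255.0
object-group service PERMITTED_PORTS tcp
 port-object eq 22
 port-object eq 443
 port-object eq 3389
! The crypto ACL stays "permit ip": it only defines which address pairs
! the tunnel carries (the proxy IDs both peers must agree on).
! Narrowing it to tcp/ports is what broke the tunnel in the question.
access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
! The vpn-filter ACL is written with the remote network as the source
! and the local network as the destination. The ASA applies it to
! decrypted traffic arriving from the tunnel and, with addresses
! reversed, to traffic leaving for the tunnel, so a single line
! restricts both directions to the permitted TCP ports. Anything not
! permitted here is dropped (implicit deny), which is the actual policy.
access-list CONTRACTORS_VPN_FILTER extended permit tcp 10.0.0.0 255.255.255.0 object-group LOCAL_IPS object-group PERMITTED_PORTS
! Group policy carrying the filter, attached to the existing L2L tunnel.
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter value CONTRACTORS_VPN_FILTER
tunnel-group X.X.X.X general-attributes
 default-group-policy CONTRACTORS
```

The same object groups are used for both the crypto ACL and the filter so that a later change to LOCAL_IPS is picked up by both; only the filter ever names ports.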
