I have a L2L VPN tunnel created with a vendor. I have a set of users who need to access a web server, just TCP 80 I am advised.
Naturally, I am going to filter what this vendor can access on my network. The vendor doesn't get to access anything the vendor wants. I'm going to use the "vpn-filter" command to deploy an ACL on the group-policy. The group-policy is locked to a tunnel group.
I have found that in order for my users to just get a reply from the web server, I have to put a line in my vpn-filter ACL like the one below.
access-list VENDER-ACL line 8 extended permit tcp object-group VENDER-SERVERS eq www 192.168.99.0 255.255.255.0 gt 1023
If I put this line in "inactive" mode, then no replies to the SYNs even return to my clients. If I activate this line, then my users can access this web server, a complete TCP handshake occurs and http passes back and forth.
I do not like what this ACL really says. This ACL says that the vendor's servers can access ANY TCP port over 1023 on my clients if they know to source the connection attempt from TCP 80. If NMAP can spoof a source port, then anything else can.
Cisco's docs say that the vpn-filter is stateful. Having to put a line like line 8 above doesn't seem very stateful at all.
I do not like this. Is there any way around this? Is there a real stateful solution?
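To make the concern in the post concrete, here is an added example (not part of the original post, and not Cisco's code) that evaluates line 8 as a plain stateless 5-tuple match and compares it with what a session-aware check would allow. The vendor address range 203.0.113.0/24 and the individual hosts and ports are constructed placeholders; the 192.168.99.0/24 client subnet and the VENDER-SERVERS name come from the post. The source side of the rule is the vendor (as the ACL line is written), the destination side is the local client subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the post's VENDER-SERVERS object-group.
VENDER_SERVERS = ipaddress.ip_network("203.0.113.0/24")
# Client subnet taken from the post's ACL line.
CLIENTS = ipaddress.ip_network("192.168.99.0/24")


@dataclass(frozen=True)
class Packet:
    """A vendor-to-client TCP packet as seen on the tunnel (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


def line8_permits(pkt: Packet) -> bool:
    """Stateless evaluation of the post's line 8:
    permit tcp object-group VENDER-SERVERS eq www 192.168.99.0 255.255.255.0 gt 1023
    Only the 5-tuple is inspected; TCP flags and connection history are ignored."""
    return (
        ipaddress.ip_address(pkt.src_ip) in VENDER_SERVERS
        and pkt.src_port == 80
        and ipaddress.ip_address(pkt.dst_ip) in CLIENTS
        and pkt.dst_port > 1023
    )


def session_permits(pkt: Packet, sessions: set) -> bool:
    """What a genuinely stateful check would do: pass a vendor->client packet only
    if it belongs to a connection a local client already opened to port 80.
    A session key is (client_ip, client_port, server_ip, server_port)."""
    key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return key in sessions


def audit():
    """Run both checks over three constructed packets and return
    [(description, line8_result, stateful_result), ...]."""
    # A client at 192.168.99.10 opened 192.168.99.10:40000 -> 203.0.113.5:80.
    sessions = {("192.168.99.10", 40000, "203.0.113.5", 80)}

    packets = [
        # 1. The legitimate SYN-ACK reply to the client's handshake.
        ("reply to client's own SYN",
         Packet("203.0.113.5", 80, "192.168.99.10", 40000, syn=True, ack=True)),
        # 2. An unsolicited SYN from source port 80 to an unrelated high port:
        #    this is exactly the traffic the post worries line 8 lets through.
        ("unsolicited SYN from port 80 to high port",
         Packet("203.0.113.5", 80, "192.168.99.10", 3389, syn=True, ack=False)),
        # 3. Traffic not sourced from port 80 is stopped by line 8 anyway.
        ("packet from port 443",
         Packet("203.0.113.5", 443, "192.168.99.10", 40000, syn=False, ack=True)),
    ]
    return [(desc, line8_permits(p), session_permits(p, sessions)) for desc, p in packets]


if __name__ == "__main__":
    for desc, stateless, stateful in audit():
        print(f"{desc:45s} line8={stateless!s:5s} stateful={stateful}")
```

Packet 2 is the point of the post: the stateless rule permits it because source port 80 and a destination port above 1023 are all it checks, while the session-aware check rejects it because no client opened that connection.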