10-27-2008 03:59 AM - edited 03-11-2019 07:03 AM
Hi,
I have a site-to-site VPN setup with a client on our PIX. The tunnel is currently using the default group policy, so access is only permitted to the customer servers. I would like to grant the customer site http access to one of our internal servers. Below is the config I have used. Once I'd applied the config below, I could no longer connect to any of the customer servers.
access-list acl_client_access permit tcp host x.x.x.x host x.x.x.x eq http
group-policy gp_client internal
group-policy gp_client attributes
vpn-filter value acl_client_access
vpn-tunnel-protocol IPSec
tunnel-group x.x.x.x general-attributes
default-group-policy gp_client
Your help is appreciated.
Thanks
10-27-2008 06:05 AM
The direction of vpn-filter ACLs are a little tricky, have a look at this:
It would be nice if you can post the exact ACL outlining the VPN pool and server IPs (you may substitute them with any dummy address for security reasons... but x.x.x.x doesn't help much).
Regards
Farrukh
10-27-2008 08:25 AM
Hi,
the access-list I mentioned above is configured to permit the client host to the ftp server and nothing else. All traffic is NAT 0'd.
I changed the access-list to also permit the internal subnet (my network) to the client subnet. Yet I still can't connect to the client machines anymore.
Internal Subnet: 192.168.1.0/24
Client Subnet: 192.168.2.0/24
access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1
10-27-2008 09:03 AM
I also tried the following acl:
access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1 eq 80
access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
10-27-2008 12:46 PM
Try to run a 'packet-tracer' command on this desired TCP flow and see what you get.
Regards
Farrukh
10-29-2008 03:55 AM
Hi,
The packet tracer shows the traffic being dropped by an access-list, but it doesn't say which one. The message I get is '(acl-drop) Flow is denied by configured rule'
Thanks
10-29-2008 04:02 AM
It does show the ACL name, just make sure you use the 'detailed' keyword after the command.
Regards
Farrukh
10-29-2008 04:20 AM
Hi,
If I add a permit ip any any to the accesslist being used by the vpn filter, this gives me access again to the customer hosts.
My understanding of the VPN filter is that I should be able to permit access from my subnet to the clients and also give the required access to the customer clients to get http access to my subnet.
I don't want to permit all access from the client subnet to mine, unless it was initiated from my subnet.
10-29-2008 04:28 AM
You would need to tell more details about the IP addressing to comment about the VPN filter. As a second step you can enable ALL IP traffic between the subnets (instead of specific ports). Then see if it works.
Regards
Farrukh
10-29-2008 04:45 AM
Hi, the details are:
Internal Subnet: 192.168.1.0/24
Client Subnet: 192.168.2.0/24
We're not natting to anything currently.
The VPN filter acl is as follows:
access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http
However, this results in no traffic being allowed from the internal subnet to the client subnet.
Thanks
10-29-2008 04:52 AM
It seems you did not read the document I posted earlier, here is the quote:
"An ACL that is used for a vpn-filter must not also be used for an interface access-group. When a vpn-filter is applied to a group-policy/user name mode that governs Remote Access VPN Client connections, the ACL must be configured with the *client* assigned IP addresses in the *src_ip position* of the ACL and the local network in the dest_ip position of the ACL"
So your ACL should be the other way around
access-list acl_client permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Regards
Farrukh
10-29-2008 05:15 AM
Hi,
I did have a look at the document you suggested. The only problem with having the acl that way round is that I would then be permitting full access from the customer site to mine. I only want to allow http access that is initiated from the client site. The rest of the traffic that is permitted should be initiated from my subnet.
Thanks
05-06-2009 05:17 AM
Hi alraycisco
As far as I know, this is not possible to do, since the VPN filters are "applied" bidirectionally.
I guess sending a feature request to Cisco, requesting them to change this and make the access-list behave as real ACLs, would be the thing to do.
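Added example, not posted by anyone in this thread: a small Python model of how the PIX/ASA vpn-filter evaluates an ACL, following the rule quoted above (remote/client addresses in the source position, the ACL applied to traffic in both directions, with the ACL port matched against the local side's port). The ACL entries and packets are constructed for illustration; the model shows why the local-as-source entry never matches and why a stateless filter cannot express "only if initiated from my subnet".

```python
from ipaddress import ip_address, ip_network

# Constructed vpn-filter entries: (proto, remote-side net, local-side net, local port).
# Remote/client addresses sit in the SOURCE position, as the quoted Cisco note requires.
ACL_HTTP_ONLY = [
    ("tcp", "192.168.2.0/24", "192.168.1.2/32", 80),   # client -> our web server
]
ACL_AS_POSTED = [
    ("ip", "192.168.1.0/24", "192.168.2.0/24", None),  # local side as source: never matches
    ("tcp", "192.168.2.1/32", "192.168.1.2/32", 80),
]
ACL_BIDIR = [
    ("ip", "192.168.2.0/24", "192.168.1.0/24", None),  # Farrukh's suggestion: full access
]


def _ace_matches(ace, proto, remote_ip, local_ip, local_port):
    ace_proto, remote_net, local_net, ace_port = ace
    return ((ace_proto == "ip" or ace_proto == proto)
            and ip_address(remote_ip) in ip_network(remote_net)
            and ip_address(local_ip) in ip_network(local_net)
            and (ace_port is None or ace_port == local_port))


def vpn_filter_permits(acl, proto, src, sport, dst, dport, from_tunnel):
    """Model of the vpn-filter check for one packet.

    Inbound (just decrypted): the packet source is the remote side, so the
    packet is checked as-is against the ACL.  Outbound (about to be encrypted):
    the filter still puts the remote side (packet destination) in the ACL source
    position and uses the local side's port (packet source port), so one ACE
    covers both directions of a flow.  This is a model, not the PIX code itself.
    """
    if from_tunnel:
        remote_ip, local_ip, local_port = src, dst, dport
    else:
        remote_ip, local_ip, local_port = dst, src, sport
    return any(_ace_matches(a, proto, remote_ip, local_ip, local_port) for a in acl)


def local_initiated_ssh_permitted(acl):
    """Can a host on our subnet open SSH to the client? (the original poster's need)"""
    return vpn_filter_permits(acl, "tcp", "192.168.1.5", 51000, "192.168.2.1", 22, False)


def client_initiated_ssh_permitted(acl):
    """Can the client open SSH to our subnet? (what the poster wants to block)"""
    return vpn_filter_permits(acl, "tcp", "192.168.2.1", 51000, "192.168.1.5", 22, True)
```

With ACL_BIDIR both helper checks return True, which is the bidirectional behaviour the last reply describes: the filter sees addresses and ports, not which side opened the connection.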