VPN Group-Policy

alraycisco
Level 1

Hi,

I have a site-to-site VPN setup with a client on our PIX. The tunnel is currently using the default group policy, so access is only permitted to the customer servers. I would like to grant the customer site http access to one of our internal servers. Below is the config I have used. Once I'd applied the config below, I could no longer connect to any of the customer servers.

access-list acl_client_access permit tcp host x.x.x.x host x.x.x.x eq http

group-policy gp_client internal

group-policy gp_client attributes

vpn-filter value acl_client_access

vpn-tunnel-protocol IPSec

tunnel-group x.x.x.x general-attributes

default-group-policy gp_client

Your help is appreciated.

Thanks

12 Replies

Farrukh Haroon
VIP Alumni

The direction of vpn-filter ACLs is a little tricky; have a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo

It would be nice if you can post the exact ACL outlining the VPN pool and server IPs (you may substitute them with any dummy address for security reasons... but x.x.x.x doesn't help much).

Regards

Farrukh

alraycisco
Level 1

Hi,

The access-list I mentioned above is configured to permit the client host to the ftp server and nothing else. All traffic is NAT 0'd.

I changed the access-list to also permit the internal subnet (my network) to the client subnet. Yet I still can't connect to the client machines anymore.

Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1

I also tried the following acl:

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1 eq 80

access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Try to run a 'packet-tracer' command on this desired TCP flow and see what you get.

Regards

Farrukh

Hi,

The packet tracer shows the traffic being dropped by an access-list, but it doesn't say which one. The message I get is '(acl-drop) Flow is denied by configured rule'

Thanks

It does show the ACL name, just make sure you use the 'detailed' keyword after the command.

Regards

Farrukh

Hi,

If I add a permit ip any any to the accesslist being used by the vpn filter, this gives me access again to the customer hosts.

My understanding of the VPN filter is that I should be able to permit access from my subnet to the clients and also give the required access to the customer clients to get http access to my subnet.

I don't want to permit all access from the client subnet to mine, unless it was initiated from my subnet.

You would need to tell more details about the IP addressing to comment about the VPN filter. As a second step you can enable ALL IP traffic between the subnets (instead of specific ports), then see if it works.

Regards

Farrukh

Hi, the details are:

Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24

We're not natting to anything currently.

The VPN filter acl is as follows:

access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http

However, this results in no traffic being allowed from the internal subnet to the client subnet.

Thanks

It seems you did not read the document I posted earlier, here is the quote:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo

"An ACL that is used for a vpn-filter must not also be used for an interface access-group. When a vpn-filter is applied to a group-policy/user name mode that governs Remote Access VPN Client connections, the ACL must be configured with the *client* assigned IP addresses in the *src_ip position* of the ACL and the local network in the dest_ip position of the ACL"

So your ACL should be the other way around

access-list acl_client permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Regards

Farrukh

Hi,

I did have a look at the document you suggested. The only problem with having the acl that way round is that I would then be permitting full access from the customer site to mine. I only want to allow http access that is initiated from the client site. The rest of the traffic that is permitted should be initiated from my subnet.

Thanks

Hi alraycisco

As far as I know, this is not possible to do, since the VPN filters are "applied" bidirectionally.

I guess sending a feature request to Cisco, requesting them to change this and make the access-list behave as real ACLs, would be the thing to do.
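To make the behaviour discussed in this thread concrete, here is a small Python model of how a vpn-filter ACL is evaluated. It is an added example written for this page, not code from the thread or from Cisco; it assumes the semantics described in the linked Cisco document (packets arriving from the tunnel are matched as the ACL is written, packets entering the tunnel are matched with source/destination addresses and ports swapped, implicit deny at the end) and the function and constant names are mine.

```python
"""Model of Cisco ASA/PIX vpn-filter evaluation (added example, not Cisco code).
Assumption: inbound (from-tunnel) packets are matched as written; outbound
(into-tunnel) packets are matched with src/dst addresses and ports swapped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    proto: str            # "ip" or "tcp"
    src: object           # IPv4Network
    dst: object           # IPv4Network
    dport: Optional[int]  # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' (host/mask/any forms)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "permit", line
    i = 4
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ip_network(tok[i - 1] + "/32")
        i += 2                                   # "network mask" form
        return ip_network(tok[i - 2] + "/" + tok[i - 1])
    src, dst = addr(), addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = {"http": 80, "www": 80}.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(tok[3], src, dst, dport)

def vpn_filter_permits(acl: List[str], direction: str, proto: str,
                       src: str, sport: int, dst: str, dport: int) -> bool:
    """direction is 'inbound' (arriving from the tunnel) or 'outbound' (entering it)."""
    if direction == "outbound":      # the firewall reverses the flow before matching
        src, dst, sport, dport = dst, src, dport, sport
    s, d = ip_address(src), ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return True
    return False                     # implicit deny at the end of the filter

# The filter as posted in the thread, and the reversed version suggested in reply
AS_POSTED = [
    "access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http",
]
REVERSED = ["access-list acl_client permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"]
```

Running AS_POSTED against an outbound SSH flow from 192.168.1.50 to 192.168.2.20 returns False (the swapped flow matches neither line, which is the "no traffic from internal to client" symptom), while REVERSED permits that flow but also permits any inbound flow from the client subnet, which is the bidirectional limitation the last reply describes.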
