IPSec VPN and ACL Issue

srsiddiqui
Level 1

Hey,

I am using a Cisco ASA 5510 as my organization's firewall, which we purchased a few days ago. I have created an IPSec Remote Access VPN with it. My branch office is located in another city, which I need to connect through the VPN.

I have configured my IPSec VPN on the ASA with all the policies I need, and at the client end I installed the Cisco VPN Client SW. Now I can connect to my VPN server (ASA) from my branch office. I am also getting an IP address from the pool which I allocated during setup of the VPN.

Public IP configured on my ASA (outside): 203.75.180.2

Inside IP: 10.10.4.11

My local network is running on 10.10.x.x 255.255.0.0

VPN client pool is 10.10.21.1-10.10.21.15 255.255.255.240

I want to apply an ACL to my VPN traffic, restricting it in the sense that I don't want my VPN users to access any resource at my head office except 2 web applications and 1 SW application.

Initially, I can ping from head office to branch office and vice versa after the VPN is connected, with no ACLs configured.

Now my question is, in what way do I need to apply the ACL between my outside and inside users? I tried to apply an ACL, but still all my resources are available to the 10.10.21.0 users.

access-list 101 deny tcp 10.10.21.0 255.255.255.240 10.10.2.11 255.255.255.255 eq http

access-group 101 in interface outside

This is the ACL which I have applied on my outside interface, but even after that I can still access 10.10.2.11 from my branch office.

Can anyone help me out?

1 Reply

f00f1ter
Level 1

"sysopt connection permit ipsec" is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL. You could either remove that command, which is not necessarily recommended, or, if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass NAT for the addresses you want to allow users to access.

Remember, if you remove "sysopt connection permit ipsec", you'll have to specifically allow access to any service you want VPN users to access.

Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.

You should probably also edit your post and remove your public IP address.

HTH
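The configuration below is an added worked example, not something posted in this thread, showing what the reply describes on an ASA 5510 running ASA software 7.x or later (where the command is spelled sysopt connection permit-vpn; permit-ipsec is the older PIX keyword). The pool 10.10.21.0/28 and the first web server 10.10.2.11 are taken from the original post; the second web server 10.10.2.12, the "SW application" on 10.10.2.20 tcp/1433 and the group-policy name RA_POLICY are assumed placeholders. It also goes one step past the reply by showing the per-tunnel vpn-filter, which restricts VPN users without turning off the sysopt bypass or bending NAT exemption.

```cisco
! ---------------------------------------------------------------
! Why the poster's ACL had no effect: with the default
!   sysopt connection permit-vpn
! decrypted IPsec traffic is never matched against the inbound
! ACL on the outside interface, so "access-group 101 in interface
! outside" is simply not consulted for VPN clients.
! ---------------------------------------------------------------

! ----- Option 1 (what the reply describes): disable the bypass -----
! After this, VPN traffic is checked by the outside interface ACL,
! and the ACL ends with an implicit deny, so every allowed service
! must be permitted explicitly. The posted ACL had only a deny line,
! which would have blocked the VPN users from everything.
no sysopt connection permit-vpn

! Hosts 10.10.2.12 and 10.10.2.20 tcp/1433 are assumed placeholders
! for the second web app and the "SW application".
access-list 101 extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.11 eq http
access-list 101 extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.12 eq https
access-list 101 extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.20 eq 1433
! Explicit deny for the rest of the 10.10.0.0/16 head-office network;
! it also makes the drops visible with "show access-list 101".
access-list 101 extended deny ip 10.10.21.0 255.255.255.240 10.10.0.0 255.255.0.0
access-group 101 in interface outside

! ----- Option 2 (the reply's nat 0 variant) -----
! If NAT exemption for the VPN pool is currently broad, e.g.
!   access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.21.0 255.255.255.240
!   nat (inside) 0 access-list nonat
! narrow it to the application hosts only. Other inside hosts then
! have no translation toward the pool, so those flows fail.
! This is a side effect of NAT, not a filtering decision, and it is
! harder to audit than an ACL, which is why it is the less preferred route.
access-list nonat extended permit ip host 10.10.2.11 10.10.21.0 255.255.255.240
access-list nonat extended permit ip host 10.10.2.12 10.10.21.0 255.255.255.240
access-list nonat extended permit ip host 10.10.2.20 10.10.21.0 255.255.255.240
nat (inside) 0 access-list nonat

! ----- Option 3 (beyond the reply): per-group vpn-filter -----
! A vpn-filter ACL is applied only to traffic of that tunnel group,
! after decryption, and leaves sysopt connection permit-vpn in place.
! Write entries with the remote client as source and the local host
! as destination. RA_POLICY is an assumed group-policy name.
access-list VPN_USERS extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.11 eq http
access-list VPN_USERS extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.12 eq https
access-list VPN_USERS extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.20 eq 1433
group-policy RA_POLICY attributes
 vpn-filter value VPN_USERS
```

Pick one of the three approaches rather than stacking them. Whichever you use, verify from a connected client that 10.10.2.11 answers on http and that a ping to some other inside host such as the ASA's own inside address 10.10.4.11 now fails, then confirm the counters with "show access-list 101" or "show access-list VPN_USERS". With Option 1, remember that ACL 101 also governs everything else arriving on the outside interface, so any server you later publish to the Internet needs its own permit line there.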
