VPN filtering

Answered Question
Apr 14th, 2010

Hello all, very quick one for you:

I want to create an L2L tunnel that allows all traffic in one direction for management purposes, and just port 80 traffic back in the other direction.

I'm guessing this isn't possible with just the match access-lists (they need to match in the SA right?), so is creating a VPN filter the right way to go?

Any advice welcome.

Thanks.


Correct Answer by Kelvin Willacey about 6 years 10 months ago

You are right, that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and the vpn-filters should be used on the specific tunnel groups. See link below.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


Correct Answer
Federico Coto F... Wed, 04/14/2010 - 09:05

Hi,

Are the devices involved in the L2L tunnel ASAs?

If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.

The filter refers to an ACL where you specify the permitted traffic.

Federico.

jacobs_son Thu, 04/15/2010 - 02:58

Hi, thanks for the replies.

The devices at both ends are ASAs. To be honest I wasn't sure if I could just do something like "permit ip 10.0.0.0/24 10.1.0.0/24" at one end in the match statement and "permit tcp 10.1.0.0/24 10.0.0.0/24 eq 80" at the other end. Do the match statements actually need to be identical for the tunnel to establish? If I did something like this and wanted to RDP from the management network, would the traffic get back because the TCP session state will already be present on the remote device, or will it not because only port 80 is allowed back the other way?

I'll go with the VPN filtering, but if anyone could clarify the points above for me that would be much appreciated.

James

Correct Answer
Jennifer Halim Thu, 04/15/2010 - 03:09

Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statement should be a mirror image on both ends.

Example:

Site A LAN: 10.1.1.0/24

Site B LAN: 10.2.2.0/24

Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

Then if you would like to restrict it, as Federico and Kevin said, you can use a vpn-filter ACL.

Here is the sample configuration on vpn-filter for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.
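A quick consistency check for the mirror-image rule above, added here as an illustration (it is not code from this thread or from Cisco): it parses each site's crypto ACL entries and lists the ones the other site does not mirror, using the ACL lines quoted in this thread as constructed inputs. parse_ace handles only the simple `permit PROTO SRC [eq PORT] DST [eq PORT]` form with masks or prefixes, which is an assumption, not full ASA syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]

    def mirror(self) -> "Ace":
        """The entry the peer must carry: source and destination (with their ports) swapped."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

def _take_net(tokens):
    # Accepts "A/prefix" or "A MASK"; both forms appear in this thread.
    if "/" in tokens[0]:
        return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _take_port(tokens):
    return (tokens[1], tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)

def parse_ace(line: str) -> Ace:
    """Parse '[access-list NAME] permit PROTO SRC [eq P] DST [eq P]' (assumed subset of ASA syntax)."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop "access-list <name>"
    if tokens[:1] != ["permit"]:
        raise ValueError(f"expected a permit entry: {line!r}")
    src, rest = _take_net(tokens[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_net(rest)
    dport, rest = _take_port(rest)
    if rest:
        raise ValueError(f"unparsed tokens {rest} in {line!r}")
    return Ace(tokens[1], src, sport, dst, dport)

def mirror_gaps(site_a, site_b):
    """Return (entries on A with no mirror on B, entries on B with no mirror on A)."""
    a, b = [parse_ace(l) for l in site_a], [parse_ace(l) for l in site_b]
    return [x for x in a if x.mirror() not in b], [x for x in b if x.mirror() not in a]

# Constructed inputs: Jennifer's mirrored pair, then the asymmetric pair James asked about.
SITE_A_OK = ["access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"]
SITE_B_OK = ["access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"]
SITE_A_BAD = ["permit ip 10.0.0.0/24 10.1.0.0/24"]
SITE_B_BAD = ["permit tcp 10.1.0.0/24 10.0.0.0/24 eq 80"]
```

Running mirror_gaps on the two pairs returns empty lists for Jennifer's example and one unmatched entry per side for James's asymmetric one, which is the mismatch that would stop the SA from negotiating.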
