How to filter traffic between two EzVPN clients

Unanswered Question
Apr 22nd, 2010

Hi Guys

Could anyone help me with the following issue?

I want to filter traffic between two EzVPN (IOS) clients. The hub is an ASA running 8.0(4) code.

Client1 is allowed to access the local networks of client2, but client2 is not allowed to access the client1 local subnet. Both clients are allowed to access the inside network of the ASA.

Both client networks are known to the ASA by means of RRI.

I read that in a vpn-filter ACL the source part is used for the remote network and the destination part for the local network.

I was thinking of using the vpn-filter feature and linking it to the user1 and user2 accounts. Something like this:

!
username user1 password pwd1
username user1 attributes
 vpn-filter value acl1
!
username user2 password pwd1
username user2 attributes
 vpn-filter value acl2
!
access-list acl1 extended permit ip any any
!
access-list acl2 extended permit ip subnet1 mask1 inside_net inside_mask

Unfortunately this is not working... why? Any ideas how to fix this?

Regards
Hielke

Federico Coto F... Thu, 04/22/2010 - 11:19

Hi,

Are the EzVPN clients in NEM or client mode?

As of now, both clients can access each other's LAN, correct?

Are you getting hit counts on acl1 and acl2 when sending traffic?

Federico.

HHagendoorn Thu, 04/22/2010 - 23:57

Hi Federico,

Thanks for your reply; both clients are in NEM mode.

Both clients can reach the inside network. But client1 can't reach the inside network of client2 (which it should).

When I source a ping from the client1 inside network to the client2 inside network, the acl1 counter increases, but the acl2 counter does not.

Hope this helps...?

Regards

Hielke

Federico Coto F... Fri, 04/23/2010 - 07:17

If the IOS clients are in NEM mode, that means they keep their IP addresses.
So client1's LAN should reach client2's LAN through the ASA, correct?

In order to allow client1 to reach client2 through the ASA, several things need to happen:
1. The ASA should have the same-security-traffic permit intra-interface command.
2. The client1 LAN should be encrypted in an ACL that goes to the client2 tunnel (and vice versa).
3. The NAT and route rules should be properly configured.

Is it possible for you to attach the configs?

Federico.

HHagendoorn Mon, 04/26/2010 - 23:43

Hi Federico,

I agree both clients should be able to reach each other's inside network. In fact, this is indeed the case if I don't use any filter ACL at all.

So

1. Yes, permit intra-interface is in the config.

2. ??? This is EzVPN; there is no crypto ACL.

3. I checked NAT; the client and ASA NAT (exempt) are working fine. Proof is the fact that things work without any ACL.

So I think it boils down to the definition and possibilities of defining a filter ACL. The problem is how to define local and remote with regard to intra-client traffic. To make things worse, I read the ACL is bidirectional...
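A small model of the local/remote question raised in this thread, added here as an example; it is not part of any post and not Cisco code. It assumes constructed networks (10.1.0.0/24 behind client1, 10.2.0.0/24 behind client2, 192.168.0.0/24 on the ASA inside) and models only the convention quoted in the question: a vpn-filter is evaluated with the tunnel's remote side as the ACL source and the far side as the ACL destination, and a packet hairpinned between two clients crosses two tunnels, so it is checked against both users' filters. The ASA connection table and everything else the ASA does is outside the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (the thread only names its networks subnet1,
# subnet2 and inside_net); all addresses here are assumptions.
CLIENT1_LAN = ipaddress.ip_network("10.1.0.0/24")      # behind EzVPN client1 (NEM)
CLIENT2_LAN = ipaddress.ip_network("10.2.0.0/24")      # behind EzVPN client2 (NEM)
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")    # ASA inside network

# Constructed ACLs in the shape of the poster's design: acl1 -> user1, acl2 -> user2.
ASA_CONFIG = """
access-list acl1 extended permit ip any any
access-list acl2 extended permit ip 10.2.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Same, plus the mirrored entry acl2 would need for client1 to reach client2's LAN.
WIDENED_CONFIG = ASA_CONFIG + (
    "access-list acl2 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0\n"
)

# Which username (and therefore which vpn-filter) each LAN is reached through.
TUNNELS = {"user1": ("acl1", CLIENT1_LAN), "user2": ("acl2", CLIENT2_LAN)}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network   # vpn-filter convention: the tunnel's remote side
    dst: ipaddress.IPv4Network   # vpn-filter convention: the local side


def _take_net(tokens, i):
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines into {name: [Ace]}."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _take_net(t, 5)
        dst, _ = _take_net(t, i)
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst))
    return acls


def filter_permits(aces, proto, remote_ip, local_ip):
    """First match wins; an ACL with no matching entry denies (implicit deny)."""
    for ace in aces:
        if ace.proto in ("ip", proto) and remote_ip in ace.src and local_ip in ace.dst:
            return ace.action == "permit"
    return False


def tunnel_for(ip):
    """Return (username, acl name) of the tunnel that reaches ip, or (None, None) for inside."""
    for user, (acl, lan) in TUNNELS.items():
        if ip in lan:
            return user, acl
    return None, None


def flow_allowed(acls, src, dst, proto="ip"):
    """Trace the first packet of a flow src -> dst through the hub.

    Modeled rule: each vpn-filter is evaluated with its own tunnel's remote side as the
    ACL source and the far side as the ACL destination. A packet hairpinned between two
    clients is therefore checked against the ingress user's filter as (src, dst) and
    against the egress user's filter as (dst, src). The ASA connection table is not modeled.
    Returns (allowed, [(acl, stage, result), ...]).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    trace = []
    in_user, in_acl = tunnel_for(src_ip)
    if in_acl is not None:
        ok = filter_permits(acls.get(in_acl, []), proto, src_ip, dst_ip)
        trace.append((in_acl, "ingress", ok))
        if not ok:
            return False, trace
    out_user, out_acl = tunnel_for(dst_ip)
    if out_acl is not None and out_user != in_user:
        ok = filter_permits(acls.get(out_acl, []), proto, dst_ip, src_ip)
        trace.append((out_acl, "egress", ok))
        if not ok:
            return False, trace
    return True, trace


if __name__ == "__main__":
    for label, cfg in (("poster's ACLs", ASA_CONFIG), ("acl2 with mirrored entry", WIDENED_CONFIG)):
        acls = parse_acls(cfg)
        print(label)
        for s, d in (("10.1.0.5", "192.168.0.10"), ("10.2.0.5", "192.168.0.10"),
                     ("10.1.0.5", "10.2.0.5"), ("10.2.0.5", "10.1.0.5")):
            print(f"  {s} -> {d}: {flow_allowed(acls, s, d)}")
```

Under the modeled rule, both clients reach the inside network, and the client1 to client2 flow passes acl1 on the way in but is dropped by acl2 on the way out, because acl2 is evaluated with client2's LAN as the remote side and client1's LAN as the local side, which none of its entries permit. Adding that mirrored entry to acl2 lets client1 reach client2, but the same entry, evaluated the same way for a packet arriving from client2, also lets client2 initiate toward client1; that is the bidirectionality concern in the post above, and a plain vpn-filter entry cannot by itself distinguish which side opened the connection.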
