cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1607
Views
5
Helpful
22
Replies

asymmetric access control in site to site vpn

simon.law
Level 1
Level 1

Hi,

I'm trying to set up a site to site VPN between my two ASA 5510 ver 8.3. Both site A and site B can access each other without any problem. Is it possible to configure the site A firewall so that site A can fully access site B but site B can only access a subset of traffic to site A?

I have tried the followings at site A but it wouldn't stop the traffic from site B:

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

Thanks,

Simon

22 Replies 22

andrew.prince
Level 10
Level 10

Your ACL is in the wrong direction, it would be best to write an acl for the "inbound" on the inside interface on site b, to deny what you do not what them to do, and permit everything else.

HTH>

For testing, you could also check the acl defined on the crypto map on both sides as part of the interesting traffic that will flow over the tunnel.

acl for "inbound" works only from site B.

Is there any way at site A to specify the traffic to accept from site B?

Thanks,

Simon

Simon,

Another way to do that will be using VPN Filter ACL. You can use this link as reference:

http://www.cisco.com/application/pdf/paws/99103/pix-asa-vpn-filter.pdf

The Filter will work just locally in the ASA that has this set up. This will allow or drop the traffic that is coming from site B to site A.

**** Note: Please be sure you create the ACL in the correct way (Source as destination and destination as source, see link above).

Hi Walter,

I think this is what I needed, I'll try it out.

Thanks very much for your help.

Simon.

Hi Walter,

vpn-filter is no good for my situation, it's still basically bi-directional. I achieve fully asymmetric control by using "no sysopt connection permit-vpn" together with acl on my outside interface. However, I feel uncomfortable of using private addresses on the outside interface. Do you know if there is any security risk of doing this?

Thanks,

Simon

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn

command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

Hi Andrew,

Suppose I don't trust the remote site, is it possible to configure the "local" firewall to allow all outgoing traffic but deny all incoming traffic by using group policy and per-user access lists?

Thanks,

Simon

Yes

A Group-policy ACL

A Interface ACL

As previosuly described in this thread.

HTH>

Hi Andrew,

Sorry, I'm confused. Were you referring to your email on June 29 of writing an acl for the inbound on the inside interface on the remote site to stop traffic to site a?

Thanks,

Simon

That is a possibility, listen you have various options available to you.  I personaly resitrict traffic as close to the "source" as possible, this heps me troubleshoot.

Since you actually want to restrict traffic once it has arrived at site A, you have 2 options.

1) Filter the "inbound" traffic from site B via an acl on the VPN profile after it's decrypted @ site A

2) Filter the "inboud" trarrfic from site B via an ACL and apply it on the "inside" interface in the "outbound" direction.

HTH>

Hi Andrew,

Is option (1) using vpn-filter?

I did try option (2) but it wouldn't stop any traffic. What I did was as follows in site A

   access-list inside_access_out extended deny ip any any

   access-group inside_access_out out interface inside

Am I missing something?

Thanks,

Simon

Hi Simon,

As previously posted - VPN Filter http://www.cisco.com/application/pdf/paws/99103/pix-asa-vpn-filter.pdf

Can you post your complete config of what you tried, there maybe a typo that is tripping you up?

Hi Andrew,

Please find attached my configurations.

I have two local networks maxbel-lan and ktm-lan. I am trying to

- allow all traffic from maxbel-lan to remote-site

- stop all traffic from remote-site to maxbel-lan

- allow only rdp from ktm-lan to remote-site

- allow only rdp from remote-site to ktm-lan

I tried the followings for testing but it wouldn't stop traffic from remote-site to ktm-lan:

  access-list ktm-lan_access_out extended deny ip any any

  access-group ktm-lan_access_out out interface ktm-lan

Thanks,

Simon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: