Cisco Support Community
ASA5510 7.2 ipsec-filter all data flow

Hi,

I want to limit incoming traffic from a remote tunnel. I do this via a group-policy mapped to an ACL and to a tunnel-group.

For example:

local: 192.168.1.0 255.255.255.0
remote: 192.168.2.0 255.255.255.0

access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside in interface inside

access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

group-policy tunnelpol attributes
 vpn-filter value tunnel-data

tunnel-group tunnelgrp general-attributes
 default-group-policy tunnelpol

sysopt connection permit-vpn

No data flows; I get the error: Deny inbound tcp 80 src inside 192.168.1.1 to 192.168.2.1 on interface inside

If I add this: access-list tunnel-data permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, all traffic flows in both directions, but I only want to allow ALL from local to remote and only TCP 80 from remote to local.

Statefully, everything should flow (ACKs from the remote side), but SYNs only from the source.

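The behaviour described in the post follows from how the ASA evaluates a vpn-filter: an ACE is written with the remote side as source and the local side as destination, and the same ACE is checked for connections opened from either side by mapping the connection's first packet onto (remote address, remote port, local address, local port). The model below is an added example, not Cisco code and not from the original post; it encodes that rule, plus an interface ACL for comparison (checked against the first packet in one direction only, with replies allowed by the connection table). The networks and the `tunnel-data` ACE are taken from the post; the `outside_in` ACL name, the `REVERSED_FILTER` form (source port on the remote side, as Cisco's vpn-filter documentation describes for local-initiated connections) and the ephemeral port 40000 are constructed for the example.

```python
"""Model of how an ASA evaluates a vpn-filter ACL against a new connection.

Constructed for illustration; it is not Cisco code. It encodes the documented
rule that a vpn-filter ACE is written with the remote side as source and the
local side as destination, and that the ASA checks the same ACE for connections
opened from either side by mapping the connection's first packet onto
(remote addr, remote port, local addr, local port). For comparison it also
models an interface ACL, which is checked against the first packet only in the
direction it is applied; replies ride on the connection table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # networks from the post
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or "tcp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # None = any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC MASK [eq P] DST MASK [eq P]'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _net(tok[0], tok[1]), tok[2:]
    src_port = None
    if tok[:1] == ["eq"]:
        src_port, tok = int(tok[1]), tok[2:]
    dst, tok = _net(tok[0], tok[1]), tok[2:]
    dst_port = int(tok[1]) if tok[:1] == ["eq"] else None
    return Ace(action, proto, src, src_port, dst, dst_port)


def _matches(ace, proto, src, src_port, dst, dst_port) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != src_port:
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


def _first_match(acl, *key) -> bool:
    for ace in acl:
        if _matches(ace, *key):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


def vpn_filter_permits(acl, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
    """Decide whether a connection's first packet passes the vpn-filter."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in LOCAL_NET and dst in REMOTE_NET:
        # Local-initiated: the ASA still evaluates the ACE remote-as-source,
        # so the packet's destination becomes the ACE source, ports included.
        remote, rport, local, lport = dst, dst_port, src, src_port
    elif src in REMOTE_NET and dst in LOCAL_NET:
        remote, rport, local, lport = src, src_port, dst, dst_port
    else:
        raise ValueError("packet is not between the two tunnel networks")
    return _first_match(acl, proto, remote, rport, local, lport)


def interface_acl_permits(acl, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
    """An interface ACL sees the first packet as sent, in one direction only."""
    return _first_match(acl, proto, ipaddress.ip_address(src_ip), src_port,
                        ipaddress.ip_address(dst_ip), dst_port)


# The filter from the post, the "permit ip" variant, and the reversed-port form
# (source port on the remote side) used for local-initiated connections.
OP_FILTER = [parse_ace("access-list tunnel-data permit tcp "
                       "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80")]
OPEN_FILTER = [parse_ace("access-list tunnel-data permit ip "
                         "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0")]
REVERSED_FILTER = [parse_ace("access-list tunnel-data permit tcp "
                             "192.168.2.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0")]
# Inbound ACL on the outside interface (only consulted for decrypted traffic
# when "sysopt connection permit-vpn" is off); constructed ACL name.
OUTSIDE_IN = [parse_ace("access-list outside_in permit tcp "
                        "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80")]

if __name__ == "__main__":
    eph = 40000  # constructed ephemeral source port
    cases = [
        ("remote -> local:80", "192.168.2.1", eph, "192.168.1.1", 80),
        ("local -> remote:80", "192.168.1.1", eph, "192.168.2.1", 80),
        ("local -> remote:22", "192.168.1.1", eph, "192.168.2.1", 22),
        ("remote:80 -> local:22", "192.168.2.1", 80, "192.168.1.1", 22),
    ]
    for name, acl in [("OP_FILTER", OP_FILTER), ("OPEN_FILTER", OPEN_FILTER),
                      ("REVERSED_FILTER", REVERSED_FILTER)]:
        for label, s, sp, d, dp in cases:
            verdict = "permit" if vpn_filter_permits(acl, "tcp", s, sp, d, dp) else "deny"
            print(f"{name:16} {label:22} {verdict}")
```

Running the model reproduces the post's symptom: with `OP_FILTER`, a remote host opening a connection to local port 80 is permitted, but a local host opening a connection to remote port 80 is denied, because after the remote-as-source mapping the ACE's `eq 80` is compared against the local host's ephemeral port. `OPEN_FILTER` permits both directions, and `REVERSED_FILTER` permits the local-initiated connection at the cost of also permitting anything the remote side sends from source port 80. A vpn-filter therefore cannot express "any from local, only tcp/80 from remote"; an inbound ACL on the outside interface can, because it is evaluated only against the connection's first packet in that direction, which is why the comparison `interface_acl_permits` check is included.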