New Member

Block www to host over VPN tunnel

Hi, I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:

access-list block_port extended deny tcp any host 10.20.10.20 eq 80
access-list block_port extended permit ip any any
access-group block_port out interface inside

These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server. So what am I doing wrong?

Thanks

Joel Gonzalez

Accepted Solution

Super Bronze

Re: Block www to host over VPN tunnel

Hi,

I haven't tested a situation exactly like yours, but I'd assume the reason the configuration is failing is that, to my understanding, the ASA passes all VPN traffic past the interface ACLs.

I've always imagined this would only mean that it bypasses the outside interface access-list and not the access-lists attached to the outgoing interface of the actual connection (in your case the "inside" interface). But if the connections are indeed still going through, I guess the situation must be that the ASA passes all VPN traffic past the ASA interface access-lists.

You've got at least a couple of options:

  • You can issue "no sysopt connection permit-vpn"
    • This will check every connection coming from behind the VPN connection against your OUTSIDE interface access-list.
    • So if you, for example, have an L2L VPN and a Client VPN, you will have to open the traffic using the remote IP addresses EVEN if they are private IP addresses. Every connection from behind the VPN must have a permitting access-list rule.
    • You SHOULD/MUST make access-list rules for your existing VPNs before issuing this command, as otherwise they will start to get blocked by your OUTSIDE interface access-list (I assume you've got some kind of access-list attached to the OUTSIDE interface with the direction "in").
  • You can create a VPN filter access-list
    • This access-list will be attached to your VPN connection of choice. It will only apply to traffic on that VPN connection and won't affect the ASA's rules otherwise. (I can give you an example configuration if you tell me which connections should be allowed from INSIDE -> VPN and VPN -> INSIDE.)

Please let me know which solution you think would suit you best, or ask more questions.


- Jouni
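The two options above, written out as an added example; this is not configuration from the thread or from the linked Cisco guide. The remote LAN 10.30.10.0/24, the L2L peer address 203.0.113.10, the local LAN 10.20.10.0/24, the ACL name OUTSIDE_IN and the group-policy name GP_REMOTE_SITE are all assumptions; only the host 10.20.10.20, the "inside" interface and the poster's original block_port ACL come from the question.

```cisco
! Added example (not from the original thread or the linked Cisco guide).
! Assumptions: remote LAN 10.30.10.0/24 reached over an L2L tunnel whose
! peer is 203.0.113.10, local LAN 10.20.10.0/24, and an existing inbound
! ACL on the outside interface named OUTSIDE_IN. Only the host 10.20.10.20
! and the "inside" interface come from the question.

! ---- Option 2: vpn-filter (the route the poster took) ----
! A vpn-filter ACL is written with the REMOTE (VPN) side as the source and
! the local side as the destination; the ASA applies the same ACL to the
! other direction by swapping source and destination. "eq 80" after the
! local host therefore matches remote-initiated HTTP to 10.20.10.20. A line
! such as
!   permit tcp 10.30.10.0 255.255.255.0 eq 80 host 10.20.10.20
! would instead describe 10.20.10.20 connecting to a remote web server.
access-list VPN_FILTER_REMOTE extended deny tcp 10.30.10.0 255.255.255.0 host 10.20.10.20 eq 80
access-list VPN_FILTER_REMOTE extended permit ip 10.30.10.0 255.255.255.0 10.20.10.0 255.255.255.0
! anything not permitted above is dropped by the filter's implicit deny

group-policy GP_REMOTE_SITE internal
group-policy GP_REMOTE_SITE attributes
 vpn-filter value VPN_FILTER_REMOTE
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_REMOTE_SITE

! Nothing is needed on the inside interface for this option; the ACL the
! poster bound with "access-group block_port out interface inside" can go:
no access-group block_port out interface inside

! ---- Option 1: stop bypassing the outside ACL for VPN traffic ----
! Order matters: add the permits first, then disable the bypass, otherwise
! every existing tunnel and remote-access session is cut off by the
! implicit deny of OUTSIDE_IN the moment the sysopt is removed.
access-list OUTSIDE_IN line 1 extended deny tcp 10.30.10.0 255.255.255.0 host 10.20.10.20 eq 80
access-list OUTSIDE_IN line 2 extended permit ip 10.30.10.0 255.255.255.0 10.20.10.0 255.255.255.0
! (one permit line per additional L2L subnet and remote-access address pool)
no sysopt connection permit-vpn

! ---- Verification (either option) ----
! Browse from the remote LAN to http://10.20.10.20, then read the counters:
show access-list VPN_FILTER_REMOTE
! hitcnt on the deny line should increase and the browser should time out,
! while other traffic to 10.20.10.0/24 keeps flowing. To remove the filter:
!   group-policy GP_REMOTE_SITE attributes
!    no vpn-filter
```

Pick one option, not both. The vpn-filter is scoped to the group-policy of that one tunnel, so other tunnels and remote-access users are untouched; disabling sysopt connection permit-vpn instead subjects every decrypted packet on the outside interface to OUTSIDE_IN, so every peer and every remote-access pool needs its own permit there before the command is entered.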

New Member

Re: Block www to host over VPN tunnel

Hi Jouni,

I went the route of creating a VPN filter access-list. I used this walk through: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Precisely what I was trying to do. Thanks for pointing me in the correct direction.

Cheers

Joel
