How to permit a specific port (permit only the port that we want) with a site-to-site VPN on Cisco ASA
Currently, I have configured a site-to-site VPN between two ASAs (Branch A and Branch B). Normally, a site-to-site VPN always permits the full range of IP addresses in the interesting traffic (access control list). But for my scenario I want to allow only some protocols (like allowing only a TCP or UDP port) across the VPN tunnel. So my question is: how could I configure a site-to-site VPN on Cisco ASA to permit only a specific port?
Please find some information in the attached file and below:
Branch A IP address: 192.168.1.0/24
Branch B IP address: 172.16.1.0/24
+++ Interesting traffic from Branch A to Branch B: access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 (Note: uses the full IP address range from Branch A to Branch B)
+++ Interesting traffic from Branch B to Branch A: access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp (Note: permits only ICMP from Branch B to Branch A)
+++ Result after testing
I cannot ping from Branch A to Branch B, but I can ping from Branch B to Branch A. Could you advise me what the problem is?
No, that would allow only ICMP traffic. But if you want to allow everything except "filtering" some VPN traffic between end hosts based on ports/protocols, you should apply it in a way similar to this:
These access lists are needed to trigger the tunnel based on any traffic:
access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
This access list is needed to filter the VPN traffic based on port/protocol, in this example port 80:
access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
access-list vpn-filtering extended permit ip any any
Add/modify your group policy:
group-policy EXAMPLE-GP internal
group-policy EXAMPLE-GP attributes
vpn-filter value vpn-filtering
Add/modify your tunnel group:
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy EXAMPLE-GP
PS: Please note that in the above access list used to filter VPN traffic, the source address should always be the destination address (Branch B, assuming we are applying these commands on the Branch A ASA) and the port should always be the port used on the destination end.
For example, this ACE would block www traffic from Branch A to Branch B:
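The direction rule in the PS above (source = remote side, port = the port on the remote end) is the part people most often get wrong with vpn-filter, because the ASA matches outbound packets against the filter with their source and destination swapped. The following Python script is an added example, not part of the original answer or any Cisco code: it parses the vpn-filtering ACL shown above and evaluates sample flows the way the ASA applies a vpn-filter to a site-to-site tunnel. The local network (Branch A) and the sample host addresses are constructed assumptions; the ACL lines are the ones from the answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The vpn-filter ACL from the answer above, applied on the Branch A ASA.
VPN_FILTER_ACL = """
access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
access-list vpn-filtering extended permit ip any any
"""

# Assumption: this script models the Branch A ASA, so Branch A is "local".
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Subset of ASA port keywords used in ACLs (only the ones needed here).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks, i):
    """Consume 'any' or '<addr> <netmask>' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _take_port(toks, i):
    """Consume an optional 'eq <port>' operator at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        return _parse_port(toks[i + 1]), i + 2
    return None, i


def parse_acl(text: str):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        i = toks.index("extended") + 1
        action, proto = toks[i], toks[i + 1]
        i += 2
        src, i = _take_addr(toks, i)
        src_port, i = _take_port(toks, i)
        dst, i = _take_addr(toks, i)
        dst_port, i = _take_port(toks, i)
        aces.append(Ace(action, proto, src, src_port, dst, dst_port))
    return aces


def vpn_filter_verdict(aces, src_ip, src_port, dst_ip, dst_port, proto, local_net=LOCAL_NET):
    """Return 'permit' or 'deny' for one flow.

    A vpn-filter ACL is written from the remote peer's perspective: source = remote
    network, destination = local network. The ASA applies it to both directions, so
    for an outbound packet (local source) the addresses and ports are swapped before
    matching. That is why the 'eq www' sits next to the Branch B address even though
    the rule is meant to block Branch A clients reaching web servers in Branch B.
    """
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src_ip in local_net:   # outbound: normalise to remote->local view
        r_ip, r_port, l_ip, l_port = dst_ip, dst_port, src_ip, src_port
    else:                     # inbound: packet already reads remote->local
        r_ip, r_port, l_ip, l_port = src_ip, src_port, dst_ip, dst_port
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if r_ip not in ace.src or l_ip not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != r_port:
            continue
        if ace.dst_port is not None and ace.dst_port != l_port:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    aces = parse_acl(VPN_FILTER_ACL)
    # Constructed sample flows (hosts .10 in Branch A and .20 in Branch B are assumptions).
    print("A client -> B web server :", vpn_filter_verdict(aces, "192.168.1.10", 40000, "172.16.1.20", 80, "tcp"))
    print("B client -> A web server :", vpn_filter_verdict(aces, "172.16.1.20", 40000, "192.168.1.10", 80, "tcp"))
    print("A -> B ping              :", vpn_filter_verdict(aces, "192.168.1.10", None, "172.16.1.20", None, "icmp"))
```

Running it shows the asymmetry the answer describes: Branch A hosts are blocked from port 80 in Branch B, but a Branch B host can still reach a web server in Branch A, and ping passes in both directions because the deny ACE only matches TCP. Note that the filter is a separate mechanism from the crypto ACLs (BrA-BrB / BrB-BrA), which should stay mirrored and broad so the tunnel is established for any traffic.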