Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How to permit specific port ( permit only port that we want ) with VPN site to site on cisco asa

 

Dear Support,

 

Currently, I have configured VPN site to site between two ASA ( Branch A and Branch B ). Normally, VPN site to site always permit full range of ip address in interesting traffic ( Access-control-List ). But for my scenario I want to allow only some protocols (like allow only tcp or udp port) across VPN Tunnel. So, my question is how could I configure VPN Site to Site on Cisco ASA to permit only specific port?

Please find some information as attached file and as below:

Branch A ip address: 192.168.1.0/24

Branch B ip address: 172.16.1.0/24

+++ Interesting Traffic from Branch A to Branch B: access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 ( Note: Use full range ip address from Branch A to Branch B )

+++ Interesting Traffic from Branch B to Branch A: access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp ( Note: permit only icmp from Branch B to Branch A )

+++ Result after testing

I can not ping from Branch A to Branch B, but I can ping from Branch B to Branch A. Could you advise me what is the problem?

your help is very appreciate!!!!

Regards,

 

 

 

5 REPLIES

this is mistakeaccess-list

this is mistake

access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp

 

tcp equal icmp ?

should be 

access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 

 

 

my question is how could I configure VPN Site to Site on Cisco ASA to permit only specific port?

you need additional access-list

 

share your config

New Member

Hi Support,The main point is

Hi Support,

The main point is : from BrA to BrB they allow full range of ip address or all protocols, But from BrB to BrA they allow only one icmp protocol ( not all protocol ).

The question is : how could I allow VPN site to site traffic on this scenario?

thank you

 

 

Hi Sothengse, The vpn tunnel

Hi Sothengse,

 

The vpn tunnel is being triggered based on the crypto access lists, please try to apply the access lists is this way if you want to allow only icmp traffic between both ends:

 

On Branch B:

access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

 

On Branch A:

access-list BrA-BrB extended permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

 

Regards,

Aref

New Member

Hi support,Above access-list

Hi support,

Above access-list is permit icmp traffic between both ends, but if I use like below

On Branch A use:

access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

And

On Branch B use:

access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Does this VPN work or not?

if don't work, what should I do?

your help is very appreciate

thanks

No that would allow only icmp

No that would allow only icmp traffic, but if you want to allow everything except "filter" some vpn traffic between end hosts based on ports/portocols you should apply it in a way similar to this:

 

These access lists are needed to trigger the tunnel based on any traffic:

access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0


This access list is needed to filter the vpn traffic based on port/protocol, in this example port 80:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
access-list vpn-filtering extended permit ip any any

 

Add/Modify you group policy:

group-policy EXAMPLE-GP internal
group-policy EXAMPLE-GP attributes
 vpn-filter value vpn-filtering


Add/modify your tunnel Group:

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy EXAMPLE-GP

 

PS: Please note that in the above access list to filter vpn traffic, the source address should be always the destination address (Branch B assuming we are applying these commands on Branch A ASA) and the port should be always the port used on the destination end.

 

For example this ace would block www traffic from Branch A to Branch B:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0

 

And this one would block www traffic from Branch B to Branch A:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www

 

Regards,

Aref

796
Views
0
Helpful
5
Replies