New Member

IPSec VPN and ACL Issue

Hey,

I am using a Cisco ASA 5510 as my organization's firewall, which we purchased a few days ago. I have created an IPsec Remote Access VPN on it. My branch office is located in another city, which I need to connect through the VPN.

I have configured my IPsec VPN on the ASA with all the policies I need, and at the client end I installed the Cisco VPN Client software. Now I can connect to my VPN server (the ASA) from my branch office. I am also getting an IP address from the pool which I allocated during setup of the VPN.

Public IP configured on my ASA (outside): 203.75.180.2

Inside IP: 10.10.4.11

My local network is running on 10.10.x.x 255.255.0.0

VPN client pool: 10.10.21.1-10.10.21.15 255.255.255.240

I want to apply an ACL to my VPN traffic so that it is restricted: I don't want my VPN users to access any resource at my head office except 2 web applications and 1 software application.

Initially, I can ping from head office to branch office and vice versa after the VPN is connected, with no ACLs configured.

Now my question is, in what way do I need to apply the ACL between my outside and inside users? I tried to apply an ACL, but still all my resources are available to the 10.10.21.0 users.

access-list 101 deny tcp 10.10.21.0 255.255.255.240 10.10.2.11 255.255.255.255 eq http

access-group 101 in interface outside

This is the ACL which I have applied on my outside interface, but even after that I can still access 10.10.2.11 from my branch office.

Can anyone help me out?

1 REPLY
New Member

Re: IPSec VPN and ACL Issue

sysopt connection permit-ipsec is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL. You could either remove that command, which is not necessarily recommended, or, if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass NAT for the addresses you want to allow users to access.

Remember, if you remove "sysopt connection permit-ipsec", you'll have to specifically allow access to any service you want VPN users to access.

Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.

You should probably also edit your post and remove your public IP address.

HTH
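A worked configuration for the first approach the reply describes (turning off the sysopt bypass and then permitting only the wanted services on the outside interface ACL), added here as an example; it is not from the original thread. It assumes ASA 8.2-style syntax (on ASA 7.x and later the command is `sysopt connection permit-vpn`; `permit-ipsec` was the PIX 6.x name), the addressing from the question, and hypothetical server addresses and ports for the three permitted applications (10.10.2.11 and 10.10.2.12 on tcp/80 for the two web applications, 10.10.2.20 on tcp/1433 for the software application). The ACL names `outside_in` and `nonat` are also assumed.

```cisco
! Added example, not from the original post. Hypothetical: ACL names outside_in
! and nonat, and the three server addresses/ports below.

! 1. Stop decrypted VPN traffic from bypassing the outside interface ACL.
!    Default is enabled; with it on, interface ACLs are never consulted for
!    tunnel traffic, which is why ACL 101 in the question had no effect.
no sysopt connection permit-vpn

! 2. Permit only the three applications from the VPN pool, then deny (and log)
!    everything else from the pool into the head-office network. An interface
!    ACL ends with an implicit deny, so nothing outside these lines is reachable.
access-list outside_in extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.11 eq www
access-list outside_in extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.12 eq www
access-list outside_in extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.20 eq 1433
access-list outside_in extended deny ip 10.10.21.0 255.255.255.240 10.10.0.0 255.255.0.0 log
access-group outside_in in interface outside

! 3. NAT exemption so inside servers talk to the VPN pool untranslated (8.2 syntax).
!    Keep this for the whole pool; the interface ACL above does the restricting.
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.21.0 255.255.255.240
nat (inside) 0 access-list nonat
```

Two things to check before applying this on a production box. First, `access-group ... in interface outside` replaces whatever ACL is already bound to the outside interface, so if one exists (for published services, for example), add these ACEs to it instead of binding a new list. Second, once the sysopt bypass is off, the head-office to branch ping the question mentions will stop unless ICMP is permitted explicitly; that is the "you'll have to specifically allow access to any service" point in the reply. An alternative that keeps the sysopt default in place is to apply the same permit lines (pool as source, servers as destination) as a `vpn-filter value <acl>` under the group-policy attributes for that VPN group, which scopes the restriction to those VPN users rather than to all inbound outside traffic. Separately, the pool 10.10.21.0/28 falls inside the 10.10.0.0/16 inside network; a pool outside that range avoids overlap problems altogether.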
