Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1288
Views
10
Helpful
4
Replies

VPN filtering

Go to solution
jacobs_son
Level 1
Level 1

‎04-14-2010 08:47 AM - edited ‎03-11-2019 10:32 AM

Hello all, very quick one for you:

I want to create a L2L tunnel that allows all traffic in one direction for management purposes, and just port 80 traffic back in the other direction.

I'm guessing this isn't possible with just the match access-lists (they need to match in the SA right?), so is creating a VPN filter the right way to go?

Any advice welcome.

Thanks.

Labels:
3 Accepted Solutions

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-14-2010 09:05 AM

Hi,

The devices involved in the L2L tunnel are ASAs?

If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.

The filter refers to an ACL where you specify the permitted traffic.

Federico.

View solution in original post

Go to solution
Kelvin Willacey
Level 4
Level 4

‎04-14-2010 08:38 PM

You are right that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and the vpn filters should be used on the specific tunnel groups. See link below.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to jacobs_son

‎04-15-2010 03:09 AM

Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statement should be mirror image on both end.

Example:

Site A LAN: 10.1.1.0/24

Site B LAN: 10.2.2.0/24

Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0  255.255.255.0

Then if you would like to restrict it, as Federico and Kevin said, you can use vpn-filter ACL.

Here is the sample configuration on vpn-filter for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-14-2010 09:05 AM

Hi,

The devices involved in the L2L tunnel are ASAs?

If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.

The filter refers to an ACL where you specify the permitted traffic.

Federico.

Go to solution
Kelvin Willacey
Level 4
Level 4

‎04-14-2010 08:38 PM

You are right that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and the vpn filters should be used on the specific tunnel groups. See link below.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

0 Helpful

Go to solution
jacobs_son
Level 1
Level 1
In response to Kelvin Willacey

‎04-15-2010 02:58 AM

Hi, thanks for the replies.

The devices at both ends are ASA's. To be honest I wasn't sure if I could just do something like "permit ip 10.0.0.0/24 10.1.0.0/24" at one end in the match statement and "permit tcp 10.1.0.0/24 10.0.0.0/24 eq 80" at the other end. Do the match staements actually need to be identical for the tunnel to establish? If  I did something like this and wanted to RDP from the management network, would the traffic get back because the TCP session state will already be present on the remote device, or will it not because only port 80 is allowed back the other way?

I'll go with the VPN filtering, but if anyone could clarify the points above for me that would be much appreciated.

James

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to jacobs_son

‎04-15-2010 03:09 AM

Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statement should be mirror image on both end.

Example:

Site A LAN: 10.1.1.0/24

Site B LAN: 10.2.2.0/24

Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0  255.255.255.0

Then if you would like to restrict it, as Federico and Kevin said, you can use vpn-filter ACL.

Here is the sample configuration on vpn-filter for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card