Community Member

VPN filtering

Hello all, very quick one for you:

I want to create a L2L tunnel that allows all traffic in one direction for management purposes, and just port 80 traffic back in the other direction.

I'm guessing this isn't possible with just the match access-lists (they need to match in the SA, right?), so is creating a VPN filter the right way to go?

Any advice welcome.

Thanks.

4 REPLIES

Re: VPN filtering

Hi,

The devices involved in the L2L tunnel are ASAs?

If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.

The filter refers to an ACL where you specify the permitted traffic.

Federico.

Re: VPN filtering

You are right, that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and that the vpn filters should be used on the specific tunnel groups. See the link below.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Community Member

Re: VPN filtering

Hi, thanks for the replies.

The devices at both ends are ASAs. To be honest I wasn't sure if I could just do something like "permit ip 10.0.0.0/24 10.1.0.0/24" at one end in the match statement and "permit tcp 10.1.0.0/24 10.0.0.0/24 eq 80" at the other end. Do the match statements actually need to be identical for the tunnel to establish? If I did something like this and wanted to RDP from the management network, would the traffic get back because the TCP session state will already be present on the remote device, or will it not because only port 80 is allowed back the other way?

I'll go with the VPN filtering, but if anyone could clarify the points above for me that would be much appreciated.

James

Cisco Employee

Re: VPN filtering

Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statements should be mirror images on both ends.

Example:

Site A LAN: 10.1.1.0/24

Site B LAN: 10.2.2.0/24

Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

Then if you would like to restrict it, as Federico and Kevin said, you can use vpn-filter ACL.

Here is the sample configuration on vpn-filter for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.
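Putting the replies together, here is an added configuration sketch for the Site A (management side) ASA; it is not from the thread or from Cisco's linked document. Addresses follow the example above, while the peer address 203.0.113.2, the names L2L-SITEB-* and outside_access_in, and an already configured IKE policy, crypto map and pre-shared key are assumptions. It also goes one step beyond the thread: because a vpn-filter is evaluated in both directions, the one-way policy James asked about is expressed with the outside interface ACL instead.

```cisco
! Site A ASA (management side, LAN 10.1.1.0/24); Site B LAN is 10.2.2.0/24.
! Assumed: peer 203.0.113.2, names L2L-SITEB-* and outside_access_in, and an
! existing IKE policy, transform set, crypto map and pre-shared key.

! 1. Crypto ACL: IP to IP, the mirror image of the one on Site B.
access-list crypto-acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 2. vpn-filter ACL (the approach from the replies). It is written with the
!    REMOTE LAN as source and the LOCAL LAN as destination. The ASA checks it
!    in both directions and swaps source and destination for traffic entering
!    the tunnel, so "permit ip" here would open the tunnel fully both ways.
!    This ACE lets Site B reach Site A on TCP/80 only; because of the swap it
!    lets Site A initiate only from source port 80, so a vpn-filter alone
!    cannot express "everything from A, only port 80 from B".
access-list L2L-SITEB-FILTER extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80

group-policy L2L-SITEB-GP internal
group-policy L2L-SITEB-GP attributes
 vpn-filter value L2L-SITEB-FILTER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-SITEB-GP

! 3. Direction-specific alternative (use 2 OR 3; with both, the vpn-filter
!    still blocks Site A -> Site B). Stop VPN traffic from bypassing the
!    interface ACL, then permit only TCP/80 from Site B on the outside
!    interface. Site A -> Site B sessions such as RDP are still allowed by
!    the default higher-to-lower security rule (if no ACL is applied to the
!    inside interface), and their return packets are matched by the
!    connection table, not by this ACL. Note that after this change every
!    decrypted VPN flow on "outside" is subject to outside_access_in, so any
!    existing entries for other tunnels must be kept in it.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
access-group outside_access_in in interface outside

! Verify the tunnel landed on the intended tunnel-group, group-policy and filter.
show vpn-sessiondb detail l2l
show running-config group-policy L2L-SITEB-GP
```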
