07-09-2013 04:16 AM - edited 03-11-2019 07:09 PM
Hello..
I am facing an issue on a VPN tunnel. I am running several L2L VPN tunnels on my ASA and have configured "sysopt connection permit-vpn". Currently I am setting up a new L2L tunnel and I want to restrict some ports from the remote end to my end servers, but I am unable to do that, due to, I believe, "sysopt connection permit-vpn". I cannot remove this config as it will impact the other tunnels.
Please help me: how could I allow only specific ports into the L2L tunnel from outside?
07-09-2013 04:29 AM
You can use the vpn-filter for that:
1) configure an ACL where you specify the allowed traffic from your remote side.
2) attach this ACL to a group-policy.
3) attach the group-policy to your tunnel-group.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
07-09-2013 04:35 AM
Also,
Remember that if you are going to configure a Filter ACL for the L2L VPN then the ACL format will be different.
You will always use the remote network as the source of the ACL statement. You will simply use the ports to tell what traffic is allowed.
For example, allowing RDP (TCP/3389) to the remote site:
Local network: 10.10.10.0 255.255.255.0
Remote network: 192.168.10.0 255.255.255.0
access-list L2LVPN-FILTER permit tcp 192.168.10.0 255.255.255.0 eq 3389 10.10.10.0 255.255.255.0
One option you could consider is changing the setting you mention, "sysopt connection permit-vpn".
What you could do is
So you would basically first make sure that the traffic will be allowed from the existing connections and then change the global setting and the connections for the existing L2L VPNs would still be allowed like usual.
After this you could configure the ACL rules you want for this new connection.
I personally find the "no sysopt connection permit-vpn" solution a lot simpler and more convenient when limiting VPN traffic than configuring separate VPN Filter ACLs, especially in the case of L2L VPNs.
- Jouni
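The point made in the post above, that a vpn-filter ACL is always written with the remote network as the source and that the port therefore lands on the source side when the local network initiates, is easy to get wrong. The following is an added example, not from the original thread or from Cisco: a small Python model of how the ASA evaluates a vpn-filter for an L2L tunnel. It parses the ACL syntax used in the thread (numeric ports only, "eq" only, no object groups), takes the post's RDP entry plus one constructed entry allowing remote-initiated HTTPS, and checks flows in both directions. The sample ACL, the remote network definition and the function names are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, based on the addresses in the post above. The RDP line is
# the one from the post; the second line is an added entry permitting
# remote-initiated HTTPS into the local network.
SAMPLE_ACL = """
access-list L2LVPN-FILTER remark remote network is always the source
access-list L2LVPN-FILTER permit tcp 192.168.10.0 255.255.255.0 eq 3389 10.10.10.0 255.255.255.0
access-list L2LVPN-FILTER permit tcp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
"""
REMOTE_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed peer side


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tok, i):
    """Parse 'any', 'host A' or 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def _port(tok, i):
    """Parse an optional 'eq N' (numeric ports only in this example)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the ACEs of one named ACL, skipping remarks and other ACLs."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue
        src, i = _net(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _net(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport))
    return aces


def vpn_filter_allows(aces, proto, src_ip, sport, dst_ip, dport, remote_nets) -> bool:
    """Model of vpn-filter evaluation for the first packet of a connection."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # The filter is applied to connections in both directions with the peer's
    # side as the ACE source, so a locally initiated connection is matched
    # with its addresses and ports swapped.
    if not any(src_ip in n for n in remote_nets):
        src_ip, sport, dst_ip, dport = dst_ip, dport, src_ip, sport
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if src_ip not in a.src or dst_ip not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action == "permit"
    return False  # implicit deny at the end of every ACL


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "L2LVPN-FILTER")
    print("local -> remote RDP :",
          vpn_filter_allows(acl, "tcp", "10.10.10.5", 51000, "192.168.10.7", 3389, REMOTE_NETS))
    print("remote -> local RDP :",
          vpn_filter_allows(acl, "tcp", "192.168.10.7", 51000, "10.10.10.5", 3389, REMOTE_NETS))
```

Running it shows the asymmetry the post describes: with "eq 3389" on the remote (source) side, RDP from the local network to the remote site is permitted, while RDP initiated from the remote site towards local hosts hits the implicit deny. To allow the latter, the port must be on the destination side, as in the HTTPS line of the sample.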
07-09-2013 05:06 AM
Hi Jouni
It would be really helpful if you could share a config as an example.
For outside:
source IP: 192.168.110.15
destination IPs: 10.30.11.5 & 10.30.11.10
remote peer: 212.39.6.141
Need to allow only these ports for the client: 80, 443, 1433
07-09-2013 05:14 AM
Hi,
I guess you mean the VPN Filter way then. I personally prefer to use the other way though.
access-list L2LVPN-FILTER remark Allow only certain ports for remote site
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 80
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 443
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 1433
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 80
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 443
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 1433
group-policy L2LVPN-POLICY internal
group-policy L2LVPN-POLICY attributes
vpn-filter value L2LVPN-FILTER
tunnel-group 212.39.6.141 type ipsec-l2l
tunnel-group 212.39.6.141 general-attributes
default-group-policy L2LVPN-POLICY
For example, the above.
- Jouni
07-09-2013 06:32 AM
Thanks Jouni. It's working.