Solved: VPN tunnel help

Anukalp S · ‎07-09-2013

Hello..

I am facing an issue on VPN tunnel. I am running several L2L vpn tunnel in my ASA and configured "sysopt connection permit-vpn". Currently i am setting up a new l2l tunnel and i want to restrict some ports from remote end to my end servers but i am unable to do that due to i believe "sysopt connection permit-vpn". I cannot remove this config as it will impact others tunnel.

Pls help me how could i allow only specfic ports into l2l tunnel from outside.

Jouni Forss · ‎07-09-2013

Hi,

I guess you mean the VPN Filter way then. I personally prefer to use the other way though.

access-list L2LVPN-FILTER remark Allow only certain ports for remote site

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 80

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 443

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 1433

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 80

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 443

access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 1433

group-policy L2LVPN-POLICY internal

group-policy L2LVPN-POLICY attributes

vpn-filter value L2LVPN-FILTER

tunnel-group 212.39.6.141 type ipsec-l2l

tunnel-group 212.39.6.141 general-attributes

default-group-policy L2LVPN-POLICY

For example the above

Created VPN Filter ACL
Created a Group Policy to which the VPN Filter ACL is attached with the command "vpn-filter value"
Attached the Group Policy to the L2L VPN connection under the "tunnel-group"

- Jouni

View solution in original post

Karsten Iwen · ‎07-09-2013

You can use the vpn-filter for that:

1) configure an ACL where you specify the allowed traffic from your remote-side.

2) attach this ACL to a group-policy.

3) attach the group-policy to your tunnel-group.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Jouni Forss · ‎07-09-2013

Also,

Remember that if you are going to configure a Filter ACL for the L2L VPN then the ACL format will be different.

You will always use the remote network as the source of the ACL statement. You will simply use the ports to tell what traffic is allowed.

For example allowing RDP / TCP/3389 to remote site

Local network: 10.10.10.0 255.255.255.0

Remote network: 192.168.10.0 255.255.255.0

access-list L2LVPN-FILTER permit tcp 192.168.10.0 255.255.255.0 eq 3389 10.10.10.0 255.255.255.0

One option you could considering is changing the setting you mention "sysopt connection permit-vpn"

What you could do is

Configure in your "outside" interface ACL that all traffic from the remote networks of the existing L2L VPN connections are allowed
After this change the sysopt setting to "no sysopt connection permit-vpn"

So you would basically first make sure that the traffic will be allowed from the existing connections and then change the global setting and the connections for the existing L2L VPNs would still be allowed like usual.

After this you could configure the ACL rules you want for this new connection.

I personally find the "no sysopt connection permit-vpn" solution a lot simpler and convinient when limiting VPN traffic than configuring separate VPN Filter ACLs. Especially in the cases of L2L VPN

- Jouni

Anukalp S · ‎07-09-2013

Hi Jouni

It woould be really helpfull if you can share config as example.

For outside--

source ip : 192.168.110.15

destination ip : 10.30.11.5 & 10.30.11.10

remote peer : 212.39.6.141

Need to allow only ports for client : 80,443,1433

Jouni Forss · ‎07-09-2013