New Member

VPN tunnel help

Hello..

I am facing an issue with a VPN tunnel. I am running several L2L VPN tunnels on my ASA and have configured "sysopt connection permit-vpn". Currently I am setting up a new L2L tunnel and I want to restrict some ports from the remote end to my end servers, but I am unable to do that, due to, I believe, "sysopt connection permit-vpn". I cannot remove this config as it will impact the other tunnels.

Please help me: how could I allow only specific ports into the L2L tunnel from outside?

5 REPLIES
VIP Purple

VPN tunnel help

You can use the vpn-filter for that:

1) configure an ACL where you specify the allowed traffic from your remote-side.

2) attach this ACL to a group-policy.

3) attach the group-policy to your tunnel-group.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Super Bronze

VPN tunnel help

Also,

Remember that if you are going to configure a Filter ACL for the L2L VPN then the ACL format will be different.

You will always use the remote network as the source of the ACL statement. You will simply use the ports to tell what traffic is allowed.

For example, allowing RDP / TCP/3389 to the remote site:

Local network: 10.10.10.0 255.255.255.0

Remote network: 192.168.10.0 255.255.255.0

access-list L2LVPN-FILTER permit tcp 192.168.10.0 255.255.255.0 eq 3389 10.10.10.0 255.255.255.0

One option you could consider is changing the setting you mention, "sysopt connection permit-vpn".

What you could do is

  • Configure in your "outside" interface ACL that all traffic from the remote networks of the existing L2L VPN connections are allowed
  • After this change the sysopt setting to "no sysopt connection permit-vpn"

So you would basically first make sure that the traffic will be allowed from the existing connections and then change the global setting and the connections for the existing L2L VPNs would still be allowed like usual.

After this you could configure the ACL rules you want for this new connection.

I personally find the "no sysopt connection permit-vpn" solution a lot simpler and more convenient when limiting VPN traffic than configuring separate VPN Filter ACLs, especially in the case of L2L VPN.

- Jouni
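The "remote side is always the source" rule above is easy to get wrong, so here is a small added example (not from the thread or from Cisco) that renders vpn-filter ACEs from the intended direction of the connection and then evaluates packets against them the way the ASA does, i.e. with source and destination swapped for traffic heading into the tunnel. The addresses and ports are the ones from this thread; the helper names and the port-number ACE tuple format are my own.

```python
"""Render and evaluate ASA vpn-filter ACEs (added example, not from the thread).

A vpn-filter ACL is written with the REMOTE side as source and is applied to
both directions: packets leaving the tunnel are matched as written, packets
entering it are matched with src/dst swapped. The port operator therefore
belongs on whichever side answers the connection, not on the "destination".
"""
import ipaddress

def _addr(spec):
    """'10.30.11.5' -> 'host 10.30.11.5'; a 'net mask' string is kept verbatim."""
    return spec if " " in spec else f"host {spec}"

def _net(spec):
    """Accept 'a.b.c.d' or 'a.b.c.d m.m.m.m' and return an ip_network."""
    return ipaddress.ip_network(spec.replace(" ", "/"), strict=False)

def vpn_filter_ace(name, proto, remote, local, port, initiated_by_remote):
    """One ACE: remote is always the source; the port goes on the responder side."""
    src, dst = _addr(remote), _addr(local)
    if initiated_by_remote:          # remote client -> local server:port
        return f"access-list {name} permit {proto} {src} {dst} eq {port}"
    return f"access-list {name} permit {proto} {src} eq {port} {dst}"  # local -> remote:port

def permits(aces, proto, src_ip, src_port, dst_ip, dst_port, from_remote):
    """Match one packet against (proto, remote, local, port, initiated_by_remote)
    tuples as the ASA does; anything unmatched falls into the implicit deny."""
    if not from_remote:              # pre-encrypt direction: swap so remote is source
        src_ip, src_port, dst_ip, dst_port = dst_ip, dst_port, src_ip, src_port
    for p, remote, local, port, by_remote in aces:
        if p != proto:
            continue
        if ipaddress.ip_address(src_ip) not in _net(remote):
            continue
        if ipaddress.ip_address(dst_ip) not in _net(local):
            continue
        if (dst_port if by_remote else src_port) == port:
            return True
    return False

# Constructed sample: the thread's scenario (remote client 192.168.110.15 may reach
# two local servers on 80/443/1433 only) plus Jouni's RDP-to-remote-site rule.
ACES = [("tcp", "192.168.110.15", srv, port, True)
        for srv in ("10.30.11.5", "10.30.11.10") for port in (80, 443, 1433)]
ACES.append(("tcp", "192.168.10.0 255.255.255.0", "10.10.10.0 255.255.255.0", 3389, False))

def render(name="L2LVPN-FILTER"):
    """Return the ACL lines in ASA syntax, in the order they would be applied."""
    return [vpn_filter_ace(name, *a) for a in ACES]

if __name__ == "__main__":
    print("\n".join(render()))
```

Note that a remote-initiated ACE with the port on the destination does not permit a connection the local server opens towards the remote host on that same port; that needs its own ACE with the port on the source side.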

New Member

VPN tunnel help

Hi Jouni

It would be really helpful if you could share a config as an example.

For outside--

source ip : 192.168.110.15

destination ip : 10.30.11.5 & 10.30.11.10

remote peer : 212.39.6.141

Need to allow only these ports for the client: 80, 443, 1433

Super Bronze

Re: VPN tunnel help

Hi,

I guess you mean the VPN Filter way then. I personally prefer to use the other way though.

access-list L2LVPN-FILTER remark Allow only certain ports for remote site
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 80
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 443
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.5 eq 1433
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 80
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 443
access-list L2LVPN-FILTER permit tcp host 192.168.110.15 host 10.30.11.10 eq 1433

group-policy L2LVPN-POLICY internal
group-policy L2LVPN-POLICY attributes
  vpn-filter value L2LVPN-FILTER

tunnel-group 212.39.6.141 type ipsec-l2l
tunnel-group 212.39.6.141 general-attributes
  default-group-policy L2LVPN-POLICY

For example, the above:

  • Created VPN Filter ACL
  • Created a Group Policy to which the VPN Filter ACL is attached with the command "vpn-filter value"
  • Attached the Group Policy to the L2L VPN connection under the "tunnel-group"

- Jouni

New Member

VPN tunnel help

Thanks Jouni.. It's working.
