Trying to apply filtering on VPN tunnel but it can't be applied!!!

Hi all,

I have ASA 8.4 IOS with the topology as:

10.2.0.0/16---------asa1----------internet------asa2------10.0.0.0/16

On asa1 we have an IPsec tunnel to asa2 and it's fine.

I just want to make some rules on the IPs of the VPN tunnel to have an access list applied.

I'm trying to apply the ahmad rule on the VPN tunnel IPs but no luck!!!!!!

But all my trials failed??!!!

Can someone tell me why I can't apply rules on the tunnel's local LAN??

I will post my running config here.

I tried the policy VPN but no luck.

Here is my config:

Result of the command: "show run"

: Saved
:
ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
domain-name ids-server.secureserver.net
enable password NE.k5UQQa8uyFkBo encrypted
passwd NE.k5UQQa8uyFkBo encrypted
names
name xx.140.228 publicip description natting the branch
name xx.189.48 a1
name xx.178.213 a2
name xx.35.180 a3
name xx.78.65 a4
name xx.41.35 a5
name 8.8.8.8 a7
name 8.8.4.4 a8
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x0.229 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ids-server.secureserver.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service openvpn tcp-udp
 description openvpn port
 port-object eq 1194
object-group service pptp tcp-udp
 description pptp
 port-object eq 1723
object-group network Restriction
 description Restriction to specific ips
 network-object host 10.0.0.1
 network-object host a3
 network-object host a4
 network-object host a5
 network-object host a8
 network-object host a7
 network-object host a1
 network-object host a2
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended permit tcp any any eq 8880 
access-list outside_access_in extended deny tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended deny tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended deny tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit ip 10.2.0.0 255.255.0.0 any 
access-list outside_access_in extended permit object-group TCPUDP any any object-group openvpn 
access-list outside_access_in extended permit ip 10.8.0.0 255.255.255.0 any 
access-list outside_access_in extended permit tcp any any object-group pptp 
access-list outside_access_in extended permit ip 10.9.0.0 255.255.255.0 any 
access-list outside_access_in extended permit gre any any 
access-list inside_access_in remark Only allow those and go block the other rules
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 object-group Restriction 
access-list inside_access_in remark deny the others
access-list inside_access_in extended deny ip 10.2.0.0 255.255.0.0 any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit object-group TCPUDP any any object-group openvpn 
access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 10.2.0.0 255.255.0.0 
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 10.8.0.0 255.255.255.0 
access-list inside_access_in extended permit ip 10.9.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 10.2.0.0 255.255.0.0 10.9.0.0 255.255.255.0 
access-list inside_access_in extended permit tcp any any object-group pptp 
access-list outside_1_cryptomap extended permit ip any 10.2.0.0 255.255.0.0 
access-list outside_1_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any 
access-list inside_nat0_outbound extended permit ip any 10.2.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 any 
access-list inside_nat0_outbound extended permit ip any 10.8.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.255.0 any 
access-list spaceinsight_splitTunnelAcl standard permit any 
access-list spaceflight_splitTunnelAcl standard permit any 
access-list ahmad extended permit ip 10.2.0.0 255.255.0.0 object-group Restriction 
access-list ahmad extended deny ip 10.2.0.0 255.255.0.0 any 
access-list ahmad extended permit ip any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip local pool warriors 10.0.0.100-10.0.0.150 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 10.2.0.0 255.255.0.0
static (outside,inside) 10.0.0.1 x.x.140.216 netmask 255.255.255.255 
static (inside,outside) x.x.140.216 10.0.0.1 netmask 255.255.255.255 
static (inside,inside) x.x.140.233 10.0.0.2 netmask 255.255.255.255 
static (outside,inside) 10.0.0.2 x.x.140.233 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.254 1
route outside 0.0.0.0 255.255.255.0 x.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer x.x.30.140 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-filter value ahmad
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ahmad
 vpn-tunnel-protocol IPSec 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter value ahmad
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username identysol password yjb8.0BXBtvyY3hC encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group x.x.30.140 type ipsec-l2l
tunnel-group x.x.30.140 general-attributes
 default-group-policy GroupPolicy2
tunnel-group x.x.30.140 ipsec-attributes
 pre-shared-key *
tunnel-group identysol type remote-access
tunnel-group identysol ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context 
Cryptochecksum:5fc7b68cf1f1dc6170cc6a15ec3e4106
: end
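The point that usually trips people up with `vpn-filter` is the orientation of the ACL: it is written with the remote (tunnel) side as the source and the local side as the destination, and the ASA applies that same ACL to traffic in both directions, swapping source and destination for locally originated packets. The evaluator below is an added example, not code from the post or from Cisco. It parses a constructed excerpt of the posted config (the `name`, `object-group network Restriction` and `access-list ahmad` lines; the masked hosts a1..a5 are left out because their addresses are not readable on the page), evaluates the ACL first-match with the implicit deny, and then shows what the `ahmad` filter decides for a few sample flows. The function names are mine, and only protocol `ip` ACEs are supported, which is all that ACL uses.

```python
import ipaddress

# Constructed excerpt of the lines from the posted running config that the
# vpn-filter depends on. a7/a8 are as posted; the masked hosts a1..a5 are omitted.
CONFIG = """\
name 8.8.8.8 a7
name 8.8.4.4 a8
object-group network Restriction
 network-object host 10.0.0.1
 network-object host a8
 network-object host a7
access-list ahmad extended permit ip 10.2.0.0 255.255.0.0 object-group Restriction
access-list ahmad extended deny ip 10.2.0.0 255.255.0.0 any
access-list ahmad extended permit ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _host(token, names):
    # 'host X' where X is either a literal address or a configured 'name'
    return ipaddress.ip_network(names.get(token, token) + "/32")


def _addr_term(tok, i, names, groups):
    """Parse one ACE address term starting at tok[i]; return (networks, tokens consumed)."""
    if tok[i] == "any":
        return [ANY], 1
    if tok[i] == "host":
        return [_host(tok[i + 1], names)], 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], 2
    # 'A.B.C.D M.M.M.M' with a dotted mask, as the ASA writes it
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], 2


def parse_config(text):
    """Return {acl_name: [(action, src_nets, dst_nets), ...]} in config order.
    Only protocol 'ip' ACEs are handled (hypothetical helper; raises on others)."""
    names, groups, acls = {}, {}, {}
    group = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            if tok[1] == "host":
                group.append(_host(tok[2], names))
            else:
                group.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "access-list" and tok[2] == "extended":
            action, proto = tok[3], tok[4]
            if proto != "ip":
                raise ValueError(f"unsupported protocol in ACE: {line}")
            src, n = _addr_term(tok, 5, names, groups)
            dst, _ = _addr_term(tok, 5 + n, names, groups)
            acls.setdefault(tok[1], []).append((action, src, dst))
    return acls


def lookup(acl, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny every ASA ACL has."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_nets, dst_nets in acl:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "deny"


def vpn_filter_verdict(acl, local_ip, remote_ip):
    """A vpn-filter ACL is written remote -> local. The ASA applies it to traffic
    in both directions, checking locally originated packets with source and
    destination swapped, so a single lookup with the remote address as source
    decides the flow regardless of which side opened it."""
    return lookup(acl, remote_ip, local_ip)


if __name__ == "__main__":
    ahmad = parse_config(CONFIG)["ahmad"]
    # Sample flows (constructed): a branch host 10.2.1.5 against three local targets
    for local, remote in [("10.0.0.1", "10.2.1.5"), ("8.8.8.8", "10.2.1.5"), ("10.0.0.50", "10.2.1.5")]:
        print(f"{remote} <-> {local}: {vpn_filter_verdict(ahmad, local, remote)}")
```

Read literally, the third ACE (`permit ip any any`) looks as if local hosts could reach anything on the branch, but because the filter is always checked with the branch as source, a flow between 10.0.0.50 and 10.2.1.5 falls through to the `deny ip 10.2.0.0 255.255.0.0 any` line whichever side starts it. Two further things worth checking against the posted config: the filter only takes effect through the group policy the L2L tunnel-group actually uses (here `GroupPolicy2` via `default-group-policy`), and with `no sysopt connection permit-vpn` set, decrypted tunnel traffic must additionally pass the interface ACL (`outside_access_in`), so both ACLs have to agree before a packet is forwarded.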