Cisco Support Community
New Member

ASA5540 ACL not working for VPN access.

I'm running 8.03 code and have a simple L2L VPN configured between two sites. This is actually a test config in my lab, but I'm having trouble restricting traffic using an inside ACL.

I used the VPN Wizard to do the initial config and then added an inside (out)ACL to restrict traffic once the tunnel comes up.

The crypto map is as follows:

access-list outside_1_cryptomap extended permit ip 164.72.1.128 255.255.255.240 host SunMed_pc

Then I have an ACL to limit traffic to pinging GHC_laptop, telnet to GHC_switch and deny everything else:

access-list inside_access_out extended permit icmp host SunMed_pc host GHC_Laptop

access-list inside_access_out extended permit tcp host SunMed_pc host GHC_switch eq telnet

access-list inside_access_out extended deny ip any any

However, SunMed_pc can also ping GHC_switch and can FTP to GHC_laptop, even though the hit counter on the 3rd entry (deny all) increases when I do that.

I've attached a Word document that has the entire config along with a screen shot showing the ACL and the hits.

Do I have the ACL set up incorrectly or is the ACL in fact not working as expected?

ACCEPTED SOLUTION
Green

Re: ASA5540 ACL not working for VPN access.

You can still keep all IP for your interesting traffic ACLs. If you remove the sysopt, then you would write the access in your "inside_access" ACL like you did above.

If you are going to have dozens of L2L tunnels, and will be restricting them all, then I would just remove the sysopt and use the interface ACLs.

There is another option. You can leave the sysopt and use a vpn-filter. It is explained here and can be applied to l2l.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1524559

3 REPLIES
Green

Re: ASA5540 ACL not working for VPN access.

As long as you have "sysopt connection permit-vpn", all IPsec traffic will bypass interface ACLs. If you wish to filter IPsec traffic with interface ACLs, then you have to enter...

no sysopt connection permit-vpn

In ASDM, this option is located at

Config -> site to site vpn -> advanced -> system options -> "enable inbound ipsec sessions to bypass interface access lists"
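The two approaches described in the replies (dropping the sysopt bypass so the interface ACL is enforced, or keeping the bypass and attaching a vpn-filter to the tunnel's group policy), written out as an added ASA 8.0 configuration example. This is not configuration from the thread, the attached Word document, or Cisco's documentation. The host object names SunMed_pc, GHC_Laptop and GHC_switch come from the original post; the ACL name VPN_FILTER_SUNMED, the group-policy name SUNMED_L2L_GP and the peer address 203.0.113.10 are assumed placeholders. The vpn-filter direction convention (remote peer-side host as source, local host as destination, evaluated for both directions of the tunnel) is the one documented in the linked Cisco vpn-filter example and should be checked against it on your code version.

```cisco
! ===== Option A: keep "sysopt connection permit-vpn", restrict with a vpn-filter =====
! The crypto-map ACL stays "permit ip" (all traffic remains interesting traffic);
! the vpn-filter, not the interface ACL, decides what may cross the tunnel.
!
! vpn-filter ACL convention (assumed from the Cisco vpn-filter example):
!   source      = host behind the remote peer (SunMed_pc)
!   destination = local host (GHC_Laptop / GHC_switch), with the port on this side
! The filter is applied to post-decrypt and pre-encrypt traffic, so one entry
! covers both directions; the implicit deny at the end drops everything else,
! including SunMed_pc pinging GHC_switch or FTPing to GHC_Laptop.
access-list VPN_FILTER_SUNMED extended permit icmp host SunMed_pc host GHC_Laptop
access-list VPN_FILTER_SUNMED extended permit tcp host SunMed_pc host GHC_switch eq telnet
!
! Assumed group-policy name; attach the filter here, then bind the policy to the
! L2L tunnel-group (peer address is a placeholder).
group-policy SUNMED_L2L_GP internal
group-policy SUNMED_L2L_GP attributes
 vpn-filter value VPN_FILTER_SUNMED
!
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SUNMED_L2L_GP
!
! The filter is picked up when the tunnel is (re)established; if the SA is already
! up, tear it down so the new policy applies:
!   clear crypto ipsec sa peer 203.0.113.10
! Verify: "show access-list VPN_FILTER_SUNMED" hit counts should increase for the
! two permit lines and denied traffic should fail end to end, not just count.

! ===== Option B: remove the bypass, enforce the existing interface ACL =====
! With the sysopt removed, decrypted tunnel traffic is evaluated by the interface
! ACLs like any other traffic, so the ACL from the original post now drops what it
! denies instead of only counting hits.
no sysopt connection permit-vpn
access-group inside_access_out out interface inside

! Pick one option per tunnel. If a vpn-filter and an interface ACL are both
! present, traffic has to be permitted by both before it is forwarded.
```

Option B scales better when every one of the dozens of tunnels will be restricted, since the ACLs live on the interface and are maintained in one place; Option A keeps the bypass for tunnels that should stay open and restricts only the ones that get a filtered group policy. Do not reuse the vpn-filter ACL as an interface ACL, because the source/destination convention differs between the two.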

New Member

Re: ASA5540 ACL not working for VPN access.

If I keep sysopt connection permit-vpn, is there no way to restrict traffic? I was told to keep all IP as interesting traffic as a best practice when building L2L VPNs, but I must be able to restrict traffic.

What would be the best config method then if I simply wanted SunMed_pc to telnet to GHC_switch?

Also, this ASA-5540 will strictly be for L2L VPN connections and will not be used as a firewall in any way, and I will eventually have dozens of VPNs configured on it. With that in mind, is it best to use 'sysopt connection permit-vpn'?

