block access on a site to site vpn

ronshuster
Level 1

I have a site-to-site VPN (between two ASAs) which works just fine, however we want to have control over:

1) the ability to bring up the VPN tunnel only if one site initiates traffic. If that site does not initiate traffic, the tunnel should not come up.

2) the ability for one site to access resources from the other site but not vice versa.

Any ideas?


Posted this before, but maybe it didn't work out. Use the vpn-filter option to filter the traffic.

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq xxx

etc.

As I wrote above, the filter works. But you cannot access the remote VPN subnet from the local subnet.

I keep receiving this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Sorry, there are a lot of posts to try to keep straight.

No problem. Any new thoughts or solutions?

Those are really your only 2 options. Has the other guy in this thread tried the vpn-filter? I have used it before on an L2L tunnel and it worked OK.

I have tried the vpn-filter in an L2L setup.

Although Cisco claims that the filter works bidirectionally, it works only from the client side. The only thing that works bidirectionally is ICMP.

When I apply the vpn-filter, from my LAN I cannot connect to the client side on any port.

This is the error I get every time I try to connect:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Where 172.16.10.0 is my LAN and 192.168.1.0 is the client's LAN.

Well, I think I have found the solution to filter the client side on the ASA. Not exactly as I would like to, but hey, it's a step.

VPN filtering works in L2L. To see it working, make sure that you don't have PFS enabled.

Every rule that you create works bidirectionally, remember that.

I am joining the club!

What does bidirectional mean? Does it mean

the remote site can reply with ACKs? Or does it mean the remote site can create SYNs whenever the local site is able to? That's not a solution....

pengfang
Level 1

Hi guys, hope it's not too late to join the club :) Here are my thoughts:

1 vpn-filter

As Cisco said, "If TCP/UDP ports are not used with the access list, both sides can access each other", so I wrote the following vpn-filter access-list, which can control traffic from the remote site but allows all traffic to the remote site:

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq # allow remote to access a specific local TCP resource #

access-list vpnfilter extended permit udp eq # allow remote to access a specific local UDP resource #

access-list vpnfilter extended deny tcp any any # deny TCP traffic from remote to local #

access-list vpnfilter extended deny udp any any # deny UDP traffic from remote to local #

access-list vpnfilter extended permit ip # allow local to access any remote resource; traffic originated from remote will never hit this entry, it is denied by the two ACEs above #

If you want to deny all traffic from remote but allow all traffic to remote, you can use the following vpn-filter access-list OR the second method:

access-list vpnfilter extended deny tcp any any

access-list vpnfilter extended deny udp any any

access-list vpnfilter extended permit ip

2 outbound access-list on inside interface

access-list inside_access_out deny ip

access-list inside_access_out permit ip any any

access-group inside_access_out inside out

None of this config has been verified. If anyone could test it, please post the result, thanks.

HTH
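To check what each kind of vpn-filter entry really allows in each direction, here is a small model of the ASA's documented vpn-filter evaluation (added example, not code from the thread or from Cisco): entries are written with source = remote network and destination = local network, inbound post-decrypt packets are matched as-is, outbound pre-encrypt packets are matched with source and destination swapped, first match wins, and there is an implicit deny. The networks, hosts and the ephemeral port 2824 are taken from the thread; the policy lists are constructed to compare a port-qualified entry, a source-port entry, a port-less entry, and a blanket TCP deny ahead of a port-less permit.

```python
from ipaddress import ip_network, ip_address

# Constructed sample networks matching the thread: local LAN and the remote (client) LAN.
LOCAL = ip_network("172.16.10.0/24")
REMOTE = ip_network("192.168.1.0/24")

def ace(action, proto, src=None, sport=None, dst=None, dport=None):
    """One access-list entry. src/dst are networks (None = any); ports are ints (None = any)."""
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def _matches(e, proto, src, sport, dst, dport):
    if e["proto"] not in ("ip", proto):
        return False
    if e["src"] is not None and ip_address(src) not in e["src"]:
        return False
    if e["dst"] is not None and ip_address(dst) not in e["dst"]:
        return False
    if e["sport"] is not None and e["sport"] != sport:
        return False
    return e["dport"] is None or e["dport"] == dport

def vpn_filter(acl, proto, src, sport, dst, dport, outbound=False):
    """Return 'permit' or 'deny' for one packet. ACEs are written as source = remote network,
    destination = local network; an outbound (local -> remote) packet is matched with
    source and destination swapped, which is how one ACL covers both directions."""
    if outbound:
        src, sport, dst, dport = dst, dport, src, sport
    for e in acl:
        if _matches(e, proto, src, sport, dst, dport):
            return e["action"]
    return "deny"  # implicit deny at the end of every ACL

def connection_allowed(acl, proto, client, server, dport, client_is_remote):
    """Can client open a connection to server:dport? Checks the first packet and its reply."""
    sport = 2824  # constructed ephemeral port, as in the syslog line quoted in the thread
    first = vpn_filter(acl, proto, client, sport, server, dport, outbound=not client_is_remote)
    reply = vpn_filter(acl, proto, server, dport, client, sport, outbound=client_is_remote)
    return first == "permit" and reply == "permit"

RDP_FROM_REMOTE = [ace("permit", "tcp", REMOTE, None, LOCAL, 3389)]   # remote opens RDP to local
WEB_TO_REMOTE = [ace("permit", "tcp", REMOTE, 80, LOCAL, None)]       # remote port 80 as SOURCE
ANY_BOTH_WAYS = [ace("permit", "ip", REMOTE, None, LOCAL, None)]      # no ports: both directions
DENY_THEN_PERMIT = [ace("deny", "tcp"), ace("permit", "ip", REMOTE, None, LOCAL, None)]

if __name__ == "__main__":
    for name, acl in [("rdp", RDP_FROM_REMOTE), ("web", WEB_TO_REMOTE),
                      ("any", ANY_BOTH_WAYS), ("deny-then-permit", DENY_THEN_PERMIT)]:
        r2l = connection_allowed(acl, "tcp", "192.168.1.2", "172.16.10.13", 3389, True)
        l2r = connection_allowed(acl, "tcp", "172.16.10.13", "192.168.1.2", 80, False)
        print(f"{name}: remote->local:3389 {r2l}, local->remote:80 {l2r}")
```

The last policy shows that a `deny tcp any any` placed before the port-less `permit ip` is itself matched in both directions, so TCP initiated from the local LAN never reaches the `permit ip` entry while ICMP still does; to let the local side initiate, the permit has to name the remote port as the source port, as in `WEB_TO_REMOTE`.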
