10-22-2014 01:15 AM - edited 03-11-2019 09:58 PM
Dear Support,
Currently, I have configured a site-to-site VPN between two ASAs (Branch A and Branch B). Normally, a site-to-site VPN always permits the full range of IP addresses in the interesting traffic (access control list). But for my scenario I want to allow only some protocols (for example, only a TCP or UDP port) across the VPN tunnel. So, my question is: how could I configure a site-to-site VPN on a Cisco ASA to permit only a specific port?
Please find some information as attached file and as below:
Branch A ip address: 192.168.1.0/24
Branch B ip address: 172.16.1.0/24
+++ Interesting traffic from Branch A to Branch B: access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 (Note: uses the full IP address range from Branch A to Branch B)
+++ Interesting traffic from Branch B to Branch A: access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp (Note: permits only ICMP from Branch B to Branch A)
+++ Result after testing
I cannot ping from Branch A to Branch B, but I can ping from Branch B to Branch A. Could you advise me what the problem is?
Your help is very much appreciated!!!!
Regards,
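As an added illustration (not part of the original post or any reply to it): on an ASA the crypto ACL is the set of proxy identities offered in IKE Phase 2, so each peer's crypto ACL must be the exact mirror image of the other's; an initiator that proposes a broader selector than the responder's crypto ACL allows gets its Phase 2 negotiation rejected, while the narrower direction can still come up. The fragment below restricts the tunnel between the two subnets from the post to ICMP in both directions plus TCP/443 from Branch A clients to Branch B servers, with matching ACLs on both ASAs. The object names, the crypto map name OUTSIDE_MAP and the port 443 are assumptions; the rest of the crypto map (peer, transform set, interface binding) is left as already configured.

```cisco
! ===== Branch A ASA (assumed object and crypto map names) =====
object network BR-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network BR-B-LAN
 subnet 172.16.1.0 255.255.255.0
! Crypto ACL = Phase 2 proxy IDs. Only ICMP and TCP/443 (A -> B) are
! offered; everything else between the subnets is not tunnelled.
! A separate, narrower "permit ip" line is NOT needed: the ACL itself is
! the only selector the peer will accept.
access-list BrA-BrB extended permit icmp object BR-A-LAN object BR-B-LAN
access-list BrA-BrB extended permit tcp object BR-A-LAN object BR-B-LAN eq 443
crypto map OUTSIDE_MAP 10 match address BrA-BrB

! ===== Branch B ASA (assumed object and crypto map names) =====
object network BR-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network BR-B-LAN
 subnet 172.16.1.0 255.255.255.0
! Exact mirror of Branch A's ACL: same protocols, source and destination
! swapped, and the port keyword moves to the side that now holds the
! server (443 is on the Branch B side in both ACLs).
access-list BrB-BrA extended permit icmp object BR-B-LAN object BR-A-LAN
access-list BrB-BrA extended permit tcp object BR-B-LAN eq 443 object BR-A-LAN
crypto map OUTSIDE_MAP 10 match address BrB-BrA
```

After applying this on both sides, "show crypto ipsec sa" on either ASA lists one child SA per ACL line (local/remote ident with the protocol and port), which is the quickest way to confirm the two ACLs really mirror each other.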