Cisco Support Community
New Member

Access rules over Site to Site VPN

Hi all,

I am Network admin at an organisation in Pune. We have a site-to-site VPN with another organisation in Amsterdam.

Pune                                        Amsterdam

ASA 5510 (ASDM 6.3, ASA 8.3)  <------------>  ASA 5510 (ASDM 6.2, ASA 8.2)

There is full (ip to ip) connectivity between two sites.

There have been numerous security attacks on the servers in Amsterdam. If the AMS network is compromised it could harm my local network.

So I want to apply access rules to the VPN such that only the Pune site will have full access to AMS, but AMS will not be able to access resources at the Pune location.

I do not want to change the 'Bidirectional' connection type of the VPN. Also, I do not want any config on the AMS side.

I will appreciate all the help I get.

Thank you.

3 REPLIES

Access rules over Site to Site VPN

Hi,

You can do it two ways:

1) Stop traffic at the inside interface for Pune; permit only whatever is required.

2) Put a VPN filter ACL at AMS to stop unwanted traffic.

Thanks

Ajay

Bronze

Access rules over Site to Site VPN

VPN filters won't really work as expected because you can't define a direction when source and destination ports aren't defined. For example:

access-list vpn-filter permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

or

access-list vpn-filter permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

These filter rules, when applied to a group policy for your tunnel, will become bidirectional. You can't specify which side is allowed to initiate a connection.

I would suggest (if you don't have a lot of other tunnels that will be affected) that you remove 'sysopt connection permit-vpn' and begin filtering on your outside interface to prevent inbound connections from the destination while allowing outbound connectivity from your internal interface.  Given that your outbound connections are TCP, the return traffic will be allowed since it's already in the fast path.
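The two approaches discussed in the replies above (a vpn-filter on the tunnel's group policy, and removing 'sysopt connection permit-vpn' so the outside interface ACL applies to decrypted traffic), written out as ASA 8.3 configuration for the Pune ASA. This is an added example and not configuration posted in this thread; the peer address 203.0.113.1, the object-group, ACL and group-policy names, and the choice of tcp/443 as the single permitted service are assumptions for illustration.

```cisco
! Added example (not from the original thread). Pune ASA 5510, ASA 8.3.
! Goal: Pune may initiate to AMS; AMS may not initiate to Pune.
! 203.0.113.1 (AMS peer), object/ACL/policy names and tcp/443 are assumed.
object-group network AMS-LAN
 network-object 192.168.1.0 255.255.255.0
object-group network PUNE-LAN
 network-object 172.16.1.0 255.255.255.0

! ---- Option 1: vpn-filter on the tunnel's group policy ----
! A vpn-filter ACL is written with the remote (AMS) network as source and the
! local (Pune) network as destination. The ASA evaluates Pune -> AMS traffic
! against the same ACL with source and destination swapped, so every line is
! symmetric: "deny ip object-group AMS-LAN object-group PUNE-LAN" would drop
! both directions. Pinning the AMS-side port is the only lever on direction:
! this line lets AMS hosts speak only from tcp/443, i.e. answer Pune-initiated
! HTTPS, and (swapped) lets Pune reach AMS on tcp/443 only.
access-list AMS-VPN-FILTER extended permit tcp object-group AMS-LAN eq 443 object-group PUNE-LAN
! Caveat: an AMS host that sources its own connection from port 443 still
! matches this line and can reach any Pune port. Everything else is dropped
! by the implicit deny at the end of the ACL.
group-policy AMS-GP internal
group-policy AMS-GP attributes
 vpn-filter value AMS-VPN-FILTER
tunnel-group 203.0.113.1 general-attributes
 default-group-policy AMS-GP

! ---- Option 2: drop the VPN bypass, filter on the outside interface ----
! Once "sysopt connection permit-vpn" is removed, decrypted traffic from EVERY
! tunnel and remote-access session on this ASA is checked against the outside
! interface ACL, so each other tunnel needs its own permit lines in OUTSIDE-IN
! before this is applied.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended deny ip object-group AMS-LAN object-group PUNE-LAN
! (permit lines for the other tunnels and Internet-facing services go here)
access-group OUTSIDE-IN in interface outside
! Pune -> AMS sessions enter on the inside interface and are recorded in the
! connection table, so their return packets pass regardless of OUTSIDE-IN;
! only AMS-initiated connections are refused.
```

Option 1 is directional only to the extent that you are willing to name the services, which the original poster later rules out; Option 2 is the approach the poster cannot use because other tunnels share the device and would lose their bypass at the same time.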

New Member

Access rules over Site to Site VPN

Thanks guys.

1. There are other VPNs on the device, so I cannot remove 'sysopt connection permit-vpn'.

2. Also, I cannot filter on the inside interface as I have around 20 subinterfaces inside.

3. Let's say AMS = 192.168.1.0/24 and PUNE = 172.16.1.0/24.

    If I configure access-list,

    access-list vpn-filter deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

    It will block traffic from 172.16.1.0 -> 192.168.1.0, which is not desirable.

4. It is also not feasible to filter at the port level.

I am really thankful for all the replies.
