Access rules over Site to Site VPN

sangram palande
Level 1

Hi all,

I am a network admin at an organisation in Pune. We have a site-to-site VPN with another organisation in Amsterdam.

       Pune                                                                 Amsterdam

ASA 5510(ASDM 6.3 ASA 8.3)     <------------>     ASA 5510(ASDM 6.2 ASA 8.2)

There is full (ip to ip) connectivity between two sites.

There have been numerous security attacks on the servers in Amsterdam. If the AMS network is compromised it could harm my local network.

So I want to apply Access-rules to the VPN such that only Pune site will be having full access to AMS but AMS will not be able to access resources at the Pune location.

I do not want to change the 'Bidirectional' connection type of the VPN. Also, I do not want any config on the AMS side.

I will appreciate all the help I get.

Thank you.

3 Replies

ajay chauhan
Level 7

Hi,

You can do it in two ways:

1) Stop traffic at the inside interface for Pune; permit only whatever is required.

2) Put a VPN filter ACL at AMS to stop unwanted traffic.

Thanks

Ajay

Patrick0711
Level 3

VPN filters won't really work as expected because you can't define a direction when source and destination ports aren't defined.  For example:

access-list vpn-filter permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

or

access-list vpn-filter permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

These filter rules, when applied to a group policy for your tunnel, will become bidirectional.  You can't specify which side is allowed to initiate a connection.

I would suggest (if you don't have a lot of other tunnels that will be affected) that you remove 'sysopt connection permit-vpn' and begin filtering on your outside interface to prevent inbound connections from the destination while allowing outbound connectivity from your internal interface.  Given that your outbound connections are TCP, the return traffic will be allowed since it's already in the fast path.

Thanks guys.

1. There are other VPNs on the device so cannot remove 'sysopt connection permit-vpn'.

2. Also, I cannot filter on the inside interface as I have around 20 subinterfaces inside.

3. Let's say AMS = 192.168.1.0/24 and PUNE = 172.16.1.0/24.

    If I configure the access-list

    access-list vpn-filter deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

    it will block traffic from 172.16.1.0 -> 192.168.1.0, which is not desirable.

4. It is also not feasible to filter at the port level.

I am really thankful for all the replies.
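The thread turns on one behaviour of the ASA vpn-filter: the ACL is written from the remote side (source = AMS network, destination = Pune network), it is applied as written to traffic arriving from the tunnel, and the ASA reuses the same ACL with source and destination swapped for traffic going into the tunnel. That is why Patrick0711 says the rules "become bidirectional" and why the poster's `deny ip 192.168.1.0 ... 172.16.1.0 ...` also stops Pune from reaching AMS. The model below is an added example, not code from the thread or from Cisco; it assumes that swap rule (as documented for vpn-filter) plus the implicit deny at the end of an ACL, and uses the thread's AMS/PUNE networks with constructed sample flows. It also shows the only lever a vpn-filter gives you for direction: putting a port on the remote side of a TCP rule (`permit tcp AMS eq 80 PUNE`) lets Pune initiate to AMS port 80, while AMS cannot initiate to arbitrary Pune ports, except with a source port of 80, which is the residual weakness of that trick.

```python
"""Model of how a Cisco ASA evaluates a vpn-filter ACL on a site-to-site tunnel.

Assumed behaviour (as stated in this thread and documented for vpn-filter):
  * ACEs are written from the remote side: source = remote network (AMS),
    destination = local network (Pune).
  * Traffic arriving from the tunnel is matched against the ACL as written.
  * Traffic leaving into the tunnel is matched with source and destination
    (addresses and ports) swapped, so one ACL governs both directions.
  * Every ACL ends with an implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One entry: `<action> <proto> <remote-net> [eq p] <local-net> [eq p]`."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    remote_net: str                  # source side, e.g. "192.168.1.0/24"
    local_net: str                   # destination side, e.g. "172.16.1.0/24"
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    """A single packet as seen on the wire (constructed sample data below)."""
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _matches(ace: Ace, proto: str, remote_ip: str, local_ip: str,
             remote_port: Optional[int], local_port: Optional[int]) -> bool:
    """Compare a flow that has already been oriented remote->local with one ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ip_address(remote_ip) not in ip_network(ace.remote_net):
        return False
    if ip_address(local_ip) not in ip_network(ace.local_net):
        return False
    if ace.remote_port is not None and ace.remote_port != remote_port:
        return False
    if ace.local_port is not None and ace.local_port != local_port:
        return False
    return True


def vpn_filter_decision(acl: list, flow: Flow, direction: str) -> str:
    """Return "permit" or "deny" for a flow crossing the tunnel.

    direction: "from_tunnel" (remote -> local, ACL used as written) or
               "to_tunnel"   (local -> remote, ACL used with both ends swapped).
    """
    if direction == "from_tunnel":
        remote_ip, local_ip = flow.src_ip, flow.dst_ip
        remote_port, local_port = flow.src_port, flow.dst_port
    elif direction == "to_tunnel":
        # The ASA reuses the same ACL for outbound traffic by swapping ends.
        remote_ip, local_ip = flow.dst_ip, flow.src_ip
        remote_port, local_port = flow.dst_port, flow.src_port
    else:
        raise ValueError(f"unknown direction {direction!r}")
    for ace in acl:
        if _matches(ace, flow.proto, remote_ip, local_ip, remote_port, local_port):
            return ace.action
    return "deny"  # implicit deny at the end of every ACL


# Networks from the thread: AMS = 192.168.1.0/24, PUNE = 172.16.1.0/24
AMS, PUNE = "192.168.1.0/24", "172.16.1.0/24"

# The poster's attempt: deny ip AMS PUNE, followed by a permit-any so that the
# explicit deny (not the implicit one) is what decides.
DENY_IP_FILTER = [
    Ace("deny", "ip", AMS, PUNE),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Port-based filter: only AMS *source* port 80 may reach PUNE. After the swap,
# this lets PUNE initiate to AMS port 80; nothing else crosses the tunnel.
PORT_FILTER = [
    Ace("permit", "tcp", AMS, PUNE, remote_port=80),
]

# Constructed sample flows (hypothetical hosts inside the thread's networks)
AMS_TO_PUNE = Flow("tcp", "192.168.1.10", "172.16.1.20", 40000, 22)   # AMS opens SSH to Pune
PUNE_TO_AMS = Flow("tcp", "172.16.1.20", "192.168.1.10", 50000, 80)   # Pune opens HTTP to AMS
AMS_REPLY   = Flow("tcp", "192.168.1.10", "172.16.1.20", 80, 50000)   # AMS reply to the above
AMS_SPOOF80 = Flow("tcp", "192.168.1.10", "172.16.1.20", 80, 22)      # AMS SYN with sport 80

if __name__ == "__main__":
    for name, acl in (("deny-ip filter", DENY_IP_FILTER), ("port filter", PORT_FILTER)):
        print(name)
        print("  AMS -> PUNE:22        ", vpn_filter_decision(acl, AMS_TO_PUNE, "from_tunnel"))
        print("  PUNE -> AMS:80        ", vpn_filter_decision(acl, PUNE_TO_AMS, "to_tunnel"))
        print("  AMS:80 reply to PUNE  ", vpn_filter_decision(acl, AMS_REPLY, "from_tunnel"))
        print("  AMS sport 80 -> PUNE:22", vpn_filter_decision(acl, AMS_SPOOF80, "from_tunnel"))
```

Under the deny-ip filter both `AMS -> PUNE` and `PUNE -> AMS` come back "deny", which is exactly the outcome the poster objects to. Under the port filter Pune's HTTP request and AMS's reply are permitted and AMS's SSH attempt is denied, but the spoofed SYN with source port 80 is also permitted: a vpn-filter with a port gives you a direction only to the extent that the remote side does not choose its source ports, which is why the thread treats port-level filtering as the one option left and why the poster's constraint against it leaves no vpn-filter-only answer.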
