Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4505
Views
0
Helpful
7
Replies

ASA 8.3 VPN access-rules

Go to solution
BigG@servebase
Level 1
Level 1

‎10-01-2010 01:23 AM

Hi, I've recently purchased an ASA 5520 to use as a VPN gateway for multiple site to site VPN tunnells. I've upgraded to version 8.3 and set up a lab environment. I have set up a simple VPN with a general permit ip rule to stert with and everything works fine. I am having trouble tightenign up the access now, if I change the access on the ASA to ICMP I can ping both ways, if I add tcp I can telnet from a workstation on the other end of the VPN, but if I change the tcp to telnet I cannot connect. the other end on the VPN is a cisco 2620XM and I match the access lists for each of the changes. I also don't quite get the direction in the ASA access list, it seems that if I want to permit tcp access from the remote host to the host behind the ASA I have to have the host behind the ASA as the source, it seems backwards??? Can any one shed any light on this? much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to BigG@servebase

‎10-01-2010 04:19 AM

Yes, you are supposed to only configure "IP" for your crypto ACL (ACL applied to your crypto map), and crypto ACL supposed to mirror image on each peer, hence when you change it to specific TCP/UDP ports, it doesn't mirror image to the other side/peer anymore.

I thought you are using ACL applied to "vpn-filter".

But from the previous post, you actually configure ACL on each interfaces.

The above are 3 different ACL that you applied differently (crypto ACL --> apply to crypto map, vpn ACL --> apply to vpn-filter, and your normal interface ACL).

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-01-2010 01:41 AM

Are you configuring VPN-filter ACL?

VPN-filter is predominantly meant to be for remote access vpn filtering policy, so the direction of the ACL would be from remote end towards the local LAN.

If you are using the VPN-filter for L2L VPN tunnel, I would suggest the following:

- To allow/block traffic from remote towards local LAN, use the VPN-filter feature

- To allow/block traffic from local LAN towards remote LAN, use the ACL on your LAN (inside) interface.

0 Helpful

Go to solution
BigG@servebase
Level 1
Level 1
In response to Jennifer Halim

‎10-01-2010 02:43 AM

Hi, thanks. What I've now done is permit ip local ----> remote any on the the VPN ACL's and then put more grandular ACE's in the ACL's on the interfaces. this works well for me as the VPN can be brought up for any reason but access to my servers is tied down to the specific ports I need.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to BigG@servebase

‎10-01-2010 03:21 AM

Can you please share your ACL and advise which ACE is not working?
And also who is trying to initiate connection towards which side? eg: remote is trying to telnet to local LAN, etc.

0 Helpful

Go to solution
BigG@servebase
Level 1
Level 1
In response to Jennifer Halim

‎10-01-2010 03:43 AM

I think you mis understood my previous reply. I actually have it working now by making an ip any on the VPN acl as follows;

access-list outside_b2b_vpn_1_cryptomap extended permit ip object prod_lan object remotesite1_1918NET

and the applying port specific access lists to my interfaces as follows;

Providing access in from the WAN interface with the "outside_b2b_access_in" ACL

access-list outside_b2b_vpn_access_in extended permit icmp object-group vpn_remote_hosts object LBIP_1918 object-group icmp_permitted
access-list outside_b2b_vpn_access_in extended permit tcp object-group vpn_remote_hosts object LBIP_1918 eq telnet

Provide access out the LAN interface with the "inside_cp_link_access_out" ACL

access-list inside_cp_link_access_out extended permit icmp object-group vpn_remote_hosts object LBIP_1918 object-group icmp_permitted
access-list inside_cp_link_access_out extended permit tcp object-group vpn_remote_hosts object LBIP_1918 eq telnet

This works.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to BigG@servebase

‎10-01-2010 04:19 AM

Yes, you are supposed to only configure "IP" for your crypto ACL (ACL applied to your crypto map), and crypto ACL supposed to mirror image on each peer, hence when you change it to specific TCP/UDP ports, it doesn't mirror image to the other side/peer anymore.

I thought you are using ACL applied to "vpn-filter".

But from the previous post, you actually configure ACL on each interfaces.

The above are 3 different ACL that you applied differently (crypto ACL --> apply to crypto map, vpn ACL --> apply to vpn-filter, and your normal interface ACL).

0 Helpful

Go to solution
BigG@servebase
Level 1
Level 1
In response to Jennifer Halim

‎10-01-2010 04:28 AM

Thanks Jennifer, it all makes sense now.

On another point, do you have any recommendations on monitoring traffic in the CLI. This firewall will be a very busy VPN gateway with approximately 300 site to site VPN tunnels so I'm looking for any info regarding filtering log output or possibly traffic capture to make future troubleshooting easier. You can imagine the log output once this is in production would be a nightmare if I cannot filter out only the detail I need. Any suggestions would be great.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to BigG@servebase

‎10-01-2010 04:36 AM

A few "show" output if you would like to check on specific peer:

show cry isa sa | i

show cry ipsec sa peer

show vpn-sessiondb detail l2l

The "show vpn-sessiondb" command can be more specific, please find the following command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s7.html#wp1306284

Good tip, use the packet tracer feature, and it would go through each packet flow, and will tell you where the problem is exactly.

Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents