Re: ASA Site-to-site Filtering Web Traffic

Kurt Weeks · ‎12-24-2009

We have a Site-to-Site VPN set up with one of our clients. We both need access to an internal website each others network. I am trying to set up a filter to only allow port 80 both ways. When I apply a filter only allowing port 80, I also have to open up a range of TCP port. Why and how to get around opening up range of TCP ports.

jsanchez · ‎12-24-2009

Kurt,

Are you saying that the only traffic that you want to open the Site-to-Site tunnel is traffic to and from each others WebServer on port 80? I don't understand what Range of TCP ports you are referring to?

If there are no other addresses (networks) used for settting up the site-to-site tunnel you could in essence change the interesting traffic ACL associated to your Tunnel.

AT HEADEND or HQ

access-list VPN-Hq2Remote ext permit tcp 192.168.200.0 255.255.255.0 gt 1024 host 192.168.100.10 eq www

AT Remote Site

access-list VPN-Remote2Hq ext permit tcp 192.168.100.0 255.255.255.0 gt 1024 host 192.168.200.10 eq www

Hope this helps,

Joe

Kurt Weeks · ‎12-28-2009

HQ

Web Serve 192.168.2.2

Users 192.168.30.X

Remote site

Web Server 10.10.10.55

Users 10.10.15.X

Current tunnel

Allow only 192.168.2.2/32 And 192.168.30.0/24 to 10.10.0.0\16

ACL's I'm trying to build.

Allow 192.168.30.0 255.255.255.0 to 10.10.10.55 www

Allow 10.10.10.15.0 255.255.255.0 to 192.168.2.2 www

Deny all other traffic

The problem is that this allows the traffic to go over, but it block the connection coming back from the web server. The only solution I have found it to open a range of TCP coming back from the web server address.