ASA Site-to-site Filtering Web Traffic

We have a Site-to-Site VPN set up with one of our clients. We both need access to an internal website on each other's network. I am trying to set up a filter to only allow port 80 both ways. When I apply a filter only allowing port 80, I also have to open up a range of TCP ports. Why, and how do I get around opening up a range of TCP ports?

Re: ASA Site-to-site Filtering Web Traffic

Kurt,

Are you saying that the only traffic you want to open the Site-to-Site tunnel for is traffic to and from each other's web server on port 80? I don't understand what range of TCP ports you are referring to.

If there are no other addresses (networks) used for setting up the site-to-site tunnel, you could in essence change the interesting-traffic ACL associated with your tunnel.

AT HEADEND or HQ

access-list VPN-Hq2Remote ext permit tcp 192.168.200.0 255.255.255.0 gt 1024 host 192.168.100.10 eq www

AT Remote Site

access-list VPN-Remote2Hq ext permit tcp 192.168.100.0 255.255.255.0 gt 1024 host 192.168.200.10 eq www

Hope this helps,

Joe

Re: ASA Site-to-site Filtering Web Traffic

HQ

Web Server 192.168.2.2

Users 192.168.30.x

Remote site

Web Server 10.10.10.55

Users 10.10.15.x

Current tunnel

Allow only 192.168.2.2/32 and 192.168.30.0/24 to 10.10.0.0/16

ACLs I'm trying to build:

Allow 192.168.30.0 255.255.255.0 to 10.10.10.55 www

Allow 10.10.15.0 255.255.255.0 to 192.168.2.2 www

Deny all other traffic

The problem is that this allows the traffic to go over, but it blocks the connection coming back from the web server. The only solution I have found is to open a range of TCP ports coming back from the web server address.
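The symptom Kurt describes (outbound SYN gets through, the web server's reply is dropped) is what you see when the interesting-traffic ACL on one peer carries a port-level ACE and the other peer does not carry its mirror image. The ASA checks decrypted inbound packets against the crypto ACL with source and destination swapped, so the reply to `192.168.30.0/24 -> 10.10.10.55 eq www` is a packet from `10.10.10.55 eq www` back to the client's ephemeral port; the peer that sends that reply needs an ACE with port 80 on the *source* side, not a range of destination ports. The following is an added example written for this thread (not configuration posted by Kurt or Joe), applying Joe's approach to Kurt's addresses. The ACL and crypto map names (`VPN-Hq2Remote`, `VPN-Remote2Hq`, `OUTSIDE_MAP`) and the sequence number are assumptions; it also assumes the port filtering is done in the crypto ACL referenced by the crypto map, as Joe suggested.

```cisco
! Added example, not from the original thread. Names are hypothetical.
! Assumes filtering is done in the crypto (interesting-traffic) ACL.
!
! ---- HQ ASA: web server 192.168.2.2, users 192.168.30.0/24 ----
! HQ users initiating HTTP to the remote web server
access-list VPN-Hq2Remote extended permit tcp 192.168.30.0 255.255.255.0 host 10.10.10.55 eq www
! HQ web server replying to remote users: mirror of the remote site's
! initiator ACE. Source port is 80, destination is the client's ephemeral
! port, so no destination port range is needed.
access-list VPN-Hq2Remote extended permit tcp host 192.168.2.2 eq www 10.10.15.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-Hq2Remote
!
! ---- Remote ASA: web server 10.10.10.55, users 10.10.15.0/24 ----
! Remote users initiating HTTP to the HQ web server
access-list VPN-Remote2Hq extended permit tcp 10.10.15.0 255.255.255.0 host 192.168.2.2 eq www
! Remote web server replying to HQ users: mirror of the HQ initiator ACE
access-list VPN-Remote2Hq extended permit tcp host 10.10.10.55 eq www 192.168.30.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-Remote2Hq
```

Each ACE on one ASA is the exact mirror (addresses and ports swapped) of an ACE on the other, which is the requirement for both halves of every HTTP connection to be encrypted on the way out and accepted on the way in. Kurt's "deny all other traffic" line is not needed in a crypto ACL: anything that does not match a permit ACE is simply not sent through the tunnel, and decrypted traffic that matches no mirrored ACE is dropped.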
