
New Member

asymmetric access control in site to site vpn

Hi,

I'm trying to set up a site to site VPN between my two ASA 5510 ver 8.3. Both site A and site B can access each other without any problem. Is it possible to configure the site A firewall so that site A can fully access site B but site B can only access a subset of traffic to site A?

I have tried the following at site A, but it wouldn't stop the traffic from site B:

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

Thanks,

Simon

22 REPLIES

Re: asymmetric access control in site to site vpn

Your ACL is in the wrong direction. It would be best to write an ACL for the "inbound" on the inside interface on site B, to deny what you do not want them to do, and permit everything else.

HTH>

New Member

Re: asymmetric access control in site to site vpn

For testing, you could also check the acl defined on the crypto map on both sides as part of the interesting traffic that will flow over the tunnel.

New Member

Re: asymmetric access control in site to site vpn

acl for "inbound" works only from site B.

Is there any way at site A to specify the traffic to accept from site B?

Thanks,

Simon

New Member

Re: asymmetric access control in site to site vpn

Simon,

Another way to do that will be using VPN Filter ACL. You can use this link as reference:

http://www.cisco.com/application/pdf/paws/99103/pix-asa-vpn-filter.pdf

The Filter will work just locally in the ASA that has this set up. This will allow or drop the traffic that is coming from site B to site A.

**** Note: Please be sure you create the ACL in the correct way (Source as destination and destination as source, see link above).
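Added example, not from this thread or from the Cisco document linked above: a vpn-filter configuration for site A written the way Walter describes, with the remote network as source and the local network as destination. It uses the subnets Simon posts later in the thread (remote-lan 172.16.3.0/24 at site B, ktm-lan 172.16.6.0/24 at site A); the ACL and group-policy names and the peer address 203.0.113.2 are assumed placeholders, and the syntax is ASA 8.3.

```cisco
! Added example (not from the thread). Assumed: remote-lan 172.16.3.0/24 at site B,
! ktm-lan 172.16.6.0/24 at site A, site B peer 203.0.113.2 (placeholder), ASA 8.3.
!
! vpn-filter ACL: the ASA evaluates it with the REMOTE network as source and the
! LOCAL network as destination, so "RDP from site B to ktm-lan" is written as below.
access-list VPNFILTER-SITEB extended permit tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
! Anything the ACL does not match is dropped by its implicit deny.
!
! Attach the filter to the group policy used by the site-to-site tunnel-group.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPNFILTER-SITEB
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITEB
!
! Verify from enable mode that the filter is attached and that its entries see hits:
! show running-config group-policy GP-SITEB
! show access-list VPNFILTER-SITEB
```

The filter acts only on the ASA where it is configured; site B's own policy is untouched. Note that the ASA consults a vpn-filter for traffic leaving the tunnel and for traffic about to enter it, so a line that permits ip between two whole subnets permits it in both directions; a requirement such as "this local network may reach the remote site, but the remote site may not reach it" cannot be expressed with a vpn-filter alone.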

New Member

Re: asymmetric access control in site to site vpn

Hi Walter,

I think this is what I needed, I'll try it out.

Thanks very much for your help.

Simon.

New Member

Re: asymmetric access control in site to site vpn

Hi Walter,

vpn-filter is no good for my situation, it's still basically bi-directional. I achieve fully asymmetric control by using "no sysopt connection permit-vpn" together with an ACL on my outside interface. However, I feel uncomfortable about using private addresses on the outside interface. Do you know if there is any security risk of doing this?

Thanks,

Simon

Re: asymmetric access control in site to site vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn

command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

Suppose I don't trust the remote site, is it possible to configure the "local" firewall to allow all outgoing traffic but deny all incoming traffic by using group policy and per-user access lists?

Thanks,

Simon

Re: asymmetric access control in site to site vpn

Yes

A Group-policy ACL

A Interface ACL

As previously described in this thread.

HTH>

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

Sorry, I'm confused. Were you referring to your email on June 29 of writing an acl for the inbound on the inside interface on the remote site to stop traffic to site a?

Thanks,

Simon

Re: asymmetric access control in site to site vpn

That is a possibility; listen, you have various options available to you. I personally restrict traffic as close to the "source" as possible; this helps me troubleshoot.

Since you actually want to restrict traffic once it has arrived at site A, you have 2 options.

1) Filter the "inbound" traffic from site B via an acl on the VPN profile after it's decrypted @ site A

2) Filter the "inbound" traffic from site B via an ACL and apply it on the "inside" interface in the "outbound" direction.

HTH>

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

Is option (1) using vpn-filter?

I did try option (2) but it wouldn't stop any traffic. What I did was as follows in site A:

   access-list inside_access_out extended deny ip any any

   access-group inside_access_out out interface inside

Am I missing something?

Thanks,

Simon

Re: asymmetric access control in site to site vpn

Hi Simon,

As previously posted - VPN Filter http://www.cisco.com/application/pdf/paws/99103/pix-asa-vpn-filter.pdf

Can you post your complete config of what you tried? There may be a typo that is tripping you up.

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

Please find attached my configurations.

I have two local networks maxbel-lan and ktm-lan. I am trying to

- allow all traffic from maxbel-lan to remote-site

- stop all traffic from remote-site to maxbel-lan

- allow only rdp from ktm-lan to remote-site

- allow only rdp from remote-site to ktm-lan

I tried the following for testing, but it wouldn't stop traffic from remote-site to ktm-lan:

  access-list ktm-lan_access_out extended deny ip any any

  access-group ktm-lan_access_out out interface ktm-lan

Thanks,

Simon

New Member

Re: asymmetric access control in site to site vpn

Hi Simon,

I think Andrew pointed you in the right direction, but you need the "no" statement before "sysopt connection permit-vpn".

This stops all VPN traffic unless you specify an access-list.

Regards,

Gaston Bougie
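Added example, not from this thread: the "no sysopt connection permit-vpn" approach Gaston refers to, written for site A in ASA 8.3 syntax. The subnets are the ones Simon posts (remote-lan 172.16.3.0/24 at site B, ktm-lan 172.16.6.0/24 at site A); the ACL name and the interface name "outside" are assumptions.

```cisco
! Added example (not from the thread). Assumed: outside interface named "outside",
! remote-lan 172.16.3.0/24 (site B), ktm-lan 172.16.6.0/24 (site A), ASA 8.3.
!
! With "sysopt connection permit-vpn" in effect (the default), decrypted tunnel
! traffic is not checked against interface ACLs at all, which is why an ACL on
! the ktm interface shows no hits. Turning it off makes every interface ACL apply.
! This setting is global: it affects every VPN terminating on this ASA.
no sysopt connection permit-vpn
!
! Inbound ACL on the outside interface: packets from site B are checked here after
! decryption, like any other arriving packet, so only what is permitted can open
! a connection into site A.
access-list OUTSIDE-IN extended permit tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
! Any existing rules for Internet-facing services must be kept in this same ACL,
! because "access-group" replaces whatever ACL the interface had. The implicit
! deny at the end drops every other connection attempt from site B.
access-group OUTSIDE-IN in interface outside
!
! Confirm that the hit counters now move when site B sends traffic:
! show access-list OUTSIDE-IN
```

Interface ACLs on the ASA are stateful: a connection that site A opens towards site B is checked by the inside interface's policy, and its return packets are matched by the connection table rather than by OUTSIDE-IN. That is what makes the control asymmetric here: site A can initiate anything its inside policy allows, while site B can initiate only the RDP flow listed above.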

New Member

Re: asymmetric access control in site to site vpn

Hi Gaston,

I did get it to work using "no sysopt connection permit-vpn" but the acl needs to be applied to the outside interface. I feel so uncomfortable allowing access from the outside interface and I am looking for an alternate solution.

Thanks,

Simon

Re: asymmetric access control in site to site vpn

I have checked your config, and you are not filtering or blocking any traffic from the VPN to the LAN.

Do you want to block VPN traffic from the TrustPoint1 VPN?

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

Yes, I would like to block VPN traffic from other site to the LAN. Can you please let me know how I can do it?

Thanks,

Simon

Re: asymmetric access control in site to site vpn

Well considering it's an "inside" interface I would do something like:-

access-list inside-out deny tcp > <> eq <>

access-list inside-out deny udp > <> eq <>

access-list inside-out permit ip any any

access-group inside-out out interface inside

Restrict what you don't want them to do - then permit everything else.  Remember this is placed on the "outbound" on the interface, so you do need the permit IP any any, otherwise nothing else will be allowed onto the LAN!

HTH>

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

I just tried the following but it wouldn't stop the traffic:

access-list ktm_access_out deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out permit ip any any
access-group ktm_access_out out interface ktm

Actually, running-config shows them as

access-list ktm_access_out extended deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out extended permit ip any any

access-group ktm_access_out out interface ktm

The acl is not triggered at all according to the log.

Thanks,

Simon

Re: asymmetric access control in site to site vpn

Try removing the objects in the ACL and use specific IP subnets using the correct notation.

New Member

Re: asymmetric access control in site to site vpn

Hi Andrew,

I tried the following but it still doesn't work.

access-list ktm_access_out deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-group ktm_access_out out interface ktm

When I run show running-config, they became

access-list ktm_access_out extended deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out extended permit ip any any
access-group ktm_access_out out interface ktm

Mine is an ASA 5510 at ver 8.31.

Thanks,

Simon
