Cisco Support Community
Community Member

Limiting Remote Traffic in a Site-to-Site VPN

I have a Site-to-Site VPN set up in a lab environment using two ASA5505s. The Site-to-Site VPN is functional; however, what I wanted to do is deny all traffic from the Remote LAN and permit only one host to access the local LAN. Is this practical, or can it be done? If so, what am I missing, given that the following ACLs do not seem to have any effect?

Remote LAN: 172.16.1.0/24
Local LAN: 192.168.1.0/24

access-list outside_access_in extended permit tcp host 172.16.1.100 host 192.168.1.100 range 5000 10000
access-list outside_access_in extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_access_in in interface outside


Appreciate any help anyone can give.


Accepted Solutions

Limiting Remote Traffic in a Site-to-Site VPN

Hi tsabsuavyaj,

By default, the command sysopt connection permit-vpn is enabled which will bypass your referenced interface access-list for all VPN traffic.

To resolve this, you can either:

  • Execute the command no sysopt connection permit-vpn. Exercise caution with this, as it has global effect meaning that it will interrogate interface ACLs for all incoming VPN traffic.
  • Change your proxy-ACL (aka Interesting traffic ACL) so that your remote-network is simply the host address that you'd like to have access to your network. By doing this, nothing else will be routed via your L2L tunnel from the remote-end. This ACL must be mirrored on the other side (remote side), so that proxy-ACL will need to change so that its "Local LAN" portion is only the appropriate host and nothing else.

Please let me know if you have additional questions/clarifications.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
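Kevin's first option written out as a configuration, added here as an example and not taken from the original post. The peer address 203.0.113.2 and the crypto ACL name are assumptions; the hosts, subnets and port range are the ones from the question.

```cisco
! Added example, not from the original thread. Assumes the remote peer is
! 203.0.113.2 and keeps the question's addressing (172.16.1.0/24 remote,
! 192.168.1.0/24 local).
!
! 1. Stop VPN traffic from bypassing interface ACLs. This is global: every
!    L2L and remote-access tunnel on this ASA is now subject to the ACL of
!    the interface its decrypted traffic arrives on.
no sysopt connection permit-vpn
!
! 2. The crypto (proxy) ACL stays at full subnet-to-subnet, so the remote
!    peer needs no change and rekeys keep matching.
access-list VPN-INTERESTING-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
! 3. The outside interface ACL now decides what decrypted traffic may enter.
!    Only 172.16.1.100 may reach 192.168.1.100 on TCP 5000-10000; the
!    logged deny makes dropped tunnel traffic visible in syslog (106023).
access-list outside_access_in extended permit tcp host 172.16.1.100 host 192.168.1.100 range 5000 10000
access-list outside_access_in extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-group outside_access_in in interface outside
!
! Verification: confirm the sysopt is off, watch hit counts climb on the
! permit line while testing from 172.16.1.100, and check that decaps on the
! SA still increase (the tunnel is up; the ACL, not IPsec, is dropping).
show running-config all sysopt
show access-list outside_access_in
show crypto ipsec sa peer 203.0.113.2
```

The interface ACL is only evaluated for traffic entering the outside interface, so this restricts what the remote side can initiate; sessions that 192.168.1.0/24 starts toward the remote LAN still go out unless the inside interface carries an ACL of its own. Note also that the ACL above permits nothing but that TCP range, so an ICMP ping from the remote side is denied even though the tunnel is up, which is easy to mistake for the tunnel itself having failed.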
Silver

Limiting Remote Traffic in a Site-to-Site VPN

I would suggest you to configure vpn-filters to restrict the hosts across lan to lan tunnel.

For more information, you can go through below link:-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Please let me know if it helps.

Regards,

Naresh
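The vpn-filter approach Naresh refers to, as an added example that is not part of the original thread. The peer address 203.0.113.2, the group-policy name and the filter ACL name are assumptions; the hosts and port range are taken from the question.

```cisco
! Added example, not from the original thread. Assumes the L2L peer is
! 203.0.113.2; host addresses and port range are taken from the question.
!
! A vpn-filter ACL is written with the REMOTE side as source and the LOCAL
! side as destination. The ASA applies it as written to traffic leaving the
! tunnel, and with source and destination swapped to traffic entering the
! tunnel, so one ACE covers both directions of a flow.
access-list L2L-VPN-FILTER extended permit tcp host 172.16.1.100 host 192.168.1.100 range 5000 10000
! Implicit deny at the end: every other remote host, and every other
! protocol, is dropped after decryption without touching the crypto ACL.
!
! Attach the filter through a group-policy and make it the default policy
! for the L2L tunnel-group (the tunnel-group name is the peer IP).
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value L2L-VPN-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-GP
!
! The crypto ACL is left at subnet-to-subnet, so nothing changes on the
! remote peer and rekeys still match.
access-list VPN-INTERESTING-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
! Verification: hit counts on the filter ACE, and the policy bound to the
! peer once the tunnel is up.
show access-list L2L-VPN-FILTER
show vpn-sessiondb l2l
```

Because the port range is written against the local host, a connection that 192.168.1.100 initiates toward 172.16.1.100 is checked with the ports swapped and only passes if its ephemeral source port happens to fall in 5000-10000; in practice this filter permits remote-initiated sessions to that port range and little else, which is the behaviour the question asks for. sysopt connection permit-vpn stays enabled, so the outside interface ACL is still not consulted for tunnel traffic and any other tunnels on the box are unaffected.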

Community Member

Re:Limiting Remote Traffic in a Site-to-Site VPN

Thanks for referencing the document. It looks close to what I am after, but I am not sure, as Cisco's documentation is difficult to follow.


Community Member

Limiting Remote Traffic in a Site-to-Site VPN

Kevin,

I appreciate your explanation; this makes perfect sense. However, this task appears to be more trouble than it is worth. I will give it a shot and call it a day.

Many thanks,

Tsabsuavyaj

Community Member

Re: Limiting Remote Traffic in a Site-to-Site VPN

Kevin,

Executing the command no sysopt connection permit-vpn disables all VPN traffic completely. However, just changing the proxy-ACL as you stated in the second bullet above works perfectly.

Example:

object network obj-local
 subnet 192.168.1.100 255.255.255.255
object network obj-remote
 subnet 172.16.1.100 255.255.255.255
access-list VPN-INTERESTING-TRAFFIC extended permit ip object obj-local object obj-remote
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

Many thanks,

Tsabsuavyaj

Limiting Remote Traffic in a Site-to-Site VPN

Yes, that first option can have a significant impact, because all VPN communications must then be explicitly allowed in the outside interface's ACL in order to traverse the ASA.

I'm glad that the second option worked well for you. Please note that if you haven't changed the distant-end of your L2L vpn to reflect your proxy-ACL change on your side then you may experience reliability issues with your VPN. Specifically, when the VPN goes to rekey the ACLs won't match and the VPN could go down as a result.

We're here if you need additional help.

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349