Remote A VPN (bind source and destination peer ip)

tabish bhat
Level 1

Hi All,

I am accessing my office network through RAS VPN, as I have a static IP on my home modem. Now I want to create an access-list so that I should be able to access my office network through that static IP only. I tried the ACLs given below on my office firewall, but it did not work for me.

Example:

access-list 101 permit udp host 10.0.0.1 interface outside eq 500
access-list 101 permit esp host 10.0.0.1 interface outside
access-group 101 in interface outside

Any idea,

Thanks in advance

Regards

Tash

6 Replies

a.matahen
Level 1

Hello Tash,

By default, all encrypted traffic bypasses the interface access-list, as per the command:

sysopt connection permit-vpn

Which is not visible in "show run", but you can see it with "show run all".

Disable it and then you will be able to control the VPN based on the ACL. Keep in mind, if you are using the IPsec Remote Access VPN Client, you will need to open UDP port 4500.

HTH

AMatahen

Hi AMatahen,

Thanks for your prompt reply.

I tried to access the RAS VPN from a different source IP (different service provider), but I am still able to reach the outside interface of the firewall, and I could not see any hit count on the applied access-list.

Regards

Tash

Hello Guys,

Tash, so you say that now you purchased a static IP for your home and now you want your ASA to only accept that IP. You are using the Cisco VPN Client, right?

Amatahen, you are right, the sysopt connection permit-vpn will allow the encrypted traffic to bypass the access-group, but this is not encrypted traffic but negotiation traffic; since this is AM we're going to use 3 packets (UDP 500, but if any side is behind NAT, packets #2 and #3 will go in UDP 4500 instead of 500).

The access-group filters through-the-box traffic, NOT to-the-box traffic, so in order to accomplish this you would need to create an access-group allowing your home IP, but the trick is that your access-group must be configured with the control-plane keyword at the end. Be careful: you will also need to allow SSH, HTTPS, etc., depending on the services you are running on that device.

Regards,
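As an added illustration of the control-plane ACL described in this reply (an example configuration written for this page, not posted by Gustavo and not taken from Cisco documentation; 203.0.113.10 is an assumed placeholder for the home static IP and the ACL name is arbitrary):

```text
! Added example, not from the thread: only the home static IP (placeholder
! 203.0.113.10) may negotiate IKE/IPsec with the outside interface.
access-list OUTSIDE_CP_IN remark IKE, NAT-T and ESP from the home static IP only
access-list OUTSIDE_CP_IN extended permit udp host 203.0.113.10 interface outside eq 500
access-list OUTSIDE_CP_IN extended permit udp host 203.0.113.10 interface outside eq 4500
access-list OUTSIDE_CP_IN extended permit esp host 203.0.113.10 interface outside
! Once the control-plane ACL is applied, management to the box must be
! permitted explicitly too (placeholder admin address reused here).
access-list OUTSIDE_CP_IN remark management from the admin host
access-list OUTSIDE_CP_IN extended permit tcp host 203.0.113.10 interface outside eq ssh
access-list OUTSIDE_CP_IN extended permit tcp host 203.0.113.10 interface outside eq https
!
! The control-plane keyword makes this ACL apply to to-the-box traffic.
access-group OUTSIDE_CP_IN in interface outside control-plane
```

After applying it, "show access-list OUTSIDE_CP_IN" should show hit counts rising on the permit lines when the client connects from the allowed address, while negotiation attempts from any other source fall to the implicit deny at the end of the ACL.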

Hi Gustavo,

Thanks for your reply. That's exactly what I want. Now could you please provide me the command structure for the same, as I have used the commands given below, but it did not work for me:

access-list 101 permit udp host 10.0.0.1 interface outside eq 500
access-list 101 permit esp host 10.0.0.1 interface outside
access-group 101 in interface outside

Hence the traffic is to the firewall, not through it. So how can I bind it with control-plane traffic?

Awaiting your reply.

Regards

Tash.

Thanks a ton, Gustavo... Got it...

Regards

Tash

Gustavo Medina
Cisco Employee

Cool!! Glad to know it worked!
