New Member

Restrict Site-To-Site Access.

Hi there.

Got a very simple Site to Site VPN setup.

LAN1, 172.16.0.0/24 |----ASA-----------------| INTERNET |-----------------ASA----|192.168.0.0/24, LAN2

Is it somewhat possible to restrict access from LAN1 -> LAN2 over the VPN?

How is this done? And on which unit is the ACL placed? Both ends?

Say I have HostA on LAN1 that wants to access HostB on LAN2 on port 80.

And say I have HostB on LAN2 that wants to access HostA on LAN1 on port 443.

By default, as far as I know, all access is allowed.

Thanks!

9 REPLIES
Bronze

Re: Restrict Site-To-Site Access.

Hi,

Yes, it is possible to limit access, but it depends on how your ASA is configured. I think by default the option "sysopt connection permit-vpn" is enabled, so any traffic passed through the tunnel and decrypted on the remote site is allowed and bypasses ACL control.

If you disable this option, it starts to control traffic by the ACLs defined in your ASA boxes.

Also, the "interesting" traffic which should be encrypted and pass through the tunnel is specified in the crypto map.

Please see this link, which describes the sysopt option:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html

Best regards,

Jan

New Member

Restrict Site-To-Site Access.

Hi Jan.

ATM the crypto map is just basic:

access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks

Would the best solution be to only allow the specific traffic in the crypto map ACL, if this is possible at all?

Or to have a separate VPN-FILTER acl?

Regards,

Søren

Bronze

Re: Restrict Site-To-Site Access.

Hi Søren,

Because there are mostly problems with configuring L2L tunnels, and the crypto map and other things must match to establish the IPsec tunnel, I would leave your crypto map simple.

You can use VPN-FILTER, but I would disable sysopt connection permit-vpn and then create an ACL for the specific traffic.

HTH,

Jan

New Member

Re: Restrict Site-To-Site Access.

Hi Jan.

Great, that was my initial thought.

But I'm not sure how to implement this ACL.

I've read in some places that the ACL needs to be placed on the "outside" interface?

And I've read in other places that it needs to be placed under the tunnel-group?

Here is my config if that may help:

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.3 255.255.255.0
!
object-group network all_networks
 network-object 172.16.0.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
object-group network inside_networks
 network-object 172.16.0.0 255.255.255.0
object-group network remote_networks
 network-object 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip object-group inside_networks object-group all_networks
access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key xxxxx

Of course edited from the real config.

Bronze

Re: Restrict Site-To-Site Access.

Hi Søren,

You already have an ACL applied on the outside interface with this command:

access-group outside_access_in in interface outside

And the ACL is:

access-list outside_access_in extended permit icmp any any

In this case you have permitted just ping.

So when you add the next rules in ACL outside_access_in which match the traffic in your L2L tunnel, it should work.

Regards,

Jan

New Member

Re: Restrict Site-To-Site Access.

Hi Jan.

I'm aware of that, it's just that Cisco's site states the following:

"An ACL that is used for a vpn-filter must not also be used for an interface access-group."

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,

Søren

Bronze

Re: Restrict Site-To-Site Access.

Yes, you are right, but I am talking about a normal ACL without using vpn-filter and with sysopt disabled.

So if you want to use vpn-filter, do it like the document describes.

Regards,

Jan

New Member

Restrict Site-To-Site Access.

Hi Jan.

Ah okay.

So it would actually be possible to use my outside_access_in to define VPN traffic with sysopt disabled?

Regards,

Søren

Bronze

Restrict Site-To-Site Access.

Hi Søren,

Yes, it is possible to use your existing ACL. Please notice that traffic from LAN1 to LAN2 has to be permitted or denied on ASA2, and also if you want to limit traffic from LAN2 to LAN1 you have to modify the ACL on ASA1, because it is incoming traffic from outside to inside.

Regards,

Jan

Please rate my posts if you consider they are helpful
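Written out as an added example (not posted by Jan or Søren), here is what Jan's final answer looks like for the two flows in the original question, followed by the vpn-filter alternative from the Cisco document Søren linked. The host addresses 172.16.0.10 (HostA) and 192.168.0.10 (HostB) are constructed placeholders inside the two LANs, ASA2 is assumed to mirror Søren's interface and ACL names, and the names l2l_vpn_filter and L2L_POLICY are made up for this example.

```cisco
! ===== Option 1 (Jan's recommendation): interface ACLs, sysopt disabled =====
! --- ASA1 (LAN1 side, 172.16.0.0/24) ---
! Decrypted tunnel traffic no longer bypasses the outside interface ACL.
no sysopt connection permit-vpn
! LAN2 -> LAN1 flows arrive decrypted on "outside", so they are filtered
! here. Only HostB -> HostA on 443 is needed; replies to HostA's own
! port-80 sessions are allowed by stateful inspection, not by an ACL line.
access-list outside_access_in extended permit tcp host 192.168.0.10 host 172.16.0.10 eq 443
! Existing line from the posted config keeps ping working.
access-list outside_access_in extended permit icmp any any
! Anything else reaching "outside", tunnelled or not, hits the implicit deny.
! IKE/ESP addressed to the ASA itself is to-the-box traffic and is unaffected.
access-group outside_access_in in interface outside
!
! --- ASA2 (LAN2 side, 192.168.0.0/24) ---
! LAN1 -> LAN2 flows are filtered here, as Jan points out.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp host 172.16.0.10 host 192.168.0.10 eq 80
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
!
! ===== Option 2: vpn-filter on ASA1 (sysopt left at its default) =====
! Per the linked Cisco document, this ACL must NOT also be used in an
! access-group. vpn-filter rules are written remote -> local and evaluated
! for both directions of the tunnel, so for a flow HostA initiates the
! remote service port sits on the SOURCE side of the rule.
access-list l2l_vpn_filter extended permit tcp host 192.168.0.10 eq 80 host 172.16.0.10
access-list l2l_vpn_filter extended permit tcp host 192.168.0.10 host 172.16.0.10 eq 443
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value l2l_vpn_filter
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L_POLICY
```

With Option 1, `show access-list outside_access_in` hit counts on each ASA confirm which side is enforcing which flow; with Option 2 the same ACL line serves both directions of a connection, so it is easy to open more than intended by putting the port on the wrong side.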
