VPN filter and service from remote clients

ericchenli (Level 1)

We have a remote-access VPN set up on a Cisco ASA 5510. By using a VPN filter, I can follow the guide and let clients use all the necessary server services (DNS, SSH, etc.). However, is there any way to allow inside servers to access the remote VPN clients' services, e.g. to let an inside server SSH to a remote VPN client?

Considering the remote-access VPN filter ACL's syntax, I always have to make the source the "remote VPN client PC" and the destination the "inside firewall server"; how can I let traffic go the other way?

1 Reply

Jouni Forss (VIP Alumni)

Hi,

To my understanding, VPN client filter lists are configured in the same way as any ASA interface ACL: you take only one direction of the traffic into consideration.

With L2L VPNs, I think you need to configure the ACL so that every rule/ACE starts with the remote host's IP address.

If you have for example local host 10.10.10.10 and remote host 192.168.10.10

Opening SSH in both directions in an L2L filter ACL would be done the following way:

access-list L2L-VPN-FILTER remark L2L-VPN Filter ACL
access-list L2L-VPN-FILTER remark SSH from LOCAL to REMOTE
access-list L2L-VPN-FILTER permit tcp host 192.168.10.10 eq 22 host 10.10.10.10
access-list L2L-VPN-FILTER remark SSH from REMOTE to LOCAL
access-list L2L-VPN-FILTER permit tcp host 192.168.10.10 host 10.10.10.10 eq 22

So if the client VPN works fine, the only thing preventing you from connecting to the remote host should be your normal interface ACLs for the interface you are connecting from on the local network behind the ASA, and its NAT rules. And possibly the remote host's firewall software.

- Jouni
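To make the point in the reply concrete, here is a small Python simulator of how a vpn-filter ACL is matched. It is an added example, not code from the original thread or from Cisco: it assumes, as the reply states, that every ACE is written with the remote (VPN peer) side as the source and the inside host as the destination, and that the ASA applies the same ACL to traffic in both directions by checking the remote side's real address and port against the ACE's source fields whichever side opened the connection. The ephemeral ports (51000, 40000, 40001) and the stripped-down "client-only" filter are constructed for the demonstration; the parser only understands the `host X` and `any` address forms, which is all the posted ACL uses.

```python
"""Simulate ASA vpn-filter ACL matching (added example, not from the original thread).

Assumption taken from the reply: the ACE source is always the remote/VPN-peer
side and the destination the inside host, and the filter is matched that way
for connections initiated from either side. Interface ACLs, NAT and the remote
host's own firewall are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int] = None   # the real port in use on that side


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src_ip: str                  # remote-side host, or "any"
    src_port: Optional[int]      # "eq N" on the remote side, None = any
    dst_ip: str                  # inside host, or "any"
    dst_port: Optional[int]      # "eq N" on the inside side, None = any


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME permit|deny PROTO host|any A [eq P] host|any B [eq P]'.
    Returns None for remark lines."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if tok[2] == "remark":
        return None
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr(toks):
        if toks[0] == "any":
            ip, toks = "any", toks[1:]
        elif toks[0] == "host":
            ip, toks = toks[1], toks[2:]
        else:
            raise ValueError("only 'host X' and 'any' address forms are supported here")
        port = None
        if toks and toks[0] == "eq":
            port, toks = int(toks[1]), toks[2:]
        return ip, port, toks

    src_ip, src_port, rest = take_addr(rest)
    dst_ip, dst_port, rest = take_addr(rest)
    if rest:
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return Ace(action, proto, src_ip, src_port, dst_ip, dst_port)


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the ACEs of one named access-list from a config fragment."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(f"access-list {name} "):
            ace = parse_ace(line)
            if ace is not None:
                aces.append(ace)
    return aces


def _match(ip_pat: str, port_pat: Optional[int], ip: str, port: Optional[int]) -> bool:
    return (ip_pat == "any" or ip_pat == ip) and (port_pat is None or port_pat == port)


def vpn_filter_allows(aces: List[Ace], proto: str, remote: Endpoint, local: Endpoint) -> bool:
    """First-match evaluation with the remote side in the source slot and the
    inside host in the destination slot, regardless of who initiated. Implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if _match(ace.src_ip, ace.src_port, remote.ip, remote.port) and \
           _match(ace.dst_ip, ace.dst_port, local.ip, local.port):
            return ace.action == "permit"
    return False


# The filter exactly as posted in the reply.
POSTED_FILTER = """
access-list L2L-VPN-FILTER remark L2L-VPN Filter ACL
access-list L2L-VPN-FILTER remark SSH from LOCAL to REMOTE
access-list L2L-VPN-FILTER permit tcp host 192.168.10.10 eq 22 host 10.10.10.10
access-list L2L-VPN-FILTER remark SSH from REMOTE to LOCAL
access-list L2L-VPN-FILTER permit tcp host 192.168.10.10 host 10.10.10.10 eq 22
"""

# Constructed: the "client can reach the server" filter the question describes, with
# only the REMOTE-to-LOCAL ACE. It cannot pass an inside-initiated SSH session.
CLIENT_ONLY_FILTER = """
access-list L2L-VPN-FILTER permit tcp host 192.168.10.10 host 10.10.10.10 eq 22
"""


def ssh_remote_to_local(aces: List[Ace]) -> bool:
    # VPN client (constructed ephemeral port 51000) opens SSH to the inside server.
    return vpn_filter_allows(aces, "tcp", Endpoint("192.168.10.10", 51000), Endpoint("10.10.10.10", 22))


def ssh_local_to_remote(aces: List[Ace]) -> bool:
    # Inside server (constructed ephemeral port 40000) opens SSH to the VPN client:
    # the remote side is still the ACE source, so its port 22 must appear as "eq 22" there.
    return vpn_filter_allows(aces, "tcp", Endpoint("192.168.10.10", 22), Endpoint("10.10.10.10", 40000))


if __name__ == "__main__":
    posted = parse_acl(POSTED_FILTER, "L2L-VPN-FILTER")
    client_only = parse_acl(CLIENT_ONLY_FILTER, "L2L-VPN-FILTER")
    print("posted filter:      client->server", ssh_remote_to_local(posted), " server->client", ssh_local_to_remote(posted))
    print("client-only filter: client->server", ssh_remote_to_local(client_only), " server->client", ssh_local_to_remote(client_only))
```

Running it shows why the questioner's filter only works one way: with the client-only ACE an inside-initiated SSH session is dropped by the implicit deny, and adding the `host 192.168.10.10 eq 22 host 10.10.10.10` ACE (remote host as source, port 22 on the source side) is what lets it through. The simulator stops at the vpn-filter; as the reply notes, the interface ACL, NAT and the remote host's own firewall still have to allow the session.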