We have a corporate site with a Cisco ASA 5580 (8.1) and a remote office with a Cisco ASA 5510 (8.2) with an L2L VPN to corporate.
A vendor has an L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning).
The corporate office accesses an application at the vendor on port 23. Everything is working with regard to the vendor accessing resources at the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I set up a VPN filter and applied it to the vendor's L2L VPN, but when I apply the filter (see below) all traffic to the vendor, such as telnet, stops. I would appreciate any assistance.
To understand this vpn-filter ACL, it's important to know that they do not use source and destination, but remote and local. Because port 23 for the connection to the vendor is used on the remote network, it has to be specified there, where normally the source is located in an ACL.
This way of configuration is really a PITA, as the ASDM also doesn't display them correctly. I really hope Cisco will implement in- and outgoing vpn-filters as it's possible on the IOS router.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
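The remote/local orientation described in the answer, written out as an added example filter for the scenario in the question (this is not configuration from the thread; all addresses, the ACL name, the group-policy name and the peer address are constructed placeholders). Both flows appear as remote-to-local entries even though the telnet session is initiated from the corporate side.

```cisco
! Constructed addresses for illustration only:
!   vendor network      203.0.113.0/24  (remote/peer side of the vendor tunnel)
!   corporate network   10.1.0.0/16     (local side)
!   remote office       10.2.0.0/16     (local side too: reached by hairpinning through this ASA)
! A vpn-filter ACE is always written remote -> local, regardless of who opens the connection.

! Corporate hosts initiate telnet TO the vendor. The vendor's port 23 lives on the
! remote side, so it goes in the *source* position of the ACE (source port eq 23).
access-list VENDOR_VPN_FILTER extended permit tcp 203.0.113.0 255.255.255.0 eq 23 10.1.0.0 255.255.0.0

! The vendor initiates to the remote office on 9100. The remote office is local to
! this tunnel, so 9100 is a normal destination port.
access-list VENDOR_VPN_FILTER extended permit tcp 203.0.113.0 255.255.255.0 10.2.0.0 255.255.0.0 eq 9100

! Everything else over the vendor tunnel is dropped by the implicit deny.

! Attach the filter to the group-policy used by the vendor's L2L tunnel-group.
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_VPN_FILTER
tunnel-group 203.0.113.1 general-attributes
 default-group-policy VENDOR_GP

! Check: open a telnet session from corporate and watch the hit counts move.
show access-list VENDOR_VPN_FILTER
```

If the hit count on the port-23 line stays at zero while telnet fails, the port is almost certainly on the wrong side of the ACE (written as a destination port instead of a source port).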