Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Filter for Hairpin VPNs

We have a corporate site with a Cisco ASA 5580 (8.1), a remote office with a Cisco ASA 5510 (8.2) with a L2L VPN to corporate.

A vendor has a L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning).

The corporate office accesses an application at the vendor on port 23. Everything is working with regards to the vendor accessing resources to the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I setup a VPN filter and applied to the vendor's L2L vpn but when I apply the filter (see below) all traffic stops to the vendor such as telnet. I would appreciate any assistance.

Corporate office: 10.0.0.0 255.0.0.0

Remote office: 172.20.1.0 255.255.255.0

Vendor network: 192.168.0.0 255.255.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

group-policy Vendor-filter-policy internal

group-policy Vendor-filter-policy attributes

vpn-filter value Vendor-filter

tunnel-group xxx.xxx.xxx.xxx general-attributes

default-group-policy Vendor-filter-policy

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

VPN Filter for Hairpin VPNs

The VPN Filter ACl should be as follows:

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

6 REPLIES
Super Bronze

VPN Filter for Hairpin VPNs

The VPN Filter ACl should be as follows:

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

New Member

VPN Filter for Hairpin VPNs

Jennifer, thanks for the reply. This scenario is the same as the following discussion as I thought it was a good idea to post another discussion since it's a different issue:

https://supportforums.cisco.com/message/3666021#3666021

Thanks for the reply.

Jeff

Super Bronze

VPN Filter for Hairpin VPNs

Hey Jeff,

Yes, I remember that

Does the VPN Filter work now?

New Member

VPN Filter for Hairpin VPNs

Jennifer, I haven't had the opportunity to apply and test but I will soon and let you know thank you.

Jeff

VIP Purple

VPN Filter for Hairpin VPNs

To understand this vpn-filter-ACL. it's important to know, that they do not use source and destination, but remote and local. Because the port 23 for the connection to the vendor is used on the remote-network, it has to be specified there where normally the source is located in an ACL.

This way of configuration is really a PITA, as the ASDM also doesn't display them correctly. I really hope cisco will implement in- and outgoing vpn-filter as it's possible on the IOS-router.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: VPN Filter for Hairpin VPNs

Karsten, thanks for the post.

Jeff

820
Views
0
Helpful
6
Replies