03-22-2012 04:08 AM
Hi
I have configured VPN filtering on all my L2L VPNs. I have restricted access from remote to local resources only to specified ports. It works perfectly.
But I want to also have full access from local to remote networks (but still preserve restricted access from remote to local). As I know, VPN Filter works bi-directionally with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic?
ASA 5520 8.4(3)
thank you in advance
Tomasz Mowinski
Solved! Go to Solution.
03-27-2012 06:07 AM
Hi,
Well, let's say you have a filter ACL rule where you allow HTTP traffic from the local network to a remote host:
local network: 10.10.10.0/24
remote host: 192.168.10.10/32
The ACL filter rule would be the following:
access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
I think this ACL rule would also mean that as long as the remote host was using a source port of TCP/80, it could access any TCP port on any host in your local network.
I guess you could add some port ranges or even service object-groups to the ACL rules so that not every well-known port would be accessible on the local network. But I guess that might complicate the configuration quite a bit.
We are usually handling Client and L2L VPN on a totally different ASA, which lets us do all the traffic filtering on another device and we don't run into this kind of problem. But of course there are some situations/networks where that just ain't possible, and it also isn't a feasible solution for some because of the cost of having an additional ASA.
Please rate if you found any of the info helpful
- Jouni
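To make the bidirectional behaviour of the ACE in this answer concrete, here is a small Python model (added here, not from the thread or from Cisco) of how a single vpn-filter ACL is evaluated for new TCP connections: the ACL is written remote-to-local, and for connections originating on the local side the ASA compares the packet with source and destination swapped. It checks the exact ACE above against two constructed flows, then the same ACE tightened with an assumed local-side port range (`range 1024 65535`) as suggested in the answer.

```python
import ipaddress
from dataclasses import dataclass

ANY = range(1, 65536)


@dataclass
class Ace:
    # One vpn-filter ACE, written remote -> local:
    # access-list NAME permit tcp <remote> [eq P] <local> [range A B]
    remote: str          # remote network, e.g. "192.168.10.10/32"
    remote_ports: range  # permitted remote-side port(s)
    local: str           # local network, e.g. "10.10.10.0/24"
    local_ports: range   # permitted local-side port(s)

    def matches(self, remote_ip, remote_port, local_ip, local_port):
        return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)
                and remote_port in self.remote_ports
                and ipaddress.ip_address(local_ip) in ipaddress.ip_network(self.local)
                and local_port in self.local_ports)


def vpn_filter_permits(acl, src, sport, dst, dport, local_net):
    """Decide whether a new TCP connection passes the vpn-filter.
    One ACL serves both directions: a connection that starts on the local
    side is 'flipped' so its destination is compared with the ACE's remote
    (source) field and its source with the ACE's local (destination) field."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(local_net):
        remote_ip, remote_port, local_ip, local_port = dst, dport, src, sport
    else:
        remote_ip, remote_port, local_ip, local_port = src, sport, dst, dport
    return any(a.matches(remote_ip, remote_port, local_ip, local_port) for a in acl)


LOCAL_NET = "10.10.10.0/24"
# access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
LOOSE_ACL = [Ace("192.168.10.10/32", range(80, 81), LOCAL_NET, ANY)]
# Same ACE with a local-side port range (assumed: ... 10.10.10.0 255.255.255.0 range 1024 65535),
# so only ephemeral local ports are reachable from remote source port 80.
TIGHT_ACL = [Ace("192.168.10.10/32", range(80, 81), LOCAL_NET, range(1024, 65536))]


def demo():
    # Constructed sample connections: (src, sport, dst, dport)
    flows = {
        "local browser -> remote web": ("10.10.10.5", 51000, "192.168.10.10", 80),
        "remote sport 80 -> local ssh": ("192.168.10.10", 80, "10.10.10.5", 22),
    }
    # Returns (permitted by loose ACE, permitted by tightened ACE) per flow
    return {name: (vpn_filter_permits(LOOSE_ACL, *f, LOCAL_NET),
                   vpn_filter_permits(TIGHT_ACL, *f, LOCAL_NET))
            for name, f in flows.items()}
```

The model only covers the initial connection check; the real ASA is stateful, so return packets of a permitted connection are handled by the connection table rather than re-evaluated against the ACL.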
03-26-2012 08:28 AM
Hi,
That's a good question.
I haven't thought about this part of VPN filtering much, as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.
The only thing I can come up with right now is to stop using the VPN Filter list and change the "sysopt" setting so that the ASA won't let VPN traffic past the outside interface without checking the outside interface ACL.
The configuration command (8.2) is the following:
For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.
sysopt connection permit-vpn
no sysopt connection permit-vpn
Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.
After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.
Hope this helps
- Jouni
03-27-2012 04:13 AM
Hi Jouni
Thank you for the answer.
I would like to avoid disabling sysopt connection permit-vpn. But it looks like it is the only way to manage the traffic in both directions...
But first I will try to restrict traffic from local to remote to only certain ports. And the question is: will this also allow traffic from remote to local on the same ports?
regards
Tomasz
03-27-2012 06:48 AM
Thank you. So it looks like the only way is to use another device to filter the traffic.
best regards
Tomasz