Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN filtering and access from local to remote site

Hi

I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.

But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic?

ASA 5520 8.4(3)

thank you in advance

Tomasz Mowinski

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

VPN filtering and access from local to remote site

Hi,

Well lets say you have an filter ACL rule where you allow http traffic from local network to remote host

local network: 10.10.10.0/24

remote host: 192.168.10.10/32

The ACL filter rule would be the following:

access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0

I think this ACL rule would also mean that as long as the remote host was using source port of TCP/80, it could access any tcp port on any host in your local network as long as it used the source port of TCP/80.

I guess you could add some port ranges or even service object-groups to the ACL rules so that not every well known port would be accessible on the local network. But I guess that might complicate the configurations quite a bit.

We are usually handling Client and L2L VPN in totally different ASA which lets us do all the traffic filtering on another device and dont run into this kind of problems. But ofcourse there are some situations/networks where that just aint possible and it also isn't a feasible solution for some because of the costs of having an additional ASA.

Please rate if you found any of the info helpfull

- Jouni

4 REPLIES
Super Bronze

Re: VPN filtering and access from local to remote site

Hi,

Thats a good question.

I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.

The only thing I can come up with right now is to stop using VPN Filter list and change the "sysopt" setting so that ASA wont let VPN traffic past the outside interface without checing the outside interface ACL

The Configuration command (8.2) is the following:

sysopt connection permit-vpn

For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command  in global configuration mode to allow the traffic to bypass interface  access lists. Group policy and per-user authorization access lists still  apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.

After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.

Hope this helps

- Jouni

New Member

VPN filtering and access from local to remote site

Hi Jouni

Thank you for the answer.

I would like to  avoid disabling sysopt connection permit-vpn. But it looks that it is  only way to manage the traffic in both directions....

But  first I will try to restrict traffic from local to remote only to  certain ports. And the question is - will this also allow traffic from  remote to local on the same ports ?

regards

Tomasz

Super Bronze

VPN filtering and access from local to remote site

Hi,

Well lets say you have an filter ACL rule where you allow http traffic from local network to remote host

local network: 10.10.10.0/24

remote host: 192.168.10.10/32

The ACL filter rule would be the following:

access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0

I think this ACL rule would also mean that as long as the remote host was using source port of TCP/80, it could access any tcp port on any host in your local network as long as it used the source port of TCP/80.

I guess you could add some port ranges or even service object-groups to the ACL rules so that not every well known port would be accessible on the local network. But I guess that might complicate the configurations quite a bit.

We are usually handling Client and L2L VPN in totally different ASA which lets us do all the traffic filtering on another device and dont run into this kind of problems. But ofcourse there are some situations/networks where that just aint possible and it also isn't a feasible solution for some because of the costs of having an additional ASA.

Please rate if you found any of the info helpfull

- Jouni

New Member

VPN filtering and access from local to remote site

Thank you. So it looks that the only way is to use other device to filter the traffic.

best regards

Tomasz

363
Views
0
Helpful
4
Replies