VPN filters in site to site VPN

sbhalodia
Level 1

Hello Everyone,

I have a question about "VPN filter" on site to site VPN.

For Example:
 
Local network:10.1.1.0/24 and Remote Network 192.168.1.0/24

My goal is to allow telnet connections from the remote network to the local network. That being said, I also want
to make sure only "return" telnet traffic is allowed from the local network. The local network should not be able to initiate any connection.

So, what exact ACE will be required in my ACL in order to accomplish the above task? I would really appreciate any help :-)

3 Replies

Mike Williams
Level 5

Hello,

The VPN filters match bidirectionally, unlike interface ACLs. There is also an implicit deny at the end. Your ACL will look like this:

access-list vpn_filter extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23

This will allow telnet traffic from the remote subnet and return traffic, but will not allow any other traffic initiated from either side of the tunnel.

Regards,

Mike

Thanks for the reply Mike! I just got a chance to test it in the lab and it didn't work with the ACE that you mentioned. I have to add the ACE for the reply traffic as well in order to make it work. So the final ACL is as below:

access-list vpn_filter extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23

access-list vpn_filter extended permit tcp 10.1.1.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

So, why would we have to add this extra ACE for the return traffic? Maybe this VPN filter ACL is not stateful!
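To make the two explanations in this thread concrete, here is an added example (not from the original thread or from Cisco) that models a VPN filter ACL in Python: an implicit deny at the end, and an optional "bidirectional" mode in which an ACE also matches a packet with source and destination swapped, as Mike describes. It evaluates both ACLs posted above against three constructed flows: the wanted remote-to-local telnet SYN, its reply, and a local-initiated telnet connection that must stay denied. The hostnames, ports and the `bidirectional=False` mode are assumptions for illustration, not a statement about how the ASA actually evaluates the filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit tcp' entry: source net, source port,
    destination net, destination port. A port of None means 'any'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None


def ace(src, dst, sport=None, dport=None):
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst), sport, dport)


def ace_matches(a, src_ip, sport, dst_ip, dport):
    return (ipaddress.ip_address(src_ip) in a.src
            and ipaddress.ip_address(dst_ip) in a.dst
            and a.sport in (None, sport)
            and a.dport in (None, dport))


def vpn_filter_permits(acl, src_ip, sport, dst_ip, dport, bidirectional=True):
    """Return True if some ACE permits the packet; otherwise the implicit deny applies.
    bidirectional=True models 'the filter matches in both directions': each ACE is
    also tried against the packet with source and destination swapped.
    bidirectional=False is an assumed one-way model, shown for contrast only."""
    for a in acl:
        if ace_matches(a, src_ip, sport, dst_ip, dport):
            return True
        if bidirectional and ace_matches(a, dst_ip, dport, src_ip, sport):
            return True
    return False  # implicit deny


# Mike's single ACE: remote 192.168.1.0/24 -> local 10.1.1.0/24 eq 23
MIKE_ACL = [ace("192.168.1.0/24", "10.1.1.0/24", dport=23)]
# The follow-up ACL adds an explicit ACE for the reply direction (local eq 23 -> remote)
FINAL_ACL = MIKE_ACL + [ace("10.1.1.0/24", "192.168.1.0/24", sport=23)]

# Constructed sample flows: (src_ip, sport, dst_ip, dport)
REMOTE_TO_LOCAL_SYN = ("192.168.1.50", 40000, "10.1.1.10", 23)   # wanted
LOCAL_REPLY         = ("10.1.1.10", 23, "192.168.1.50", 40000)   # return traffic of the above
LOCAL_INITIATED     = ("10.1.1.10", 50000, "192.168.1.50", 23)   # must stay denied
```

In the bidirectional model Mike's single ACE already covers the reply, while the second ACE only becomes necessary if the filter were evaluated one way; in either model neither ACL permits a connection initiated from the local side.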


attila1980
Level 1

Hi sbhalodia!


I believe the source of the problem is that your return traffic (using an arbitrary port as the destination port) is not matching your tcp port 23 acl, so the return traffic does not get routed through the VPN. That is exactly why you use IP for the interesting traffic acl and filter on the ingress interface of the firewalls/routers.


i.e.: source >>>>>> ACL (tcp port 23) on the ingress interface >> ASA/Cisco router >>>> interesting traffic ACL on IP >>>> Cisco ASA/router
