Cisco Support Community
Community Member

VPN filters in site to site VPN

Hello Everyone,

I have a question about "VPN filter" on site to site VPN.

For Example:
 
Local network: 10.1.1.0/24 and remote network: 192.168.1.0/24

My goal is to allow telnet connections from the remote network to the local network. That being said, I also want
to make sure only "return" telnet traffic is allowed from the local network. The local network should not be able to initiate any connection.

So, what exact ACE will be required in my ACL in order to accomplish the above task? I would really appreciate any help :-)

3 REPLIES


Hello,

The VPN filters match bidirectionally, unlike interface ACLs. There is also an implicit deny at the end. Your ACL will look like this:

access-list vpn_filter extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23

This will allow telnet traffic from the remote subnet and return traffic, but will not allow any other traffic initiated from either side of the tunnel.

Regards,

Mike

Community Member


Thanks for the reply Mike! I just got a chance to test it in the lab and it didn't work with the ACE that you mentioned. I have to add the ACE for the reply traffic as well in order to make it work. So the final ACL is as below:

access-list vpn_filter extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23

access-list vpn_filter extended permit tcp 10.1.1.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

So, why would we have to add this extra ACE for the return traffic? Maybe this VPN filter ACL is not stateful!
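To make the lab result above concrete, here is a small model of the reading the poster's observation points to: a stateless filter that matches every packet, in either direction, against the ACEs exactly as written, with no address swap and no connection state, ending in an implicit deny. This is an added example, not Cisco code and not a description of any particular ASA release; the host addresses and the ephemeral port are constructed sample values.

```python
"""Stateless per-direction model of an ASA vpn-filter ACL.

Added example, not Cisco code. It assumes the reading the poster's lab result
points to: every packet, in either direction, is matched against the ACEs
exactly as written (no source/destination swap, no connection state), and an
implicit deny ends the list. Hosts and the ephemeral port are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    src_port: Optional[int]      # None means any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line (the subset used in the thread)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, i = tok[3], tok[4], 5

    def addr(i):
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        # "10.1.1.0 255.255.255.0" -> 10.1.1.0/24; ipaddress accepts dotted masks
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

    def port(i):
        if i < len(tok) and tok[i] == "eq":
            return int(tok[i + 1]), i + 2
        return None, i

    src, i = addr(i)
    src_port, i = port(i)
    dst, i = addr(i)
    dst_port, i = port(i)
    return Ace(action, proto, src, src_port, dst, dst_port)


def permits(acl: List[Ace], proto: str, sa: str, sp: int, da: str, dp: int) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if (ace.proto in (proto, "ip")
                and ipaddress.ip_address(sa) in ace.src
                and ace.src_port in (None, sp)
                and ipaddress.ip_address(da) in ace.dst
                and ace.dst_port in (None, dp)):
            return ace.action == "permit"
    return False


def telnet_matrix(acl: List[Ace]) -> dict:
    """The four packets that matter for the thread's question, and whether each passes."""
    remote, local, eph = "192.168.1.10", "10.1.1.5", 40000   # constructed sample values
    return {
        "remote_initiates": permits(acl, "tcp", remote, eph, local, 23),
        "local_replies":    permits(acl, "tcp", local, 23, remote, eph),
        "local_initiates":  permits(acl, "tcp", local, eph, remote, 23),
        "remote_replies":   permits(acl, "tcp", remote, 23, local, eph),
    }


# The two ACLs from the thread: Mike's single ACE, and the poster's final two-ACE version.
ONE_ACE = [parse_ace(
    "access-list vpn_filter extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23")]
TWO_ACES = ONE_ACE + [parse_ace(
    "access-list vpn_filter extended permit tcp 10.1.1.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0")]

if __name__ == "__main__":
    for name, acl in (("one ACE", ONE_ACE), ("two ACEs", TWO_ACES)):
        print(name, telnet_matrix(acl))
```

Under this stateless reading the single ACE passes the remote side's SYN but drops the local side's reply from port 23, which is what the poster saw in the lab; adding the second ACE passes that reply while still dropping a local-initiated SYN (source port is ephemeral, not 23) and the remote reply it would need. The trade-off of a stateless source-port rule is that the filter cannot tell a genuine reply from any other local packet sent from port 23, so the stateful connection handling the third reply describes (filtering on the ingress interface, with the crypto ACL on plain IP) is the stronger design when it is available.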

 

Community Member


Hi sbhalodia!

 

I believe the source of the problem is that your return traffic (using an arbitrary port as the destination port) is not matching your TCP port 23 ACL, so the return traffic does not get routed through the VPN. That is exactly why you use IP for the interesting traffic ACL and filter on the ingress interface of the firewalls/routers.

 

i.e.: source >>>>>> ACL (tcp port 23) on the ingress interface >> ASA/Cisco router >>>> interesting traffic ACL on IP >>>> Cisco ASA/router

 

 

 
