Interface Access List Traffic Control

IT_-_Department — Tue, 12 Mar 2019 00:22:55 GMT

I have a Production Router that is hosting 30+ IPSec Tunnels. I have an ACL on the inside Interface of the Router to stop unwanted traffic from entering our LAN via the Tunnels.

The current ACL looks like this:

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445

access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389

access-list 145 permit ip any any

access-group 145 out interface Internal

Configured this way, the traffic that I do not want (ie RDP) is not allowed from 192.168.30.0 to 10.187.10.0.

I would like it to look more like:

access-list 145 deny tcp any any eq 3389

access-list 145 deny tcp any any eq 135

access-list 145 deny tcp any any eq 137

access-list 145 deny tcp any any eq 138

access-list 145 deny tcp any any eq 139

access-list 145 deny tcp any any eq 445

access-list 145 deny tcp any any eq 389

access-list 145 permit ip any any

access-group 145 out interface Internal

Now I know that the unwanted traffic could be limited by making the individual Crypto Map ACL's for the Tunnels more restrictive, but that is a logistical nightmare that I am not prepared to undertake at this time.... I am reasonably sure that the proposed ACL would work fine for my purposes on the Router.

Trick is that I want to move all of the IPSec Tunnels to a HA pair of ASA's. In the ASA the syopt connection permit-vpn allows the Crypto Map ACL to override the interface ACL. It was proposed to use the no sysopt connection permit-vpn command, which it was hoped would allow the Interface ACL to be compared against the VPN Traffic entering the LAN, but it does not! It essentially blocks all traffic from entering the LAN despite the permit ip any any at the end of the ACL.

So.... The question is, how can I get the Interface ACL to be applied to the VPN traffic entering the LAN without disrrupting the wanted VPN traffic?

Interface Access List Traffic Control

Julio Carvajal — Tue, 13 Nov 2012 19:34:07 GMT

Hello Eric,

So.... The question is, how can I get the Interface ACL to be applied to the VPN traffic entering the LAN without disrrupting the wanted VPN traffic?

Actually it should allow it, now traffic innitiated on the other site will need to be allowed on the outside_to_in ACL so you also need to have the permitted traffic there!!!

Regards,

Julio

topic Interface Access List Traffic Control in Network Security

Interface Access List Traffic Control

Interface Access List Traffic Control