cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
365
Views
0
Helpful
6
Replies

Firepower Extended ACL does not work

B A
Level 1
Level 1

Hello everyone, we are currently working on an issue related to ACLs. We have two branches (site-to-site VPN) and sometimes we need to enable communication between two computers (each computer is in a different branch). We don't want to allow all communication, but we would like to limit the communication only to a port, for example only port 3389 for RDP, making an intranet website available from a computer to a server on port 80 or 443, etc. But the problem is that when we configure such a rule with a port limitation, the communication does not go through and packet capture shows VPN - encrypt - DROP. There's a mistake somewhere, but we can't figure out where. We are also not that experienced so any advice would be great. Below is an example of how an ACL is configured. In the second branch, the rule is set the same, only the source and destination are swapped. NAT is configured as well. When I set the destination port to ANY, everything works, so ACL and NAT seem ok.

This looks like a port issue. Btw in the config below, the ICMP ping works, RDP does not (Wireshark shows repeated TCP Retransmission messages).


Site A config:

a1.pnga2.png

 

Site B config:

b1.pngb2.png

 

Thank you for any input!

1 Accepted Solution

Accepted Solutions

Use acl without l4 port in vpn topolgy 

Use acl with l4 port in ACP rules 

That solve your issue.

The ACP will filter traffic before it encrypt and filter it after it decrypt.

MHM

View solution in original post

6 Replies 6

Use extended ACL (only IP without specify port) in VPN topolgy 

MHM

This is a Site-to-Site VPN and we can specify only an extended access list there.

use traffic filter to filter which traffic allow and which is not
S2S VPN ACL dont support L4 ports 

MHM

I am not sure if I understand correctly. So in STS VPN there is no way to limit traffic by port? Or is there a way? How would you do it? Can you be more specific in what config we should do?

Use acl without l4 port in vpn topolgy 

Use acl with l4 port in ACP rules 

That solve your issue.

The ACP will filter traffic before it encrypt and filter it after it decrypt.

MHM

You are a legend. Thanks!