05-17-2024 01:01 AM
Hello everyone, we are currently working on an issue related to ACLs. We have two branches (site-to-site VPN) and sometimes we need to enable communication between two computers (each computer is in a different branch). We don't want to allow all communication, but we would like to limit the communication only to a port, for example only port 3389 for RDP, making an intranet website available from a computer to a server on port 80 or 443, etc. But the problem is that when we configure such a rule with a port limitation, the communication does not go through and packet capture shows VPN - encrypt - DROP. There's a mistake somewhere, but we can't figure out where. We are also not that experienced so any advice would be great. Below is an example of how an ACL is configured. In the second branch, the rule is set the same, only the source and destination are swapped. NAT is configured as well. When I set the destination port to ANY, everything works, so ACL and NAT seem ok.
This looks like a port issue. By the way, in the config below, the ICMP ping works, RDP does not (Wireshark shows repeated TCP Retransmission messages).
Site A config:
Site B config:
Thank you for any input!
05-17-2024 01:52 AM - edited 05-17-2024 03:57 AM
Use an extended ACL (IP only, without specifying a port) in the VPN topology.
MHM
05-17-2024 03:16 AM
This is a Site-to-Site VPN and we can specify only an extended access list there.
05-17-2024 03:31 AM
Use a traffic filter to filter which traffic is allowed and which is not.
S2S VPN ACLs don't support L4 ports.
MHM
05-17-2024 03:42 AM - edited 05-17-2024 03:47 AM
I am not sure if I understand correctly. So in STS VPN there is no way to limit traffic by port? Or is there a way? How would you do it? Can you be more specific in what config we should do?
05-17-2024 03:59 AM
Use an ACL without L4 ports in the VPN topology.
Use an ACL with L4 ports in the ACP rules.
That solves your issue.
The ACP will filter traffic before it is encrypted and filter it again after it is decrypted.
MHM
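As an added example that is not part of this thread, here is the accepted answer expressed as ASA-style CLI: the broken crypto ACL with an L4 port beside the corrected split (IP-only crypto ACL for the VPN topology, port-specific rules in the interface ACL). This is an assumption about what the FMC objects become once deployed: on FTD the "protected networks" of the site-to-site topology produce the crypto map ACL and the ACP rules produce the interface ACLs, and neither is typed in by hand. Addressing, object names, the IKEv2 proposal name and the peer address are hypothetical; the tunnel-group, IKEv2 policy and NAT exemption are omitted.

```cisco
! Hypothetical Site A addressing (assumption, not from the thread):
! Site A LAN 10.1.0.0/16, Site B LAN 10.2.0.0/16, Site B peer 203.0.113.2,
! RDP client 10.1.1.10 -> RDP host 10.2.1.20, intranet web server 10.2.1.30.

! BROKEN: an L4 port inside the VPN "protected networks" (crypto map) ACL.
! This is the shape that packet-tracer reports as "VPN - encrypt - DROP".
access-list S2S_SITEB_BAD extended permit tcp host 10.1.1.10 host 10.2.1.20 eq 3389
crypto map OUTSIDE_MAP 10 match address S2S_SITEB_BAD

! FIXED, step 1: the crypto ACL carries only the two LAN ranges, protocol ip, no ports.
no crypto map OUTSIDE_MAP 10 match address S2S_SITEB_BAD
access-list S2S_SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address S2S_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside

! FIXED, step 2: the port restriction lives in the interface ACL (the ACP rules
! in FMC terms). It is evaluated before encryption on the way out and after
! decryption on the way in, so the same rule set protects both directions.
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.1.20 eq 3389
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 host 10.2.1.30 eq 443
access-list INSIDE_IN extended permit icmp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside

! On ASA, decrypted VPN traffic bypasses interface ACLs by default; turn that
! off so the "filter after decrypt" half of the answer actually happens.
! (On FTD the ACP applies to decrypted traffic unless the topology's
! "Bypass Access Control policy for decrypted traffic" option is enabled.)
no sysopt connection permit-vpn

! Verify from the CLI: the first flow should pass ACCESS-LIST and VPN phases,
! the second should be dropped in the ACCESS-LIST phase, not in VPN encrypt.
packet-tracer input inside tcp 10.1.1.10 50000 10.2.1.20 3389
packet-tracer input inside tcp 10.1.1.10 50000 10.2.1.20 22
```

Site B mirrors this with source and destination swapped: the crypto ACL there is `permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0`, and its interface ACL carries the same port-specific entries in the reverse direction. Keeping the crypto ACLs IP-only on both sides also keeps the negotiated traffic selectors identical, which is what the port-specific entries break.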
05-17-2024 05:00 AM
You are a legend. Thanks!