Firepower Extended ACL does not work

B A
Level 1

Hello everyone, we are currently working on an issue related to ACLs. We have two branches (site-to-site VPN) and sometimes we need to enable communication between two computers (each computer is in a different branch). We don't want to allow all communication, but we would like to limit the communication only to a port, for example only port 3389 for RDP, making an intranet website available from a computer to a server on port 80 or 443, etc. But the problem is that when we configure such a rule with a port limitation, the communication does not go through and packet capture shows VPN - encrypt - DROP. There's a mistake somewhere, but we can't figure out where. We are also not that experienced so any advice would be great. Below is an example of how an ACL is configured. In the second branch, the rule is set the same, only the source and destination are swapped. NAT is configured as well. When I set the destination port to ANY, everything works, so ACL and NAT seem ok.

This looks like a port issue. Btw in the config below, the ICMP ping works, RDP does not (Wireshark shows repeated TCP Retransmission messages).


Site A config:

[screenshots: a1.png, a2.png]


Site B config:

[screenshots: b1.png, b2.png]


Thank you for any input!

6 Replies

Use extended ACL (only IP without specifying port) in VPN topology

MHM

This is a Site-to-Site VPN and we can specify only an extended access list there.

Use a traffic filter to filter which traffic is allowed and which is not.
S2S VPN ACLs don't support L4 ports.

MHM

I am not sure if I understand correctly. So in STS VPN there is no way to limit traffic by port? Or is there a way? How would you do it? Can you be more specific in what config we should do?

Use ACL without L4 port in VPN topology

Use ACL with L4 port in ACP rules

That solves your issue.

The ACP will filter traffic before it is encrypted and filter it again after it is decrypted.

MHM
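To make the split from the accepted answer checkable, here is a small config lint (added example, not from the thread or from Cisco): it reads an ASA/FTD-style running-config, finds the ACLs referenced by `crypto map ... match address` (the VPN topology's protected networks), and flags any entry in those ACLs that carries an L4 port qualifier, which is exactly the "VPN - encrypt - DROP" situation from the question. The sample config, ACL names and addresses are constructed for the example.

```python
"""Lint a Cisco ASA/FTD-style running-config: report crypto-map (VPN
topology) ACL entries that use L4 port qualifiers.  Per the accepted
answer, port filtering belongs in the ACP / interface ACL, not in the
crypto ACL.  The config below is constructed sample input; ACL names
and networks are assumptions, not values from the original post."""
import re

# Port qualifiers an extended ACE can carry after the L3 addresses.
PORT_QUALIFIERS = re.compile(r"\b(eq|neq|gt|lt|range)\b")

SAMPLE_CONFIG = """\
access-list VPN_A_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_A_TO_B extended permit tcp host 10.1.0.10 host 10.2.0.20 eq 3389
access-list ACP_INSIDE extended permit tcp host 10.1.0.10 host 10.2.0.20 eq 3389
access-list ACP_INSIDE extended permit tcp host 10.1.0.10 host 10.2.0.20 range 80 443
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
"""


def crypto_acl_names(config):
    """Names of ACLs referenced by 'crypto map <name> <seq> match address <acl>'."""
    pattern = r"^crypto map \S+ \d+ match address (\S+)"
    return {m.group(1) for m in re.finditer(pattern, config, re.M)}


def find_port_aces(config, acl_names):
    """Return (acl_name, ace_line) for entries of acl_names that use L4 ports."""
    hits = []
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) extended (.*)$", line)
        if m and m.group(1) in acl_names and PORT_QUALIFIERS.search(m.group(2)):
            hits.append((m.group(1), line.strip()))
    return hits


def lint(config):
    """Findings: port-qualified ACEs inside crypto (VPN topology) ACLs."""
    return find_port_aces(config, crypto_acl_names(config))


if __name__ == "__main__":
    for acl, ace in lint(SAMPLE_CONFIG):
        print(f"crypto ACL {acl} has an L4 port qualifier; move it to the ACP: {ace}")
```

Only the `VPN_A_TO_B` entry with `eq 3389` is reported; the same port rules in `ACP_INSIDE` are where they belong and are left alone.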

You are a legend. Thanks!