Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1636
Views
0
Helpful
7
Replies

Applying an ACL to a route-based IPsec VPN tunnel

Go to solution
ABaker94985
Spotlight
Spotlight

‎09-13-2023 01:51 PM

We have a route-based VPN configured to a vendor, and I attempted to apply an access list to the tunnel interface. All traffic was blocked. I've not been able to find documentation on how to apply and ACL for this type of VPN,  but this isn't working. Our side only needs to query the vendor's server via SQL:

access-list VENDOR_IN extended permit tcp host 10.2.3.231 10.110.0.0 255.255.0.0 eq 1433
access-list VENDOR_OUT extended permit ip 10.110.0.0 255.255.0.0 host 10.2.3.231

access-group VENDOR_IN in interface vti-interface_100
access-group VENDOR_OUT out interface vti-interface_100

Thanks

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎09-13-2023 02:27 PM - edited ‎09-13-2023 02:29 PM

You should only need access rules for incoming traffic on the VTI interface (as long as you are not bypassing access list for VPN connections.) Traffic in the outbound direction should be filtered on the ingress interface where that is actually entering the ASA.

That being said, if 10.2.3.231 is the remote side and you are querying the remote side using SQL, then the SQL port should be part of the source.

access-list VENDOR_IN extended permit tcp host 10.2.3.231 eq 1433 10.110.0.0 255.255.0.0

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ABaker94985

‎09-14-2023 06:15 AM

Route based VPN for ASA and you want filter for traffic pass.

That work I think you need only to apply acl to tunnel interface ""nameif"" of route based VPN not to tunnel source.

And also you need no sysop permit vpn

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-13-2023 02:02 PM

what device is this ? ASA  or router ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight

‎09-13-2023 02:04 PM

My bad. It's an ASA.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎09-13-2023 02:27 PM - edited ‎09-13-2023 02:29 PM

You should only need access rules for incoming traffic on the VTI interface (as long as you are not bypassing access list for VPN connections.) Traffic in the outbound direction should be filtered on the ingress interface where that is actually entering the ASA.

That being said, if 10.2.3.231 is the remote side and you are querying the remote side using SQL, then the SQL port should be part of the source.

access-list VENDOR_IN extended permit tcp host 10.2.3.231 eq 1433 10.110.0.0 255.255.0.0

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight

‎09-14-2023 05:40 AM

Marius, I appreciate your info, but the ACL example just isn't making sense to me. Just to set things straight, 10.2.3.231 is our source, and it's reaching across the tunnel to a host in 10.100.0.0/16 on the SQL port. Installing an ACL with 1433 as the source port seems to me that you're making an ACL for a stateless firewall. I don't want anything coming back from the vendor that's initiated from his end, hence a "deny ip any any" from 10.110.0.0/16 to 10.2.3.231, which is to be applied on the VTI interface. Also, based on what I'm understanding, since the SQL query will be initiated from our end, and that ACL will be applied on the Ethernet interface, correct?

You've brought up some ideas in my head about VTI interfaces. My concept of traffic flow through these needs to be shored up. I'm just not grasping inbound and outbound flows with respect to the inside interface of the firewall.

 

Thanks for your time.

0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight

‎09-14-2023 06:12 AM

I'm beginning to understand the concept here, so thanks for your patience. You have to think of the ACLs applied to VTI interfaces differently from a normal interface, so I'm probably OK with the ACL now. I'll have to think about this some more.

We also have "no sysopt connection permit-vpn" configured, and there is no entry in the OUTSIDE ACL for traffic from the vendor to come into our network. Does that mean no traffic can be initiated from the vendor, as is the case with policy-based VPNs? I wasn't sure if the "no sysopt" command also worked with route-based tunnels, and that was the main reason for trying to apply an ACL on the VTI interface.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ABaker94985

‎09-14-2023 06:15 AM

Route based VPN for ASA and you want filter for traffic pass.

That work I think you need only to apply acl to tunnel interface ""nameif"" of route based VPN not to tunnel source.

And also you need no sysop permit vpn

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎09-14-2023 09:24 AM

You are so welcome

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card