cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
747
Views
0
Helpful
2
Replies

Block www to host over VPN tunnel

jgonzalez79
Level 1
Level 1

Hi, I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:

access-list block_port extended deny tcp any host 10.20.10.20 eq 80

access-list block_port extended permit ip any any

access-group block_port out interface inside

These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server. So what am I doing wrong?

Thanks

Joel Gonzalez

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I havent tested a situation exactly as yours but I'd assume the reason why the configuration is failing is because to my understanding the ASA passes all VPN traffic past the interface ACLs.

I've always imagined this would only mean that it passes the outside interface access-list and not the access-lists attached to the outgoing interface of the actual connection (in your case the "inside" interface). But if the connections are indeed going through still, I guess the situation must be that the ASA passes all VPN traffic past ASA interface access-lists.

You got atleast a couple of options

  • You can issue "no sysopt connection permit-vpn
    • This will check every connection taken from behind the VPN connection to your OUTSIDE interface access-list.
    • So if you for example have L2L VPN and Client VPN, you will have to open the traffic using the remote IP addresses EVEN if they are private IP addresses. Every connection taken from behind VPN must have a permitting access-list rule.
    • You SHOULD/MUST make access-list rules to your existing VPNs before issuing this command as otherwise they will start to get blocked by your OUTSIDE interface access-list (I assume you got somekind of access-list attached to OUTSIDE interface with the direction "in")
  • You can create a VPN filter access-list
    • This access-list will be attached to your VPN connection of choice. It will only apply to traffic on that VPN connection and wont affect the ASAs rules otherwise. ( I can give you an example configuration if you tell me what connections should be allowed from INSIDE -> VPN and VPN -> INSIDE)

Please let me know which solution you think would suite you best or ask more questions.


- Jouni

View solution in original post

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I havent tested a situation exactly as yours but I'd assume the reason why the configuration is failing is because to my understanding the ASA passes all VPN traffic past the interface ACLs.

I've always imagined this would only mean that it passes the outside interface access-list and not the access-lists attached to the outgoing interface of the actual connection (in your case the "inside" interface). But if the connections are indeed going through still, I guess the situation must be that the ASA passes all VPN traffic past ASA interface access-lists.

You got atleast a couple of options

  • You can issue "no sysopt connection permit-vpn
    • This will check every connection taken from behind the VPN connection to your OUTSIDE interface access-list.
    • So if you for example have L2L VPN and Client VPN, you will have to open the traffic using the remote IP addresses EVEN if they are private IP addresses. Every connection taken from behind VPN must have a permitting access-list rule.
    • You SHOULD/MUST make access-list rules to your existing VPNs before issuing this command as otherwise they will start to get blocked by your OUTSIDE interface access-list (I assume you got somekind of access-list attached to OUTSIDE interface with the direction "in")
  • You can create a VPN filter access-list
    • This access-list will be attached to your VPN connection of choice. It will only apply to traffic on that VPN connection and wont affect the ASAs rules otherwise. ( I can give you an example configuration if you tell me what connections should be allowed from INSIDE -> VPN and VPN -> INSIDE)

Please let me know which solution you think would suite you best or ask more questions.


- Jouni

jgonzalez79
Level 1
Level 1

Hi Jouni,

I went the route of creating a VPN filter access-list. I used this walk through: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Precisely what I was trying to do. Thanks for pointing me in the correct direction.

Cheers

Joel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card