Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
879
Views
0
Helpful
2
Replies

Block www to host over VPN tunnel

Go to solution
jgonzalez79
Level 1
Level 1

‎04-23-2012 09:28 AM - edited ‎03-11-2019 03:57 PM

Hi, I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:

access-list block_port extended deny tcp any host 10.20.10.20 eq 80

access-list block_port extended permit ip any any

access-group block_port out interface inside

These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server. So what am I doing wrong?

Thanks

Joel Gonzalez

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-23-2012 05:42 PM

Hi,

I havent tested a situation exactly as yours but I'd assume the reason why the configuration is failing is because to my understanding the ASA passes all VPN traffic past the interface ACLs.

I've always imagined this would only mean that it passes the outside interface access-list and not the access-lists attached to the outgoing interface of the actual connection (in your case the "inside" interface). But if the connections are indeed going through still, I guess the situation must be that the ASA passes all VPN traffic past ASA interface access-lists.

You got atleast a couple of options

  • You can issue "no sysopt connection permit-vpn
    • This will check every connection taken from behind the VPN connection to your OUTSIDE interface access-list.
    • So if you for example have L2L VPN and Client VPN, you will have to open the traffic using the remote IP addresses EVEN if they are private IP addresses. Every connection taken from behind VPN must have a permitting access-list rule.
    • You SHOULD/MUST make access-list rules to your existing VPNs before issuing this command as otherwise they will start to get blocked by your OUTSIDE interface access-list (I assume you got somekind of access-list attached to OUTSIDE interface with the direction "in")
  • You can create a VPN filter access-list
    • This access-list will be attached to your VPN connection of choice. It will only apply to traffic on that VPN connection and wont affect the ASAs rules otherwise. ( I can give you an example configuration if you tell me what connections should be allowed from INSIDE -> VPN and VPN -> INSIDE)

Please let me know which solution you think would suite you best or ask more questions.


- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-23-2012 05:42 PM

Hi,

I havent tested a situation exactly as yours but I'd assume the reason why the configuration is failing is because to my understanding the ASA passes all VPN traffic past the interface ACLs.

I've always imagined this would only mean that it passes the outside interface access-list and not the access-lists attached to the outgoing interface of the actual connection (in your case the "inside" interface). But if the connections are indeed going through still, I guess the situation must be that the ASA passes all VPN traffic past ASA interface access-lists.

You got atleast a couple of options

  • You can issue "no sysopt connection permit-vpn
    • This will check every connection taken from behind the VPN connection to your OUTSIDE interface access-list.
    • So if you for example have L2L VPN and Client VPN, you will have to open the traffic using the remote IP addresses EVEN if they are private IP addresses. Every connection taken from behind VPN must have a permitting access-list rule.
    • You SHOULD/MUST make access-list rules to your existing VPNs before issuing this command as otherwise they will start to get blocked by your OUTSIDE interface access-list (I assume you got somekind of access-list attached to OUTSIDE interface with the direction "in")
  • You can create a VPN filter access-list
    • This access-list will be attached to your VPN connection of choice. It will only apply to traffic on that VPN connection and wont affect the ASAs rules otherwise. ( I can give you an example configuration if you tell me what connections should be allowed from INSIDE -> VPN and VPN -> INSIDE)

Please let me know which solution you think would suite you best or ask more questions.


- Jouni

0 Helpful

Go to solution
jgonzalez79
Level 1
Level 1

‎04-24-2012 07:34 AM

Hi Jouni,

I went the route of creating a VPN filter access-list. I used this walk through: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Precisely what I was trying to do. Thanks for pointing me in the correct direction.

Cheers

Joel

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card