How to ACL restrict L2L Peer Connections

I'd like to restrict incoming L2L traffic to just my list of allowed peers.

What's the best way of accomplishing this?

Accepted Solution

Hi, yes, you could do something like this:

object-group network VPN_PEERS
 network-object host 3.3.3.1
 network-object host 2.2.2.1

access-list OUTSIDE_IF extended permit udp object-group VPN_PEERS host 1.1.1.1 eq isakmp
access-group OUTSIDE_IF in interface OUTSIDE control-plane

Notice the "control-plane" keyword at the end of the access-group command; this applies the ACL to traffic destined to the ASA, not traffic through the ASA. You can still apply an ACL to the outside interface; they can co-exist.


3 Replies


Could I just allow the IP host, and not filter the traffic by protocol/port?

Yes of course
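
As an added configuration example that is not part of this thread (the object-group name, ACL name and RFC 5737 addresses are constructed, and 192.0.2.1 stands in for the ASA's outside interface address), this extends the accepted answer's control-plane ACL to the full set of protocols a site-to-site tunnel actually uses: IKE on UDP 500, NAT-T on UDP 4500 and native ESP. It also adds a logged explicit deny so that rejected to-the-box connection attempts from non-peers show up in syslog rather than being dropped silently.

```cisco
object-group network VPN_PEERS
 description Constructed example peers (RFC 5737 addresses), not from the thread
 network-object host 203.0.113.10
 network-object host 198.51.100.20

access-list OUTSIDE_CP remark IKEv1/IKEv2 negotiation from listed peers only (UDP 500)
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS host 192.0.2.1 eq isakmp
access-list OUTSIDE_CP remark NAT-T encapsulated IKE and ESP when a NAT device is in the path (UDP 4500)
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS host 192.0.2.1 eq 4500
access-list OUTSIDE_CP remark Native ESP (IP protocol 50) when no NAT is in the path
access-list OUTSIDE_CP extended permit esp object-group VPN_PEERS host 192.0.2.1
access-list OUTSIDE_CP remark Log everything else aimed at the outside interface itself
access-list OUTSIDE_CP extended deny ip any host 192.0.2.1 log

access-group OUTSIDE_CP in interface OUTSIDE control-plane
```

The final deny line is optional, since every ASA ACL ends in an implicit deny; the explicit line only makes the drops visible (message 106023 in syslog) so you can confirm the filter is doing its job and spot a peer whose address changed. If, as in the follow-up, you would rather permit any protocol from the listed peers, a single `access-list OUTSIDE_CP extended permit ip object-group VPN_PEERS host 192.0.2.1` replaces the three protocol-specific permits, at the cost of also letting those peers reach any other service listening on the outside interface.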
