Solved: Re: How to ACL restrict L2L Peer Connections

brian.emil.harris · ‎02-14-2018

I'd like to restrict incoming L2L traffic to just my list of allowed peers.

What's the best way of accomplishing this?

Rob Ingram · ‎02-14-2018

Hi, Yes you could do something like this:

object-group network VPN_PEERS
network-object host 3.3.3.1
network-object host 2.2.2.1

access-list OUTSIDE_IF extended permit udp object-group VPN_PEERS host 1.1.1.1 eq isakmp
access-group OUTSIDE_IF in interface OUTSIDE control-plane

Notice the "control-plane" command at the end of the access-group, this will apply to traffic destined to the ASA not traffic through the ASA. You can still apply an ACL to the outside interface, they can co-exist.

View solution in original post

Rob Ingram · ‎02-14-2018

Hi, Yes you could do something like this:

object-group network VPN_PEERS
network-object host 3.3.3.1
network-object host 2.2.2.1

access-list OUTSIDE_IF extended permit udp object-group VPN_PEERS host 1.1.1.1 eq isakmp
access-group OUTSIDE_IF in interface OUTSIDE control-plane

Notice the "control-plane" command at the end of the access-group, this will apply to traffic destined to the ASA not traffic through the ASA. You can still apply an ACL to the outside interface, they can co-exist.

brian.emil.harris · ‎02-14-2018

Could I just allow the IP host, and not filter the traffic by protocol/port?

Rob Ingram · ‎02-14-2018

Yes of course