02-14-2018 10:12 AM - edited 02-21-2020 07:21 AM
I'd like to restrict incoming L2L traffic to just my list of allowed peers.
What's the best way of accomplishing this?
02-14-2018 11:01 AM
Hi, yes, you could do something like this:
object-group network VPN_PEERS
network-object host 3.3.3.1
network-object host 2.2.2.1
access-list OUTSIDE_IF extended permit udp object-group VPN_PEERS host 1.1.1.1 eq isakmp
access-group OUTSIDE_IF in interface OUTSIDE control-plane
Notice the "control-plane" keyword at the end of the access-group command; it applies the ACL to traffic destined to the ASA, not traffic through the ASA. You can still apply an ACL to the outside interface; they can co-exist.
02-14-2018 03:27 PM
Could I just allow the IP host, and not filter the traffic by protocol/port?
02-14-2018 03:32 PM
Yes, of course.
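The two answers above describe one technique: an object-group of allowed peers, an access-list whose destination is the ASA's own outside address, and an access-group with the control-plane keyword. The following Python generator is an added example, not code from the thread or from Cisco; it emits those ASA CLI lines from a peer list, validating and de-duplicating the addresses first. The function name, its parameters, and the peer/interface values are assumptions. It goes beyond the thread in one respect: with restrict_ports=True it permits not only IKE on UDP/500 (the eq isakmp line shown above) but also NAT-T on UDP/4500 and ESP, since an IPsec L2L peer sends all three to the ASA; with restrict_ports=False it produces the host-only permit ip variant asked about in the follow-up.

```python
import ipaddress
from typing import Iterable, List


def build_control_plane_acl(
    peers: Iterable[str],
    asa_outside_ip: str,
    interface: str = "OUTSIDE",
    acl_name: str = "OUTSIDE_IF",
    group_name: str = "VPN_PEERS",
    restrict_ports: bool = True,
) -> List[str]:
    """Return ASA CLI lines for a to-the-box ACL that admits only `peers`.

    restrict_ports=True  -> permit IKE (UDP/500), NAT-T (UDP/4500) and ESP,
                            the protocols an IPsec L2L peer sends to the ASA.
    restrict_ports=False -> permit any IP from the listed peers (the
                            follow-up question in the thread).
    Names and defaults are assumptions chosen to match the thread's example.
    """
    # IPv4Address raises ValueError (AddressValueError) on a malformed address,
    # so a typo never silently turns into a permit for the wrong host.
    asa = ipaddress.IPv4Address(asa_outside_ip)
    unique = sorted({ipaddress.IPv4Address(p) for p in peers})
    if not unique:
        # An empty object-group plus the ACL's implicit deny would block all IKE.
        raise ValueError("peer list is empty; the ACL would block every peer")

    lines = [f"object-group network {group_name}"]
    lines += [f" network-object host {p}" for p in unique]

    dst = f"object-group {group_name} host {asa}"
    if restrict_ports:
        lines += [
            f"access-list {acl_name} extended permit udp {dst} eq isakmp",  # IKE
            f"access-list {acl_name} extended permit udp {dst} eq 4500",    # NAT-T
            f"access-list {acl_name} extended permit esp {dst}",            # ESP
        ]
    else:
        lines.append(f"access-list {acl_name} extended permit ip {dst}")

    # control-plane: match traffic addressed to the ASA itself, not transit traffic.
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    return lines


if __name__ == "__main__":
    # Constructed sample input mirroring the thread's addresses.
    for line in build_control_plane_acl(["3.3.3.1", "2.2.2.1"], "1.1.1.1"):
        print(line)
```

Like any ASA ACL, the generated one ends in an implicit deny, so once it is applied with control-plane, anything else addressed to the ASA on that interface that is not listed is dropped; review what other to-the-box traffic arrives there before applying it.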