How to permit a specific port (permit only the ports that we want) with a site-to-site VPN on a Cisco ASA

Sotheng Se
Level 1

Dear Support,

Currently, I have configured a site-to-site VPN between two ASAs (Branch A and Branch B). Normally, a site-to-site VPN always permits the full range of IP addresses in the interesting traffic (access control list). But in my scenario I want to allow only some protocols (for example, only certain TCP or UDP ports) across the VPN tunnel. So my question is: how could I configure a site-to-site VPN on a Cisco ASA to permit only specific ports?

Please find some information as attached file and as below:

Branch A ip address: 192.168.1.0/24

Branch B ip address: 172.16.1.0/24

+++ Interesting traffic from Branch A to Branch B: access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 (Note: uses the full IP range from Branch A to Branch B)

+++ Interesting traffic from Branch B to Branch A: access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp (Note: permits only ICMP from Branch B to Branch A)

+++ Result after testing

I cannot ping from Branch A to Branch B, but I can ping from Branch B to Branch A. Could you advise me what the problem is?

Your help is very appreciated!

Regards,


Tagir Temirgaliyev
Spotlight

This is a mistake:

access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp

tcp equal icmp?

It should be:

access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

my question is how could I configure VPN Site to Site on Cisco ASA to permit only specific port?

You need an additional access-list.

Share your config.

Hi Support,

The main point is: from BrA to BrB they allow the full range of IP addresses, or all protocols, but from BrB to BrA they allow only one protocol, ICMP (not all protocols).

The question is : how could I allow VPN site to site traffic on this scenario?

Thank you.
Hi Sothengse,

The VPN tunnel is triggered based on the crypto access lists. Please try to apply the access lists in this way if you want to allow only ICMP traffic between both ends:

On Branch B:

access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

On Branch A:

access-list BrA-BrB extended permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

Regards,

Aref

Hi support,

The above access-list permits ICMP traffic between both ends, but what if I use it like below?

On Branch A use:

access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

And

On Branch B use:

access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Does this VPN work or not?

If it doesn't work, what should I do?

Your help is very appreciated.

Thanks.

No, that would allow only ICMP traffic. But if you want to allow everything except for some VPN traffic that you "filter" between end hosts based on ports/protocols, you should apply it in a way similar to this:

These access lists are needed to trigger the tunnel based on any traffic:

access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0


This access list is needed to filter the VPN traffic based on port/protocol, in this example port 80:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
access-list vpn-filtering extended permit ip any any

Add/modify your group policy:

group-policy EXAMPLE-GP internal
group-policy EXAMPLE-GP attributes
 vpn-filter value vpn-filtering


Add/modify your tunnel Group:

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy EXAMPLE-GP

PS: Please note that in the above access list used to filter VPN traffic, the source address should always be the destination address (Branch B, assuming we are applying these commands on the Branch A ASA) and the port should always be the port used on the destination end.

For example, this ACE would block www traffic from Branch A to Branch B:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0

And this one would block www traffic from Branch B to Branch A:

access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www

Regards,

Aref
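To make the "source is the remote end, port is the remote end's port" rule from the reply above concrete, here is a Python model of how the ASA evaluates a vpn-filter in both directions. It is added here as an example and is not code from the thread or from Cisco; the host addresses and client ports are constructed, and the parser assumes only the ACE syntax that appears in the thread.

```python
import ipaddress
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # small subset of ASA port keywords

def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line; covers only the syntax used in the thread:
    action, protocol, then source and destination as 'any' or 'net mask', each optionally 'eq <port>'."""
    t = line.split()
    i = t.index("extended") + 1
    ace = {"action": t[i], "proto": t[i + 1]}
    i += 2
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            ace[side], i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
        ace[side + "_port"] = None
        if i < len(t) and t[i] == "eq":
            ace[side + "_port"], i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return ace

def ace_matches(ace, proto, sip, sport, dip, dport):
    """Classic ACE match: protocol ('ip' matches everything), both networks, any 'eq' ports."""
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(sip) in ace["src"] and ipaddress.ip_address(dip) in ace["dst"]
            and ace["src_port"] in (None, sport) and ace["dst_port"] in (None, dport))

def vpn_filter(acl, local_net, proto, sip, sport, dip, dport):
    """Model of how the ASA applies a vpn-filter: the ACL is written remote -> local and used in both
    directions. Traffic arriving from the tunnel is matched as-is; traffic leaving toward the tunnel is
    matched with addresses and ports swapped. Anything unmatched hits the implicit deny."""
    if ipaddress.ip_address(sip) in ipaddress.ip_network(local_net):
        sip, sport, dip, dport = dip, dport, sip, sport  # outbound: swap the two ends
    for ace in acl:
        if ace_matches(ace, proto, sip, sport, dip, dport):
            return ace["action"]
    return "deny"  # implicit deny, which is why the list ends with 'permit ip any any'

# The two filters from the reply above, as applied on the Branch A ASA (local side 192.168.1.0/24).
LOCAL = "192.168.1.0/24"
BLOCK_WWW_A_TO_B = [parse_ace(line) for line in (
    "access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0",
    "access-list vpn-filtering extended permit ip any any")]
BLOCK_WWW_B_TO_A = [parse_ace(line) for line in (
    "access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www",
    "access-list vpn-filtering extended permit ip any any")]

if __name__ == "__main__":
    for acl in (BLOCK_WWW_A_TO_B, BLOCK_WWW_B_TO_A):  # constructed hosts/client ports below
        print(vpn_filter(acl, LOCAL, "tcp", "192.168.1.10", 40000, "172.16.1.20", 80),  # web, A -> B
              vpn_filter(acl, LOCAL, "tcp", "172.16.1.20", 50000, "192.168.1.10", 80))  # web, B -> A
```

Running it shows the first filter denying the A-to-B web flow and permitting B-to-A, and the second filter doing the opposite, which is the swap rule the reply describes.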
