10-22-2014 01:15 AM - edited 03-11-2019 09:58 PM
Dear Support,
Currently, I have configured a site-to-site VPN between two ASAs (Branch A and Branch B). Normally, a site-to-site VPN always permits the full range of IP addresses in the interesting traffic (access-control list). But for my scenario I want to allow only some protocols (like only a TCP or UDP port) across the VPN tunnel. So, my question is: how could I configure a site-to-site VPN on a Cisco ASA to permit only a specific port?
Please find some information as attached file and as below:
Branch A ip address: 192.168.1.0/24
Branch B ip address: 172.16.1.0/24
+++ Interesting traffic from Branch A to Branch B: access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 (Note: use the full range of IP addresses from Branch A to Branch B)
+++ Interesting traffic from Branch B to Branch A: access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp (Note: permit only ICMP from Branch B to Branch A)
+++ Result after testing
I cannot ping from Branch A to Branch B, but I can ping from Branch B to Branch A. Could you advise me what the problem is?
Your help is very much appreciated!
Regards,
10-22-2014 04:41 AM
This is a mistake:
access-list BrB-BrA extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq icmp
tcp equal icmp?
It should be:
access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
my question is how could I configure VPN Site to Site on Cisco ASA to permit only specific port?
You need an additional access-list.
Share your config.
10-26-2014 07:16 PM
Hi Support,
The main point is: from BrA to BrB they allow the full range of IP addresses, or all protocols, but from BrB to BrA they allow only the ICMP protocol (not all protocols).
The question is: how could I allow site-to-site VPN traffic in this scenario?
Thank you
10-26-2014 07:35 PM
Hi Sothengse,
The VPN tunnel is triggered based on the crypto access lists. Please try to apply the access lists in this way if you want to allow only ICMP traffic between both ends:
On Branch B:
access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
On Branch A:
access-list BrA-BrB extended permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
Regards,
Aref
10-27-2014 10:31 PM
Hi support,
The above access-list permits ICMP traffic between both ends, but if I use the following:
On Branch A use:
access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
And
On Branch B use:
access-list BrB-BrA extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Does this VPN work or not?
If it doesn't work, what should I do?
Your help is very much appreciated.
Thanks
10-28-2014 06:43 AM
No, that would allow only ICMP traffic. But if you want to allow everything and only "filter" some VPN traffic between end hosts based on ports/protocols, you should apply it in a way similar to this:
These access lists are needed to trigger the tunnel based on any traffic:
access-list BrA-BrB extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list BrB-BrA extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
This access list is needed to filter the VPN traffic based on port/protocol, in this example port 80:
access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
access-list vpn-filtering extended permit ip any any
Add/modify your group policy:
group-policy EXAMPLE-GP internal
group-policy EXAMPLE-GP attributes
vpn-filter value vpn-filtering
Add/modify your tunnel group:
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy EXAMPLE-GP
PS: Please note that in the above access list used to filter VPN traffic, the source address should always be the destination address (Branch B, assuming we are applying these commands on the Branch A ASA) and the port should always be the port used on the destination end.
For example, this ACE would block www traffic from Branch A to Branch B:
access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0
And this one would block www traffic from Branch B to Branch A:
access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
Regards,
Aref
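Added example, not part of the thread: a small Python model of how the ASA evaluates a vpn-filter ACL, so the source/destination inversion Aref describes can be checked against concrete packets. It assumes the filter is applied on the Branch A ASA, reuses Aref's three ACEs, and uses the constructed host addresses 192.168.1.10 (Branch A) and 172.16.1.20 (Branch B).

```python
import ipaddress
from collections import namedtuple

# Constructed scenario: the vpn-filter is applied on the Branch A ASA, so
# Branch A is "local" and Branch B is the remote side of the tunnel.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# src/src_port = remote end, dst/dst_port = local end; a None port means any.
Ace = namedtuple("Ace", "action proto src src_port dst dst_port")

def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line in ASA syntax."""
    t = line.split()
    i = t.index("extended") + 1
    action, proto, i = t[i], t[i + 1], i + 2
    fields = []
    for _ in range(2):  # source block, then destination block
        if t[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            net, i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
        port = None
        if i < len(t) and t[i] == "eq":
            port, i = int({"www": 80}.get(t[i + 1], t[i + 1])), i + 2
        fields += [net, port]
    return Ace(action, proto, *fields)

def ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace.src
            and ipaddress.ip_address(dst_ip) in ace.dst
            and ace.src_port in (None, sport)
            and ace.dst_port in (None, dport))

def vpn_filter_allows(acl, proto, src_ip, sport, dst_ip, dport):
    """The ASA matches a vpn-filter ACL with the remote side as source, so a
    packet leaving the local network is evaluated with its endpoints swapped."""
    if ipaddress.ip_address(src_ip) in LOCAL_NET:
        src_ip, sport, dst_ip, dport = dst_ip, dport, src_ip, sport
    for ace in acl:
        if ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL

# Aref's two example ACEs plus the closing permit, exactly as posted above.
VPN_FILTER = [parse_ace(l) for l in (
    "access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0",
    "access-list vpn-filtering extended deny tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www",
    "access-list vpn-filtering extended permit ip any any",
)]
```

With only the first deny ACE in place, Branch B can still reach a web server in Branch A, which is the asymmetry the PS above warns about.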