Interface Access List Traffic Control

IT_-_Department
Level 1

I have a Production Router that is hosting 30+ IPSec Tunnels.  I have an ACL on the inside Interface of the Router to stop unwanted traffic from entering our LAN via the Tunnels. 

The current ACL looks like this:

access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any

access-group 145 out interface Internal

Configured this way, the traffic that I do not want (i.e. RDP) is not allowed from 192.168.30.0 to 10.187.10.0.

I would like it to look more like:

access-list 145 deny   tcp any any eq 3389
access-list 145 deny   tcp any any eq 135
access-list 145 deny   tcp any any eq 137
access-list 145 deny   tcp any any eq 138
access-list 145 deny   tcp any any eq 139
access-list 145 deny   tcp any any eq 445
access-list 145 deny   tcp any any eq 389
access-list 145 permit ip any any

access-group 145 out interface Internal

Now I know that the unwanted traffic could be limited by making the individual Crypto Map ACLs for the Tunnels more restrictive, but that is a logistical nightmare that I am not prepared to undertake at this time....  I am reasonably sure that the proposed ACL would work fine for my purposes on the Router.

Trick is that I want to move all of the IPSec Tunnels to a HA pair of ASAs.  In the ASA the sysopt connection permit-vpn allows the Crypto Map ACL to override the interface ACL.  It was proposed to use the no sysopt connection permit-vpn command, which it was hoped would allow the Interface ACL to be compared against the VPN Traffic entering the LAN, but it does not!  It essentially blocks all traffic from entering the LAN despite the permit ip any any at the end of the ACL.

So....  The question is, how can I get the Interface ACL to be applied to the VPN traffic entering the LAN without disrupting the wanted VPN traffic?

1 Reply

Julio Carvajal
VIP Alumni

Hello Eric,

So....  The question is, how can I get the Interface ACL to be applied to the VPN traffic entering the LAN without disrupting the wanted VPN traffic?

Actually it should allow it, now traffic initiated on the other site will need to be allowed on the outside_to_in ACL so you also need to have the permitted traffic there!!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
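The following Python is an added example, not code from this thread or from Cisco. It parses the numbered extended-ACL syntax quoted in the question (wildcard masks, first match wins, implicit deny at the end) and compares the current and proposed inside-interface ACLs against a few sample flows. It also contains a deliberately simplified model of what the question and the reply describe for the ASA: with sysopt connection permit-vpn the decrypted tunnel traffic bypasses the interface ACLs; without it, the outside interface's inbound ACL is consulted first, so an outside_to_in ACL with no permit for the remote subnets drops everything before the inside ACL's permit ip any any is ever reached. That model, the sample hosts (192.168.40.5, 10.187.10.20), and the outside_to_in ACL contents are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the ACE form used in the question: wildcard-mask source/destination,
# optional "eq <port>". Not a full IOS/ASA ACL grammar.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})\s+"
    r"(?P<dst>any|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_network(field: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0; 'addr wildcard' -> network. Wildcard bits are the
    don't-care bits, so 0.0.0.255 is a /24 and 0.0.0.0 is a single host.
    Non-contiguous wildcards are rejected by ipaddress (ValueError)."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = field.split()
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_acl(config: str) -> List[Ace]:
    aces = []
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        aces.append(Ace(m["action"], m["proto"], parse_network(m["src"]),
                        parse_network(m["dst"]), int(m["port"]) if m["port"] else None))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Top-down, first match wins; an empty or exhausted list is an implicit deny."""
    for ace in aces:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# The TCP ports denied in the question; both ACLs end with "permit ip any any".
PORTS = (3389, 135, 137, 138, 139, 445, 389)
CURRENT_ACL = parse_acl("\n".join(
    f"access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq {p}"
    for p in PORTS) + "\naccess-list 145 permit ip any any")
PROPOSED_ACL = parse_acl("\n".join(
    f"access-list 145 deny tcp any any eq {p}" for p in PORTS)
    + "\naccess-list 145 permit ip any any")

# Constructed outside_to_in ACL in the spirit of the reply: explicitly permit the
# remote tunnel subnets towards the LAN so the inside ACL gets to do the port filtering.
OUTSIDE_TO_IN = parse_acl(
    "access-list outside_to_in permit ip 192.168.0.0 0.0.255.255 10.187.10.0 0.0.0.255")


def asa_decrypted_path(permit_vpn: bool, outside_in: List[Ace], inside_out: List[Ace],
                       proto: str, src: str, dst: str, dport: int) -> str:
    """Simplified model (assumption) of the behaviour the thread describes: with
    sysopt connection permit-vpn the decrypted traffic skips the interface ACLs;
    without it the outside inbound ACL is checked first, then the inside outbound ACL."""
    if permit_vpn:
        return "permit"
    if evaluate(outside_in, proto, src, dst, dport) == "deny":
        return "deny (outside inbound ACL)"
    return evaluate(inside_out, proto, src, dst, dport)


if __name__ == "__main__":
    flows = [("tcp", "192.168.30.5", "10.187.10.20", 3389),   # RDP from the named subnet
             ("tcp", "192.168.40.5", "10.187.10.20", 3389),   # RDP from another tunnel
             ("tcp", "192.168.40.5", "10.187.10.20", 443),    # wanted traffic
             ("udp", "192.168.40.5", "10.187.10.20", 137)]    # NetBIOS over UDP
    for f in flows:
        print(f, "current:", evaluate(CURRENT_ACL, *f), "proposed:", evaluate(PROPOSED_ACL, *f),
              "| no permit-vpn, empty outside ACL:", asa_decrypted_path(False, [], PROPOSED_ACL, *f),
              "| no permit-vpn, outside permits:", asa_decrypted_path(False, OUTSIDE_TO_IN, PROPOSED_ACL, *f))
```

Two things the run makes visible that the ACL text alone does not: the proposed list closes the gap for tunnels other than 192.168.30.0/24, but because every deny is TCP-only the same ports over UDP (NetBIOS name and datagram services on 137/138 are UDP) still hit permit ip any any; and with permit-vpn disabled the inside ACL's final permit never matters until the outside ACL has an explicit permit for the remote subnets, which is the reply's point. Verify the model against the real box with the ASA's packet-tracer command (for example packet-tracer input outside tcp 192.168.40.5 12345 10.187.10.20 3389) before trusting it.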