04-14-2010 08:47 AM - edited 03-11-2019 10:32 AM
Hello all, very quick one for you:
I want to create a L2L tunnel that allows all traffic in one direction for management purposes, and just port 80 traffic back in the other direction.
I'm guessing this isn't possible with just the match access-lists (they need to match in the SA right?), so is creating a VPN filter the right way to go?
Any advice welcome.
Thanks.
04-14-2010 09:05 AM
Hi,
The devices involved in the L2L tunnel are ASAs?
If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.
The filter refers to an ACL where you specify the permitted traffic.
Federico.
04-14-2010 08:38 PM
You are right, that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and the vpn filters should be used on the specific tunnel groups. See link below.
04-15-2010 02:58 AM
Hi, thanks for the replies.
The devices at both ends are ASAs. To be honest I wasn't sure if I could just do something like "permit ip 10.0.0.0/24 10.1.0.0/24" at one end in the match statement and "permit tcp 10.1.0.0/24 10.0.0.0/24 eq 80" at the other end. Do the match statements actually need to be identical for the tunnel to establish? If I did something like this and wanted to RDP from the management network, would the traffic get back because the TCP session state will already be present on the remote device, or will it not because only port 80 is allowed back the other way?
I'll go with the VPN filtering, but if anyone could clarify the points above for me that would be much appreciated.
James
04-15-2010 03:09 AM
Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statement should be a mirror image on both ends.
Example:
Site A LAN: 10.1.1.0/24
Site B LAN: 10.2.2.0/24
Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
Then if you would like to restrict it, as Federico and Kevin said, you can use vpn-filter ACL.
Here is the sample configuration on vpn-filter for your reference:
Hope that helps.
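The approach described in this thread, as an added configuration example (not from any of the posters): the Site B ASA keeps the ip-to-ip crypto ACL from the example above and uses a vpn-filter to let the Site A management network open connections to Site B while Site B may open only HTTP toward Site A. It assumes the ASA's vpn-filter semantics (remote network as source, local as destination, with outbound packets evaluated source/destination swapped); the ACL and group-policy names and the peer address 203.0.113.1 are placeholders, and Site A can apply the mirror of this filter with the roles reversed if both ends are to enforce it.

```text
! Site B ASA (local 10.2.2.0/24, remote 10.1.1.0/24 at Site A).
! Added example, not from the thread; names and the peer 203.0.113.1 are placeholders.
!
! Crypto ACL: ip-to-ip and a mirror image of Site A's, as advised above.
access-list crypto-acl extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! vpn-filter ACL: written with the REMOTE network as source and the LOCAL
! network as destination. The ASA checks outbound (local -> remote) packets
! against the same lines with source/destination swapped, so the position of
! the port in each line decides which side may open the connection.
!
! Site A (management) may open RDP, SSH and HTTPS to Site B:
access-list l2l-filter extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 3389
access-list l2l-filter extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 22
access-list l2l-filter extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
!
! Site B may open only HTTP to Site A. Its outbound SYN (10.2.2.x:ephemeral ->
! 10.1.1.y:80) is evaluated swapped as 10.1.1.y:80 -> 10.2.2.x:ephemeral, so
! port 80 belongs on the remote (source) side of the line:
access-list l2l-filter extended permit tcp 10.1.1.0 255.255.255.0 eq 80 10.2.2.0 255.255.255.0
!
! Everything else crossing the tunnel hits the implicit deny. Note that a plain
! "permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0" would match in both
! directions after the swap, so "all traffic one way" has to be spelled out
! per service as above rather than with a single ip line.
!
group-policy L2L-SITEA internal
group-policy L2L-SITEA attributes
 vpn-filter value l2l-filter
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L-SITEA
```

Return packets of a connection permitted by one of these lines (for example Site B's 3389 replies heading back to Site A) are evaluated with the same swap and therefore match the line that permitted the connection, which answers the RDP question above.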