Beginner

ASA 5520 IPSEC L2L and ACL

Just a quick question. I have two ASAs with a site-to-site VPN tunnel built between them. One is at the Headquarters site and the other is a remote site. At the remote site, I have the following IPs as local hosts:

192.168.1.5

192.168.1.6

192.168.1.55

These workstations are attempting to access the following destination networks:

10.1.1.0  /24

10.1.2.0  /24

10.1.3.0  /24

In my interesting traffic on the remote end, I've set it to use

IP  192.168.1.0   255.255.255.0   ----->   10.1.0.0   255.255.0.0

On the Central HQ side, my interesting traffic looks like

IP  10.1.0.0   255.255.0.0   -------->  192.168.1.0   255.255.255.0

So now I'm encrypting IP traffic between 10.1.0.0/16 and 192.168.1.0/24. This part works fine. But now I want to put an ACL on the tunnel to ONLY allow the 3 hosts on the 192.168.1.x on certain ports to the 3 subnets. Is this done by Group Policy for a LAN 2 LAN tunnel? If I apply a group policy and set an IPv4 Filter, will this accomplish what I'm shooting for?

I'm doing this on the ASDM, so keep that in mind when trying to explain to me how to fix it.

Thanks in advance,     
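As an added example (not from the thread or the link it refers to), this is how the filtering asked about above is done on the HQ ASA: a vpn-filter ACL attached through the tunnel's group policy, which is the IPv4 Filter field of the group policy in ASDM under Site-to-Site VPN > Group Policies. The object-group, group-policy and tunnel-group names, the peer placeholder and the two ports are assumptions; the hosts and networks are the ones in the post.

```cisco
! Constructed example for the HQ ASA (not from the thread). Names, ports and the
! peer placeholder are assumptions; the hosts and networks are the ones in the post.

! Interesting traffic stays as posted: the whole /16 <-> /24 is still what gets encrypted.
access-list L2L_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0

! The three remote workstations from the post.
object-group network REMOTE_HOSTS
 network-object host 192.168.1.5
 network-object host 192.168.1.6
 network-object host 192.168.1.55

! The three HQ subnets they may reach.
object-group network HQ_SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0

! "Certain ports": the post does not say which, so these two are assumed.
object-group service HQ_PORTS tcp
 port-object eq 443
 port-object eq 3389

! The vpn-filter ACL. For an L2L tunnel the ASA evaluates it with the REMOTE network
! as the source and the LOCAL (HQ) network as the destination, so the port is the
! local port. Return traffic is matched by the mirrored rule, so only this direction
! is listed; anything else arriving over the tunnel hits the ACL's implicit deny.
access-list REMOTE_VPN_FILTER extended permit tcp object-group REMOTE_HOSTS object-group HQ_SUBNETS object-group HQ_PORTS

! Attach the filter through a group policy and make it the default policy of the
! L2L tunnel group, whose name is the peer's IP address (placeholder below).
group-policy GP_REMOTE_SITE internal
group-policy GP_REMOTE_SITE attributes
 vpn-filter value REMOTE_VPN_FILTER
tunnel-group <REMOTE_PEER_IP> general-attributes
 default-group-policy GP_REMOTE_SITE
```

The filter is applied even with the default `sysopt connection permit-vpn`, which only bypasses the interface ACLs for decrypted traffic. Check that it took effect with `show vpn-sessiondb detail l2l` (the Filter Name field) and watch the hit counts in `show access-list REMOTE_VPN_FILTER`.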

Advisor

Here's a config example (CLI & ASDM).

Hope it helps.

Beginner

Am I blind and missing the link? I'm not seeing it. I should have stayed in bed this morning!

Beginner

That's Fantastic!!!   Should have posted that earlier as I think I could have saved myself some time and grief.   Thanks a ton.  That's EXACTLY what I was looking for!!! 

Advisor

Good to hear. As a side note, I usually deploy a second firewall that I use to filter instead of on the ASA w/VPN. Much easier to manage.

Beginner

That does make a lot of sense.   And you primarily just use that second firewall for filtering only?

Advisor

Yup. On the second firewall I use one interface for filtering VPN and others as inside, outside, and other DMZs. It's usually the "main" firewall that does the filtering. I then use another ASA for VPN only.