ASA 5520 IPSEC L2L and ACL

jonesl1
Level 1

Just a quick question. I have two ASAs with a site-to-site VPN tunnel built between them. One is at the Headquarters site and the other is a remote site. At the remote site, I have the following IPs as local hosts:

192.168.1.5
192.168.1.6
192.168.1.55

These workstations are attempting to access the following destination networks

10.1.1.0/24
10.1.2.0/24
10.1.3.0/24

In my interesting traffic on the remote end, I've set it to use

IP  192.168.1.0   255.255.255.0   ----->   10.1.0.0   255.255.0.0

On the Central HQ side, my interesting traffic looks like

IP  10.1.0.0   255.255.0.0   -------->  192.168.1.0   255.255.255.0

So now I'm encrypting IP traffic between 10.1.0.0/16 and 192.168.1.0/24. This part works fine. But now I want to put an ACL on the tunnel to ONLY allow the 3 hosts on 192.168.1.x on certain ports to the 3 subnets. Is this done by Group Policy for a LAN-to-LAN tunnel? If I apply a group policy and set an IPv4 Filter, will this accomplish what I'm shooting for?

I'm doing this on the ASDM, so keep that in mind when trying to explain to me how to fix it.

Thanks in advance,     
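Added example of the CLI equivalent of the "IPv4 Filter" (a vpn-filter on the group policy) for the setup described above, on the HQ ASA; this is not from the thread or from Cisco documentation. The peer address 203.0.113.2, the object and policy names, and TCP ports 443/445 (standing in for the unnamed "certain ports") are assumptions.

```cisco
! Added example (not from the thread): vpn-filter on the HQ ASA.
! Assumptions: peer address 203.0.113.2 is a placeholder, and TCP
! 443/445 stand in for the "certain ports" the poster did not name.
!
! A vpn-filter ACL is always written with the REMOTE peer's hosts as the
! source and the local (HQ) networks as the destination, regardless of
! which side opens the connection; the same ACL covers both directions.
object-group network REMOTE-HOSTS
 network-object host 192.168.1.5
 network-object host 192.168.1.6
 network-object host 192.168.1.55
object-group network HQ-SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group service ALLOWED-TCP tcp
 port-object eq 443
 port-object eq 445
! Only these flows cross the tunnel. The implicit deny at the end drops
! everything else, including ICMP, so add explicit permits for anything
! else that must pass (e.g. ping while troubleshooting).
access-list L2L-FILTER extended permit tcp object-group REMOTE-HOSTS object-group HQ-SUBNETS object-group ALLOWED-TCP
!
! Attach the filter to a group policy and make it the default policy of
! the L2L tunnel-group (whose name is the remote peer's IP address).
group-policy L2L-FILTER-GP internal
group-policy L2L-FILTER-GP attributes
 vpn-filter value L2L-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-FILTER-GP
!
! Verification: the L2L session should list "Filter Name : L2L-FILTER",
! and hit counts on the ACL lines should rise as the three hosts connect.
show vpn-sessiondb l2l
show access-list L2L-FILTER
```

The filter is needed because, with the default `sysopt connection permit-vpn`, decrypted tunnel traffic bypasses the outside interface ACL entirely. In ASDM the same ACL is selected in the Filter field of the group policy under Configuration > Site-to-Site VPN > Group Policies, and the policy is then assigned to the connection profile for the peer.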


Collin Clark
VIP Alumni

Here's a config example (CLI & ASDM).

Hope it helps.

Am I blind and missing the link? I'm not seeing it. I should have stayed in bed this morning!

That's Fantastic!!!   Should have posted that earlier as I think I could have saved myself some time and grief.   Thanks a ton.  That's EXACTLY what I was looking for!!! 

Good to hear. As a side note, I usually deploy a second firewall that I use to filter instead of on the ASA w/VPN. Much easier to manage.

That does make a lot of sense.   And you primarily just use that second firewall for filtering only?

Yup. On the second firewall I use one interface for filtering VPN and others as inside, outside, and other DMZs. It's usually the "main" firewall that does the filtering. I then use another ASA for VPN only.
