11-02-2012 09:45 AM - edited 03-07-2019 09:49 AM
I have a VPN on my ASA 5510 between (A) 192.168.255.0/24 and (B) 172.20.2.0/24. The purpose of the tunnel is to send Kerberos tickets from our domain controller on the A side, across to a server at B, and receive a response. I want to lock down inbound traffic to the A network, but I'm not sure of the best method.
I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible.
Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at A side, so that it would block any flows that are not initiated by the A side.
I guess the access list would look like this:
access-list 100 extended permit ip 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0 established
Can anyone tell me if this approach will work, or indeed if this is a sound way of achieving my goal?
All help much appreciated.
Thanks.
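One way to get the "only A initiates" behaviour on the ASA, as an added example that is not part of the original post or any reply. The interface names, ACL names and the assumed destination port are placeholders. It relies on two points of ASA behaviour: ASA extended ACLs do not take the IOS-style `established` keyword, and the ASA is stateful, so replies to a connection it saw initiated from the A side are passed by the connection table and never need an ACL entry. By default decrypted VPN traffic bypasses the interface ACLs (`sysopt connection permit-vpn`); turning that off makes the outside ACL apply to traffic arriving from B over the tunnel.

```cisco
! Added example (not from the thread). Interface names, ACL names, the
! destination port and the surrounding rules are assumptions.
!
! 1. Make decrypted VPN traffic subject to the interface ACLs.
no sysopt connection permit-vpn
!
! 2. Outbound (inside -> outside): let the A side open the Kerberos exchange.
!    Port 88 is assumed here; use whatever the B-side server actually listens on.
access-list INSIDE_IN extended permit tcp 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0 eq 88
access-list INSIDE_IN extended permit udp 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0 eq 88
! ... existing outbound rules for other traffic go here ...
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! 3. Inbound (outside -> inside): drop every new connection B tries to open
!    toward A. Replies to A-initiated connections match an existing entry in
!    the connection table and never consult this ACL, so no "established"
!    line is needed and the wide range of reply ports is not a problem.
access-list OUTSIDE_IN extended deny ip 172.20.2.0 255.255.255.0 192.168.255.0 255.255.255.0 log
! ... existing inbound rules for non-VPN traffic go here ...
access-group OUTSIDE_IN in interface outside
!
! 4. Verify: the A-initiated flow appears in the connection table, and the
!    deny line's hit count rises if B attempts to connect.
show conn address 192.168.255.0 netmask 255.255.255.0
show access-list OUTSIDE_IN
```

The `log` keyword on the inbound deny gives a syslog record of every attempt from B to start a connection, which is the evidence you want if that side is ever compromised.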
11-02-2012 11:13 AM
why not "access-list 100 extended permit tcp 192.168.255.0 255.255.255.0 eq 88 172.20.2.0 255.255.255.0" or something along those lines (assuming your KDC is on 192.168.255.0/24). Then the source port from 172.20.2.0/24 would be irrelevant.
---
Posted by WebUser Jared Eller from Cisco Support Community App
11-02-2012 02:37 PM
If you want only A to be able to initiate traffic then just configure PAT... Traffic from 192.168.255.0 will get translated to a single IP when it goes to the 172.20.2.0 and will keep the ports for each connection in its table so it knows how to route the replies back! Of course Site B won't be able to initiate traffic due to how PAT works. Are you using 8.3 or later? The config will be different.
---
Posted by WebUser Tavo Medina from Cisco Support Community App
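The PAT approach in the reply above, written out for both syntax generations as an added example (not the poster's own config). The PAT address 192.168.255.254, the interface names and the object and ACL names are assumptions. The crypto map ACL has to reference the translated address, because the B side only ever sees that address; the peer at B must mirror it as the remote network.

```cisco
! Added example (not from the thread). PAT address, interface, object and
! ACL names are assumptions.
!
! ---- ASA 8.3 and later: manual (twice) NAT with network objects ----
object network A_NET
 subnet 192.168.255.0 255.255.255.0
object network B_NET
 subnet 172.20.2.0 255.255.255.0
object network A_PAT
 host 192.168.255.254
! Translate A -> B traffic to a single address. Only outbound flows create
! xlate entries, so B has no way to open a connection back toward A.
nat (inside,outside) source dynamic A_NET A_PAT destination static B_NET B_NET
! Interesting traffic for the tunnel is the translated host, not the subnet.
access-list CRYPTO_TO_B extended permit ip host 192.168.255.254 172.20.2.0 255.255.255.0
!
! ---- ASA 8.2 and earlier: policy NAT with a global pool ----
! Make sure no "nat (inside) 0 access-list ..." exemption also matches A -> B;
! NAT exemption is evaluated first and would bypass this rule.
access-list A_TO_B_PAT extended permit ip 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0
nat (inside) 2 access-list A_TO_B_PAT
global (outside) 2 192.168.255.254
access-list CRYPTO_TO_B extended permit ip host 192.168.255.254 172.20.2.0 255.255.255.0
!
! Check the translations after A initiates a connection: each A-side flow
! shows up as a port translation on 192.168.255.254.
show xlate
show nat
```

A new connection from B to 192.168.255.254 finds no matching translation and is dropped by the ASA, which is what gives the one-way behaviour; the interface ACL approach remains the more explicit control and the two can be combined.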