patrick morrill
Beginner

Securing inbound traffic on VPN using ACL. What is best approach?

I have a VPN on my ASA 5510 between (A) 192.168.255.0/24 and (B) 172.20.2.0/24. The purpose of the tunnel is to send Kerberos tickets from our domain controller on the A side across to a server at B, and receive a response. I want to lock down inbound traffic to the A network, but I'm not sure of the best method.

I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible.

Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at A side, so that it would block any flows that are not initiated by the A side.

I guess the access list would look like this:

access-list 100 extended permit ip 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0 established

Can anyone tell me if this approach will work, or indeed if this is a sound way of achieving my goal?

All help much appreciated.

Thanks.
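Added example (not part of the original post or any reply): one way to get the "only A may initiate" behaviour on an ASA without the `established` keyword. On the ASA, `established` is a standalone command rather than an access-list option, and it is not needed here anyway: the ASA is stateful, so an interface ACL is only consulted for the first packet of a connection and the replies from B, on whatever ephemeral ports they arrive, are matched against the connection table. What does matter is that by default `sysopt connection permit-vpn` lets decrypted tunnel traffic bypass the outside interface ACL entirely, so an inbound ACL on the outside interface has no effect on VPN traffic until that is turned off. The interface names, ACL names and the assumption that the outside interface has no other inbound requirements are mine; the NAT exemption for the tunnel (whose syntax differs before and after 8.3) is left out.

```cisco
! Added example, not configuration from the original thread.
! Goal: hosts on A (192.168.255.0/24) may open connections to B
! (172.20.2.0/24) through the L2L tunnel; nothing on B may open a
! connection towards A.  Interface names "inside"/"outside" and the
! ACL names are assumptions.
!
! 1. Make decrypted VPN traffic subject to the outside interface ACL.
!    Note this applies to every tunnel on the box, not just this one.
!    IKE/ESP addressed to the ASA itself is to-the-box traffic and is
!    not filtered by access-group ACLs, so the tunnel still comes up.
no sysopt connection permit-vpn

! 2. Outbound policy (inside -> outside): A may start connections to B.
!    Narrow "ip" to the port(s) the server at B actually listens on once
!    known; if that service is Kerberos it is tcp/udp 88.  Return packets
!    for these flows are allowed by the connection table, so the wide
!    range of ports seen coming back from B needs no rule of its own.
access-list INSIDE_IN extended permit ip 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! 3. Inbound policy (outside -> inside): no new connections from B to A.
!    Only connection-initiating packets are evaluated here; replies to
!    flows A started never reach this ACL.  Log the denies so any attempt
!    from the B side to reach A is visible in syslog.
access-list OUTSIDE_IN extended deny ip 172.20.2.0 255.255.255.0 192.168.255.0 255.255.255.0 log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Verification: every connection through the tunnel should show an A-side
! source, and the OUTSIDE_IN hit counters should stay at zero in normal use.
! show conn address 172.20.2.0 netmask 255.255.255.0
! show access-list OUTSIDE_IN
```

A deny hit on OUTSIDE_IN from 172.20.2.0/24 is exactly the signal to watch for: it means something on the B side tried to open a connection into A rather than answer one.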

3 REPLIES
fb_webuser
Frequent Contributor

Why not "access-list 100 extended permit tcp 192.168.255.0 255.255.255.0 eq 88 172.20.2.0 255.255.255.0"? Or something along those lines (assuming your KDC is on 192.168.255.0/24). Then the source port from 172.20.2.0/24 would be irrelevant.

---

Posted by WebUser Jared Eller from Cisco Support Community App

fb_webuser
Frequent Contributor

If you want only A to be able to initiate traffic then just configure PAT... Traffic from 192.168.255.0 will get translated to a single IP when it goes to the 172.20.2.0 and will keep the ports for each connection in its table so it knows how to route the replies back! Of course Site B won't be able to initiate traffic due to how PAT works. Are you using 8.3 or later? The config will be different.

---

Posted by WebUser Tavo Medina from Cisco Support Community App