Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
603
Views
0
Helpful
3
Replies

Securing inbound traffic on VPN using ACL. What is best approach?

patrick morrill
Level 1
Level 1

‎11-02-2012 09:45 AM - edited ‎03-07-2019 09:49 AM

I have a VPN on my ASA 5510 between (A)192.168.255.0/24 and (B)172.20.2.0./24. The purpose of the tunnel is to send kerberos tickets from our domian controller on the A side, across to a server at B, and receive a respose. I want to lock down inbound traffic to the A network, but not sure of best method.

I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible.

Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at A side, so that it would block any flows that are not initiated by the A side.

I guess the access list would look like this:

access-list 100 extended permit ip 192.168.255.0 255.255.255.0 172.20.2.0 255.255.255.0 established

Can anyone tell me if this approach will work, or indeed if this is a sound way of achieveing my goal?

All help much apprecaited.

Thanks.

Labels:
0 Helpful
3 Replies 3

fb_webuser
Level 6
Level 6

‎11-02-2012 11:13 AM

why not "access-list 100 extended permit tcp 192.168.255.0 eq 88 172.20.2.0 255.255.255.0" Or something along those lines (Assuming your KDC is on 192.168.255.0/24. Then the source port from 172.20.2.0/24 would be irrelevent.

---

Posted by WebUser Jared Eller from Cisco Support Community App

0 Helpful

fb_webuser
Level 6
Level 6

‎11-02-2012 02:37 PM

If you want only A to be able to initiate traffic then just configure PAT... Traffic from 192.168.255.0 will get translated to a single IP when it goes to the 172.20.2.0 and will keep the ports for each connection in its table so it knows how to route the replies back! Of course Site B won't be able to initiate traffic due to how PAT works. Are u using 8.3 or later? The config will be different.

---

Posted by WebUser Tavo Medina from Cisco Support Community App

0 Helpful

fb_webuser
Level 6
Level 6

‎11-02-2012 02:37 PM

If you want only A to be able to initiate traffic then just configure PAT... Traffic from 192.168.255.0 will get translated to a single IP when it goes to the 172.20.2.0 and will keep the ports for each connection in its table so it knows how to route the replies back! Of course Site B won't be able to initiate traffic due to how PAT works. Are u using 8.3 or later? The config will be different.

---

Posted by WebUser Tavo Medina from Cisco Support Community App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card