Best way to filter VPN Traffic

Chris Gahlsdorf
Level 1

We are setting up a VPN tunnel with a vendor and I want to only allow Pings, and one specific port. I thought you could do that through the crypto map on the ASA 5510 but it looks like it has to allow all IP traffic and then you filter out using a VPN Filter? Which requires changing the default sysopt setting. Do I have that right? Am I overthinking this? Normally my VPN tunnels are to other company places which I want all IP traffic.

Thanks!                  


4 Replies

Jouni Forss
VIP Alumni

Hi,

There are 2 usual options

  • Configuring VPN Filter ACL for this specific L2L VPN
  • Changing the global "sysopt connection permit-vpn" setting to the "no" form

I personally prefer the "no sysopt connection permit-vpn" setting. It essentially tells the ASA to treat inbound traffic from a VPN connection like any other traffic and not allow it automatically.

You say that you have existing VPN connections that serve your own company only. While it can cause problems, there should be a rather easy way to prevent it before changing the setting.

You could for example do the following

  • Determine all the networks located behind VPN connections (VPN Pools and L2L VPN remote networks)
  • Determine all the local networks to which those VPN networks need access
  • Allow all traffic from remote networks to local network on the "outside" interface ACL first
  • You can use "any" instead of specifying the local IP addresses in the ACL rules if you prefer
  • Change the global sysopt setting to "no sysopt connection permit-vpn"

The above should enable you to first allow the traffic from your own VPN networks before changing the global setting mentioned earlier. Now when you change the global setting and a new connection arrives from your own VPN network, it will be matched against the "outside" interface ACL and will be allowed.

But naturally, if you prefer a VPN Filter ACL yourself then that's an option also. The L2L VPN filter ACL just uses a slightly different ordering of source/destination parameters and that's why I prefer to use the global setting mentioned above, as it permits me to use the "outside" interface to control the VPN traffic also and keep the same logic with all my other ACLs.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Thanks Jouni this is really helpful! But I thought to use the vpn-filter you had to change the global sys setting? Is that incorrect?

Hi,

No, they are not directly related to each other.

You can use VPN Filter without touching the "sysopt" configuration.

Rather than configuring separate ACLs (which use different logic in the format) for each VPN, I prefer to just set "no sysopt connection permit-vpn" and filter inbound connections coming through the VPN connections on the "outside" interface ACL just like any traffic coming from behind the "outside" interface.

Here is a link to information about the "sysopt" command

http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1567918

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
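The two approaches Jouni describes, side by side, as an added ASA configuration example that is not part of the original thread. The vendor network 192.0.2.0/24, the vendor peer 203.0.113.10, the local networks 10.10.10.0/24 and 172.16.0.0/16, the server 10.10.10.25, the TCP port 1433 and the ACL/group-policy names are all assumed placeholders.

```cisco
! ---- Option A: per-tunnel VPN Filter (sysopt left at its default) ----
! The vpn-filter ACL is written remote-network -> local-network, so a
! port on the destination side means a port on the LOCAL side of the
! tunnel. Only ping and TCP/1433 to one local host are permitted;
! everything else arriving through this tunnel is dropped.
access-list VPN_FILTER_VENDOR extended permit icmp 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN_FILTER_VENDOR extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.25 eq 1433
!
group-policy GP_VENDOR internal
group-policy GP_VENDOR attributes
 vpn-filter value VPN_FILTER_VENDOR
!
! Attach the group policy to the vendor's L2L tunnel-group (peer IP assumed)
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_VENDOR

! ---- Option B: global setting; VPN traffic hits the "outside" ACL ----
! Order matters: permit the existing company tunnels and VPN pools
! BEFORE disabling the sysopt, otherwise they break at the moment
! the setting changes. Source/destination follow normal ACL logic.
access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended permit icmp 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.25 eq 1433
access-group OUTSIDE_IN in interface outside
!
! Now decrypted VPN traffic is no longer bypassed past the interface ACL
no sysopt connection permit-vpn
```

After either change, "show access-list VPN_FILTER_VENDOR" or "show access-list OUTSIDE_IN" lets you confirm hit counts on the vendor rules while the tunnel is tested.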

Chris Gahlsdorf
Level 1

Thanks Jouni. That was very helpful and I accomplished what I wanted to!