Limiting Remote Traffic in a Site-to-Site VPN

tsabsuavyaj
Level 1

I have a Site-to-Site VPN setup in a lab environment using two ASA5505s.  Site-to-Site VPN is functional however, what I wanted to do is deny all traffic from the Remote LAN and permit only one host to access the local LAN. Is this practical or can it be done? If so, what am I missing that the following ACLs do not seem to have any effect?

Remote LAN: 172.16.1.0/24
Local LAN: 192.168.1.0/24

access-list outside_access_in extended permit tcp host 172.16.1.100 host 192.168.1.100 range 5000 10000
access-list outside_access_in extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_access_in in interface outside


Appreciate any help anyone can give.

1 Accepted Solution

Kevin P Sheahan
Level 5

Hi tsabsuavyaj,

By default, the command sysopt connection permit-vpn is enabled which will bypass your referenced interface access-list for all VPN traffic.

To resolve this, you can either:

  • Execute the command no sysopt connection permit-vpn. Exercise caution with this, as it has global effect meaning that it will interrogate interface ACLs for all incoming VPN traffic.
  • Change your proxy-ACL (aka Interesting traffic ACL) so that your remote-network is simply the host address that you'd like to have access to your network. By doing this, nothing else will be routed via your L2L tunnel from the remote-end. This ACL must be mirrored on the other side (remote side), so that proxy-ACL will need to change so that its "Local LAN" portion is only the appropriate host and nothing else.

Please let me know if you have additional questions/clarifications.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

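The third option the thread mentions (npokhriy's vpn-filter suggestion) avoids both problems in Kevin's list: it does not touch the global sysopt behaviour and it leaves the proxy ACL alone, so nothing has to be mirrored on the peer. The following is an added example written for this page, not configuration from the original posts; the peer address 203.0.113.2, the group-policy name and the assumption that the tunnel-group for that peer already exists are all mine.

```cisco
! Added example (not from the original thread): restrict an L2L tunnel with a vpn-filter
! instead of "no sysopt connection permit-vpn" or a narrowed crypto (proxy) ACL.
! Assumptions not stated in the thread: peer public IP 203.0.113.2, group-policy
! name L2L-172-16-1-0, tunnel-group 203.0.113.2 already configured and working.
!
! vpn-filter ACLs are written from the REMOTE side's point of view:
!   source      = host/network at the far end of the tunnel
!   destination = host/network behind this ASA
access-list L2L-VPN-FILTER extended permit tcp host 172.16.1.100 host 192.168.1.100 range 5000 10000
! Everything else that arrives through the tunnel falls to the ACL's implicit deny.
! Do not bind this same ACL to an interface with access-group.

group-policy L2L-172-16-1-0 internal
group-policy L2L-172-16-1-0 attributes
 vpn-filter value L2L-VPN-FILTER

tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-172-16-1-0

! The crypto ACL can stay at the full 172.16.1.0/24 <-> 192.168.1.0/24 on both peers,
! so the Phase 2 selectors still match at rekey. Verify with:
! show vpn-sessiondb detail l2l      (Filter Name should show L2L-VPN-FILTER)
! show access-list L2L-VPN-FILTER    (hit counts climb as tunnel traffic is checked)
```

Two caveats a practitioner should keep in mind. The filter is applied to decrypted traffic leaving the tunnel and, with source and destination swapped, to cleartext traffic about to enter it, so a line like the one above also lets a locally originated session from 192.168.1.100 with a source port in 5000-10000 reach 172.16.1.100; write the entry as tightly as the application allows. And the filter is evaluated per group-policy, so a peer that lands in the default group-policy (no default-group-policy under its tunnel-group) is not restricted by it.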

6 Replies

npokhriy
Level 1

I would suggest you to configure vpn-filters to restrict the hosts across lan to lan tunnel.

For more information, you can go through the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Please let me know if it helps.

Regards,

Naresh

tsabsuavyaj
Level 1

Thanks for referencing the document. It looks close to what I am after, but I am not sure, as Cisco's documentation is difficult to follow through.



Kevin,

I appreciate your explanation, this makes perfect sense. However, this task appears to be more trouble than what it is worth. I will give it a shot and call it the day.

Many thanks,

Tsabsuavyaj

Kevin,

Executing the command no sysopt connection permit-vpn disables all VPN traffic completely. However, just changing the proxy-ACL as you stated in the second bullet above works perfectly.

Example:

object network obj-local
 subnet 192.168.1.100 255.255.255.255
object network obj-remote
 subnet 172.16.1.100 255.255.255.255
access-list VPN-INTERESTING-TRAFFIC extended permit ip object obj-local object obj-remote
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network obj-local

Many thanks,

Tsabsuavyaj

Yes that first option can have significant impact because all VPN communications must then be explicitly allowed in the outside interface's ACL in order to traverse the ASA.

I'm glad that the second option worked well for you. Please note that if you haven't changed the distant-end of your L2L vpn to reflect your proxy-ACL change on your side then you may experience reliability issues with your VPN. Specifically, when the VPN goes to rekey the ACLs won't match and the VPN could go down as a result.

We're here if you need additional help.

Kind Regards,

Kevin

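Kevin's last point, that the narrowed proxy ACL has to be mirrored on the far end or the tunnel may fail at rekey, is easiest to see with both sides written out. This is an added example for this page, not configuration from either poster; the crypto map name outside_map and sequence number 10 are assumed, and the object names reuse the ones the original poster chose.

```cisco
! Added example (not from the original posts): the narrowed proxy (crypto) ACL as it
! has to look on BOTH peers. Assumed names not in the thread: crypto map "outside_map",
! sequence 10. Object names follow the original poster's local-side config.
!
! --- Local ASA (LAN 192.168.1.0/24): local host 192.168.1.100, remote host 172.16.1.100
object network obj-local
 host 192.168.1.100
object network obj-remote
 host 172.16.1.100
access-list VPN-INTERESTING-TRAFFIC extended permit ip object obj-local object obj-remote
! NAT exemption for the tunnel traffic (identity twice-NAT, ASA 8.3+ syntax)
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto map outside_map 10 match address VPN-INTERESTING-TRAFFIC

! --- Remote ASA (LAN 172.16.1.0/24): same two hosts with the roles swapped
object network obj-local
 host 172.16.1.100
object network obj-remote
 host 192.168.1.100
access-list VPN-INTERESTING-TRAFFIC extended permit ip object obj-local object obj-remote
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto map outside_map 10 match address VPN-INTERESTING-TRAFFIC

! Check on each side that the negotiated selectors are exact mirror images:
!   show crypto ipsec sa
!   local ident  (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)   <- local ASA
!   remote ident (addr/mask/prot/port): (172.16.1.100/255.255.255.255/0/0)
! The remote ASA must show the same two values with local and remote exchanged.
```

If one side still carries the old /24 entry, the initial SA may come up when the host-only side initiates, but a rekey or a re-initiation from the /24 side proposes selectors the other peer has no matching ACL line for, and that SA is rejected. Changing both ends in the same maintenance window, then clearing the SA with clear crypto ipsec sa peer <peer-ip> to force a clean renegotiation, avoids the intermittent failures Kevin describes.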