Site 2 Site VPN access-list

tom_griep
Level 1

When setting up a site-to-site VPN, do I need to set up an access list to allow the traffic from the remote network to the local network, or does the remote network automatically have access to the local network?

7 Replies

Eugene Khabarov
Level 7

During site-to-site VPN setup you have two completely different sets of ACL. The first one is the so-called crypto ACL that is referenced in the 'crypto map' as the 'match' statement. It is used to define the interesting traffic that should be encrypted. The other one is

set ip access-group under the crypto map. It is optional, and if this statement (not the ACL) is not specified, then all traffic is allowed.

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

How would I set up an access-list to block everything from the remote site except port 21 TCP and port 7700 UDP?

What do you need to block from the remote site? Ingress to the remote site, or egress from the remote site traffic? Suppose you want to allow only ingress tcp port 21 and udp 7700 as destination ports:

ip access-list extended 100
 permit tcp any any eq 21
 permit udp any any eq 7700
crypto map <your map> <number>
 set ip access-group 100 in


I should have specified that I am setting this up on an ASA5510 running IOS 8.4.2.

The commands that you posted don't work. Do you have any examples for an ASA5510 running IOS 8.4.2?

ASA is running ASA OS, not IOS. It is a whole different story. Please post your configuration here.

Sorry for the confusion.

Here is the full config:

ASA Version 8.4(2)
!
hostname asa5510-3
domain-name tag.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.5.2.7 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 10
 ip address 192.168.125.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.23.8.36
 domain-name checkpt.com
object network obj-192.168.125.0
 subnet 192.168.125.0 255.255.255.0
object network obj-192.168.125.10
 host 192.168.125.10
object network obj-7.5.2.7
 host 7.5.2.7
object network obj-192.168.125.50
 host 192.168.125.50
 description TAG Receiver
object network DMS1
 host 192.168.125.10
object service ftp
 service tcp source eq ftp
object service obj-7700
 service udp source eq 7700
object-group service DMPPorts tcp-udp
 description DMP Ports
 port-object range 2001 2001
object-group service DMS-Inbound tcp
 description Inbound ports for the DMS server
 port-object eq ftp
 port-object range 5001 5100
object-group service DMS-Outbound tcp
 description DMS outbount ports for remote service upgrades port 2101
 port-object eq 2101
object-group service Clickit tcp
 description Ports needed to access the Clickit server
 port-object eq www
 port-object eq https
object-group network og-net-Rem
 network-object 10.40.0.0 255.252.0.0
 network-object 10.44.0.0 255.254.0.0
 network-object 10.2.255.160 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark RDP access to the DMS server for TAG
access-list outside_access_in extended permit tcp any host 192.168.125.10 eq 3389
access-list vpntoTAG extended permit ip host 7.5.2.7 object-group og-net-Rem
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-192.168.125.10 interface service ftp ftp
nat (inside,outside) source static obj-192.168.125.50 interface service obj-7700 obj-7700
!
object network obj-192.168.125.0
 nat (inside,outside) dynamic interface
object network DMS1
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 7.5.2.1 1
route inside 172.23.8.0 255.255.252.0 192.168.125.1 1
route inside 192.168.125.0 255.255.255.0 192.168.125.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.8.201 255.255.255.255 inside
http 172.23.8.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set vpntoTAG esp-aes esp-sha-hmac
crypto map abcmap 1 match address vpntoTAG
crypto map abcmap 1 set peer 6.2.5.1
crypto map abcmap 1 set ikev1 transform-set vpntoTAG
crypto map abcmap 1 set security-association lifetime seconds 3600
crypto map abcmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 172.23.8.201 255.255.255.255 inside
ssh 172.23.8.200 255.255.255.255 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 6.2.5.1 type ipsec-l2l
tunnel-group 6.2.5.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

What I would like to do is allow access from object-group og-net-Rem to this host obj-192.168.125.10 using these ports DMS-Inbound "FTP", and

allow access from object-group og-net-Rem to this host obj-192.168.125.50 using these ports obj-7700.

The og-net-Rem is the remote site.

Look at this:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s8_711.html#wp1091195

You need to enter into the configuration:

no sysopt connection permit-vpn

Then you can apply restrictions as always.

Add these rules to the outside access-list:

access-list outside_access_in remark FTP from the remote site to the DMS server
access-list outside_access_in extended permit tcp object-group og-net-Rem object obj-192.168.125.10 eq ftp
access-list outside_access_in remark UDP 7700 from the remote site to the TAG receiver
access-list outside_access_in extended permit udp object-group og-net-Rem object obj-192.168.125.50 eq 7700

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
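To make the effect of sysopt connection permit-vpn concrete, here is an added Python model (not part of the thread and not Cisco code) of the decision the ASA makes for a packet arriving decrypted from og-net-Rem: whether the outside interface ACL is consulted at all, and if so whether it permits the flow. The networks and the existing outside_access_in entries are taken from the posted config, the two new entries follow the asker's requirement (ftp to .10, udp 7700 to .50), and the first-match ACL walk is a simplifying assumption rather than the ASA's real implementation.

```python
import ipaddress

# Constructed model (not Cisco's implementation) of how an ASA treats a
# packet that arrives decrypted from the L2L peer. Networks are those of
# object-group og-net-Rem in the posted config.
OG_NET_REM = [ipaddress.ip_network(n) for n in
              ("10.40.0.0/14", "10.44.0.0/15", "10.2.255.160/28")]

# outside_access_in as posted, plus the two entries for the asker's goal
# (ftp to 192.168.125.10, udp 7700 to 192.168.125.50).
# Entry: (action, protocol, source nets or "any", dest host or "any", port or None)
OUTSIDE_ACCESS_IN = [
    ("permit", "icmp", "any", "any", None),
    ("permit", "tcp", "any", "192.168.125.10", 3389),
    ("permit", "tcp", OG_NET_REM, "192.168.125.10", 21),
    ("permit", "udp", OG_NET_REM, "192.168.125.50", 7700),
]

def in_nets(addr, nets):
    return nets == "any" or any(ipaddress.ip_address(addr) in n for n in nets)

def acl_permits(acl, proto, src, dst, dport):
    """First-match ACL walk; an ASA ACL ends with an implicit deny."""
    for action, p, src_nets, dst_host, port in acl:
        if p != proto or not in_nets(src, src_nets):
            continue
        if dst_host != "any" and dst_host != dst:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def vpn_flow_allowed(proto, src, dst, dport, sysopt_permit_vpn=True):
    """sysopt_permit_vpn=True is the ASA default: decrypted tunnel traffic
    skips the interface ACL entirely. After 'no sysopt connection permit-vpn'
    the packet is checked against outside_access_in like any other ingress."""
    if not in_nets(src, OG_NET_REM):
        return False  # not covered by crypto ACL vpntoTAG, so never tunnel traffic here
    if sysopt_permit_vpn:
        return True
    return acl_permits(OUTSIDE_ACCESS_IN, proto, src, dst, dport)
```

With the default left in place, the two new ACL entries change nothing for tunnel traffic, which is why the answer starts with no sysopt connection permit-vpn.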
