10-24-2011 06:41 AM
When setting up a site-to-site VPN, do I need to set up an access list to allow the traffic from the remote network to the local network, or does the remote network automatically have access to the local network?
10-24-2011 06:48 AM
During site-to-site VPN setup you have two completely different sets of ACLs. The first one is the so-called crypto ACL that is referred to in the 'crypto map' as the 'match' statement. It is used to define the interesting traffic that should be encrypted. The other one is
set ip access-group
---
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
10-24-2011 08:52 AM
How would I set up an access list to block everything from the remote site except port 21 TCP and port 7700 UDP?
10-24-2011 11:17 AM
What do you need to block from the remote site: ingress to the remote site, or egress from the remote site? Suppose you want to allow only ingress TCP port 21 and UDP port 7700 as destination ports:
ip access-list extended 100
 permit tcp any any eq 21
 permit udp any any eq 7700
crypto map <your map name> <your map number>
 set ip access-group 100 in
Sent from Cisco Technical Support iPhone App
10-24-2011 11:53 AM
I should have specified that I am setting this up on an ASA5510 running IOS 8.4.2.
The commands that you posted don't work. Do you have any examples for an ASA5510 running IOS 8.4.2?
10-24-2011 12:13 PM
ASA is running ASAOS, not IOS. It is whole different story. Please post your configuration here.
10-24-2011 12:47 PM
Sorry for the confusion.
Here is the full config:
ASA Version 8.4(2)
!
hostname asa5510-3
domain-name tag.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 7.5.2.7 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 10
ip address 192.168.125.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.23.8.36
domain-name checkpt.com
object network obj-192.168.125.0
subnet 192.168.125.0 255.255.255.0
object network obj-192.168.125.10
host 192.168.125.10
object network obj-7.5.2.7
host 7.5.2.7
object network obj-192.168.125.50
host 192.168.125.50
description TAG Receiver
object network DMS1
host 192.168.125.10
object service ftp
service tcp source eq ftp
object service obj-7700
service udp source eq 7700
object-group service DMPPorts tcp-udp
description DMP Ports
port-object range 2001 2001
object-group service DMS-Inbound tcp
description Inbound ports for the DMS server
port-object eq ftp
port-object range 5001 5100
object-group service DMS-Outbound tcp
description DMS outbount ports for remote service upgrades port 2101
port-object eq 2101
object-group service Clickit tcp
description Ports needed to access the Clickit server
port-object eq www
port-object eq https
object-group network og-net-Rem
network-object 10.40.0.0 255.252.0.0
network-object 10.44.0.0 255.254.0.0
network-object 10.2.255.160 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark RDP access to the DMS server for TAG
access-list outside_access_in extended permit tcp any host 192.168.125.10 eq 3389
access-list vpntoTAG extended permit ip host 7.5.2.7 object-group og-net-Rem
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-192.168.125.10 interface service ftp ftp
nat (inside,outside) source static obj-192.168.125.50 interface service obj-7700 obj-7700
!
object network obj-192.168.125.0
nat (inside,outside) dynamic interface
object network DMS1
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 7.5.2.1 1
route inside 172.23.8.0 255.255.252.0 192.168.125.1 1
route inside 192.168.125.0 255.255.255.0 192.168.125.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.8.201 255.255.255.255 inside
http 172.23.8.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set vpntoTAG esp-aes esp-sha-hmac
crypto map abcmap 1 match address vpntoTAG
crypto map abcmap 1 set peer 6.2.5.1
crypto map abcmap 1 set ikev1 transform-set vpntoTAG
crypto map abcmap 1 set security-association lifetime seconds 3600
crypto map abcmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 172.23.8.201 255.255.255.255 inside
ssh 172.23.8.200 255.255.255.255 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 6.2.5.1 type ipsec-l2l
tunnel-group 6.2.5.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
What I would like to do is allow object-group og-net-Rem to access host obj-192.168.125.10 using the ports in DMS-Inbound ("FTP"), and
allow object-group og-net-Rem to access host obj-192.168.125.50 using the port in obj-7700.
The og-net-Rem is the remote site.
10-25-2011 08:11 AM
Look at this:
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s8_711.html#wp1091195
You need to enter this in the configuration:
no sysopt connection permit-vpn
Then you can apply restrictions as usual.
Add these rules to the outside access list:
access-list outside_access_in extended permit tcp object-group og-net-Rem object obj-192.168.125.10 eq ftp
access-list outside_access_in extended permit udp object-group og-net-Rem object obj-192.168.125.10 eq 7700
---
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
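A worked audit of the point this answer makes, added here as an example (it is not code from the thread or from Cisco): on the ASA, sysopt connection permit-vpn is on by default, so decrypted site-to-site traffic bypasses the outside interface ACL, and only after it is disabled do the ACEs on that ACL decide what the remote site can reach. The script parses constructed ASA 8.4 config fragments (the object names og-net-Rem, obj-192.168.125.10 and obj-192.168.125.50 follow the thread; the fragments are not the full posted config) and reports whether the sysopt line is present and which outside-ACL permits would let the remote site reach more than the intended FTP and UDP 7700 targets.

```python
# Constructed ASA 8.4 config fragments (not the thread's full posted config).
# Object names og-net-Rem, obj-192.168.125.10, obj-192.168.125.50 follow the thread.
CONFIG_BEFORE = """\
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.125.10 eq 3389
access-group outside_access_in in interface outside
"""
CONFIG_AFTER = """\
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp object-group og-net-Rem object obj-192.168.125.10 eq ftp
access-list outside_access_in extended permit udp object-group og-net-Rem object obj-192.168.125.50 eq 7700
access-group outside_access_in in interface outside
"""
# What the remote site is meant to reach: (protocol, destination token, port).
INTENDED = {("tcp", "object obj-192.168.125.10", "ftp"),
            ("udp", "object obj-192.168.125.50", "7700")}

def _endpoint(toks):
    """Consume one ACE address: 'any', or a two-token form (host X, object X, object-group X, ip mask)."""
    return ("any", toks[1:]) if toks[:1] == ["any"] else (" ".join(toks[:2]), toks[2:])

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'; None for anything else."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, rest = _endpoint(t[5:])
    dst, rest = _endpoint(rest)
    if not dst:
        return None
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"acl": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}

def audit_vpn_exposure(config, remote_group, intended):
    """Findings: sysopt still bypassing the ACL, and outside-ACL permits broader than `intended`."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "no sysopt connection permit-vpn" not in lines:
        findings.append("sysopt connection permit-vpn is enabled: decrypted VPN traffic skips the outside ACL")
    outside_acls = {l.split()[1] for l in lines
                    if l.startswith("access-group ") and l.endswith(" in interface outside")}
    for l in lines:
        ace = parse_ace(l)
        if not ace or ace["acl"] not in outside_acls or ace["action"] != "permit":
            continue
        if ace["src"] not in ("any", "object-group " + remote_group):
            continue  # source can never match the remote networks
        if (ace["proto"], ace["dst"], ace["port"]) not in intended:
            findings.append("remote site permitted beyond intent: " + l)
    return findings
```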