Beginner

VPN Filter for Hairpin VPNs

We have a corporate site with a Cisco ASA 5580 (8.1) and a remote office with a Cisco ASA 5510 (8.2) with an L2L VPN to corporate.

A vendor has an L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning).

The corporate office accesses an application at the vendor on port 23. Everything is working with regard to the vendor accessing resources at the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I set up a VPN filter and applied it to the vendor's L2L VPN, but when I apply the filter (see below) all traffic to the vendor, such as telnet, stops. I would appreciate any assistance.

Corporate office: 10.0.0.0 255.0.0.0

Remote office: 172.20.1.0 255.255.255.0

Vendor network: 192.168.0.0 255.255.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

group-policy Vendor-filter-policy internal

group-policy Vendor-filter-policy attributes

vpn-filter value Vendor-filter

tunnel-group xxx.xxx.xxx.xxx general-attributes

default-group-policy Vendor-filter-policy

ACCEPTED SOLUTION

Cisco Employee

VPN Filter for Hairpin VPNs

The VPN Filter ACL should be as follows:

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100


6 REPLIES

Beginner

VPN Filter for Hairpin VPNs

Jennifer, thanks for the reply. This scenario is the same as in the following discussion; I thought it was a good idea to post a separate discussion since it's a different issue:

https://supportforums.cisco.com/message/3666021#3666021

Thanks for the reply.

Jeff

Cisco Employee

VPN Filter for Hairpin VPNs

Hey Jeff,

Yes, I remember that.

Does the VPN Filter work now?

Beginner

VPN Filter for Hairpin VPNs

Jennifer, I haven't had the opportunity to apply and test it, but I will soon and let you know. Thank you.

Jeff

VIP Mentor

VPN Filter for Hairpin VPNs

To understand this vpn-filter ACL, it's important to know that it does not use source and destination, but remote and local. Because port 23 for the connection to the vendor is used on the remote network, it has to be specified where the source would normally be placed in an ACL.

This way of configuring is really a PITA, as the ASDM also doesn't display them correctly. I really hope Cisco will implement inbound and outbound vpn-filters, as is possible on IOS routers.
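The remote/local semantics described in the accepted answer and in the reply above, modelled as an added example (this is not code from the thread or from Cisco). It assumes that the ASA compares every new tunneled connection against the vpn-filter with the peer side mapped onto the ACL's first (remote) address and port and the local side onto the second, swapping a packet's addresses and ports when it is heading toward the peer, that only the first packet of a connection is checked (replies ride on the connection table), and that the list ends in an implicit deny. The two ACLs are the ones posted in the thread; the host addresses and ephemeral ports in the test flows are constructed for the example.

```python
# Added illustration of how an ASA evaluates a vpn-filter ACL; not code from the
# thread or from Cisco. Assumptions: the ACL is written REMOTE (peer) network
# first and LOCAL network second; a packet heading toward the peer is compared
# with its addresses and ports swapped; only the first packet of a connection
# is checked (replies ride on the conn table); an implicit deny ends the list.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    remote_net: ipaddress.IPv4Network
    remote_port: Optional[int]
    local_net: ipaddress.IPv4Network
    local_port: Optional[int]

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A MASK' (dotted mask, as the ASA writes it), then an optional 'eq PORT'."""
    if tok[0] == "any":
        net, tok = ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    else:
        net, tok = ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    port = None
    if tok[:1] == ["eq"]:
        port, tok = int(tok[1]), tok[2:]
    return net, port, tok

def parse_acl(lines):
    """Parse 'access-list NAME extended permit|deny PROTO REMOTE [eq P] LOCAL [eq P]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
            raise ValueError(f"unsupported ACL syntax: {line}")
        action, proto, rest = tok[3], tok[4], tok[5:]
        rnet, rport, rest = _endpoint(rest)
        lnet, lport, rest = _endpoint(rest)
        entries.append(AclEntry(action, proto, rnet, rport, lnet, lport))
    return entries

@dataclass(frozen=True)
class Flow:  # first packet of a connection; direction is 'from_peer' or 'to_peer'
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str

def vpn_filter_permits(acl, flow):
    # Orient the packet so that the peer end lines up with the ACL's remote fields.
    if flow.direction == "from_peer":
        remote, rport, local, lport = flow.src, flow.sport, flow.dst, flow.dport
    else:
        remote, rport, local, lport = flow.dst, flow.dport, flow.src, flow.sport
    raddr, laddr = ipaddress.IPv4Address(remote), ipaddress.IPv4Address(local)
    for e in acl:
        if e.proto not in ("ip", flow.proto):
            continue
        if raddr not in e.remote_net or laddr not in e.local_net:
            continue
        if e.remote_port is not None and e.remote_port != rport:
            continue
        if e.local_port is not None and e.local_port != lport:
            continue
        return e.action == "permit"
    return False  # implicit deny at the end of every vpn-filter ACL

ORIGINAL_ACL = [  # as first posted: port 23 on the corporate/local side
    "access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23",
    "access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100",
]
CORRECTED_ACL = [  # accepted answer: port 23 on the vendor/remote side
    "access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0",
    "access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100",
]

# Constructed test flows; the host addresses and ephemeral ports are made up.
FLOWS = {
    "corp->vendor:23": Flow("tcp", "10.1.2.3", 51000, "192.168.1.10", 23, "to_peer"),
    "vendor->remote:9100": Flow("tcp", "192.168.1.10", 40000, "172.20.1.50", 9100, "from_peer"),
    "vendor->corp:23": Flow("tcp", "192.168.1.10", 40001, "10.1.2.3", 23, "from_peer"),
    "vendor->corp:22": Flow("tcp", "192.168.1.10", 40002, "10.1.2.3", 22, "from_peer"),
}

def check_flows(acl_lines):
    """Map each named flow to True (permitted) or False (dropped) under the given ACL lines."""
    acl = parse_acl(acl_lines)
    return {name: vpn_filter_permits(acl, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, check_flows(lines))
```

Run as a script, the model reproduces the symptom from the first post: under the original ACL, a corporate host connecting to the vendor on port 23 is swapped to remote:23 / local:ephemeral, the entry's port 23 is compared against the ephemeral port, and the connection falls through to the implicit deny, while a vendor-initiated telnet into the corporate network (the opposite of what was wanted) is permitted. Under the corrected ACL the outbound telnet is permitted, the vendor's printing to the remote office on 9100 still works, and the vendor can no longer open connections to port 23 on the corporate side.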

Beginner

Re: VPN Filter for Hairpin VPNs

Karsten, thanks for the post.

Jeff
