07-28-2015 10:29 AM
We have a pair of ASA 5545-X firewalls as our Prod ASA. The prod ASA has a global ACL and an ACL for EIGRP advertisements. In addition to that we have a VPN Filter ACL and an interesting traffic matching ACL. It seems the ASA matches the global ACL first and then gets to the interesting traffic ACL.
We built an IPSec tunnel from our prod ASA to a company that does Internet proxy. The interesting traffic for this was 10.10.10.0/24 source to any destination on ports 80,443.
We found out this does not work without a global ACL entry that permits 10.10.10.0/24 to any.
Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?
07-28-2015 11:07 AM
Hi Devavrat,
You can use an IP-based access-list to allow the traffic through the tunnel and restrict further communication via VPN filters. These filters assist with port-based restriction of through-the-tunnel traffic.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-29-2015 08:16 AM
Thank you Karsten and Dinesh. I am using a VPN filter and have that applied to my group-policy too. I am not sure how to work around the global ACL. I also noticed I need to move my NAT statements below the object NATs.
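The arrangement described in the question and in Dinesh's reply (a broad IP-based crypto ACL, a port-restricting VPN filter on the group-policy, and the global ACL entry the thread found necessary) as an added configuration example; it is not from the thread or from Cisco, and assumes ASA 9.x syntax, IKEv1, a placeholder peer 203.0.113.10 and placeholder object/ACL names.

```cisco
! Added example, not from the thread. Names, peer address and key are placeholders.

! 1. Crypto ACL ("interesting traffic"): IP-based, no ports. It only selects what is
!    encrypted toward the proxy peer; port restriction is done by the VPN filter.
access-list VPN-PROXY-CRYPTO extended permit ip 10.10.10.0 255.255.255.0 any

! 2. VPN filter: written with the REMOTE side as source and the LOCAL side as
!    destination (ASA vpn-filter semantics), so local 10.10.10.0/24 clients may
!    open TCP 80/443 toward the remote proxy and nothing else crosses the tunnel.
access-list VPN-PROXY-FILTER extended permit tcp any eq 80 10.10.10.0 255.255.255.0
access-list VPN-PROXY-FILTER extended permit tcp any eq 443 10.10.10.0 255.255.255.0

group-policy GP-VPN-PROXY internal
group-policy GP-VPN-PROXY attributes
 vpn-filter value VPN-PROXY-FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-VPN-PROXY
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-PROXY-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! 3. Global ACL: as observed in the thread it is evaluated before the crypto ACL,
!    so the source subnet must be permitted here or the traffic never reaches the
!    tunnel. Keep this entry no wider than the crypto ACL needs.
access-list GLOBAL-ACL extended permit ip 10.10.10.0 255.255.255.0 any
access-group GLOBAL-ACL global

! Verification: hit counts on the filter show whether the port restriction is
! actually enforced; the session table confirms the tunnel is up with this policy.
! show access-list VPN-PROXY-FILTER
! show vpn-sessiondb l2l
```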
07-28-2015 11:41 PM
>Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?