11-28-2011 12:15 AM
Hi all,
I am a network admin at an organisation in Pune. We have a site-to-site VPN with another organisation in Amsterdam.
Pune: ASA 5510 (ASDM 6.3, ASA 8.3) <------------> Amsterdam: ASA 5510 (ASDM 6.2, ASA 8.2)
There is full (ip to ip) connectivity between two sites.
There have been numerous security attacks on the servers in Amsterdam. If the AMS network is compromised it could harm my local network.
So I want to apply access rules to the VPN such that only the Pune site will have full access to AMS, but AMS will not be able to access resources at the Pune location.
I do not want to change the 'Bidirectional' connection type of the VPN. Also I do not want any config on the AMS side.
I will appreciate all the help I get.
Thank you.
11-28-2011 03:03 AM
Hi,
You can do it two ways:
1) Stop traffic at the inside interface for Pune; permit only whatever is required.
2) Put a VPN filter ACL at AMS to stop unwanted traffic.
Thanks
Ajay
11-28-2011 06:02 PM
VPN filters won't really work as expected because you can't define a direction when source and destination ports aren't defined. For example:
access-list vpn-filter permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
or
access-list vpn-filter permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
These filter rules, when applied to a group policy for your tunnel, will become bidirectional. You can't specify which side is allowed to initiate a connection.
I would suggest (if you don't have a lot of other tunnels that will be affected) that you remove 'sysopt connection permit-vpn' and begin filtering on your outside interface to prevent inbound connections from the destination while allowing outbound connectivity from your internal interface. Given that your outbound connections are TCP, the return traffic will be allowed since it's already in the fast path.
11-28-2011 07:07 PM
Thanks guys.
1. There are other VPNs on the device so cannot remove 'sysopt connection permit-vpn'.
2. Also, I cannot filter on the inside interface as I have around 20 subinterfaces inside.
3. Let's say AMS = 192.168.1.0/24 and PUNE = 172.16.1.0/24.
If I configure the access-list
access-list vpn-filter deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
it will block traffic from 172.16.1.0 -> 192.168.1.0, which is not desirable.
4. It is also not feasible to filter at the port level.
I am really thankful for all the replies.
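The behaviour described in the thread (a vpn-filter ACE written remote -> local governs both directions of the tunnel, so a single `deny ip` entry also stops Pune-initiated traffic) can be checked against a small model. The code below is an added example and is not from the thread or from Cisco; it assumes the documented vpn-filter evaluation order (entries are written with the remote network as source and the local network as destination, a flow initiated from the local side is compared with source and destination swapped, and there is an implicit deny at the end) and uses the AMS and PUNE subnets given in the post. Only `ip`, `tcp` and `udp` entries without ports are modelled, matching the ACLs quoted above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One vpn-filter entry; src is the remote (peer) side, dst the local side."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp" (ports not modelled)
    src: ipaddress.IPv4Network        # remote network
    dst: ipaddress.IPv4Network        # local network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC MASK DST MASK' (ASA syntax)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a vpn-filter ACE: {line!r}")
    return Ace(
        action=t[2],
        proto=t[3],
        src=ipaddress.IPv4Network(f"{t[4]}/{t[5]}"),
        dst=ipaddress.IPv4Network(f"{t[6]}/{t[7]}"),
    )


def vpn_filter_allows(acl, local_net: ipaddress.IPv4Network,
                      pkt_src: str, pkt_dst: str, proto: str = "tcp") -> bool:
    """Return True if the modelled vpn-filter permits a flow pkt_src -> pkt_dst.

    Assumption (see lead-in): the ACL is written remote -> local. For a flow
    that starts on the local side the ASA evaluates it with the endpoints
    swapped, so the same entry decides both directions. Unmatched = deny.
    """
    src, dst = ipaddress.IPv4Address(pkt_src), ipaddress.IPv4Address(pkt_dst)
    if src in local_net:              # local-initiated: compare as remote -> local
        remote_ip, local_ip = dst, src
    else:                             # remote-initiated: compare as written
        remote_ip, local_ip = src, dst
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if remote_ip in ace.src and local_ip in ace.dst:
            return ace.action == "permit"
    return False                      # implicit deny at the end of every ACL


def both_directions(acl_lines, local_cidr: str, local_host: str, remote_host: str) -> dict:
    """Evaluate one ACL for a remote-initiated and a local-initiated flow."""
    acl = [parse_ace(l) for l in acl_lines]
    local_net = ipaddress.IPv4Network(local_cidr)
    return {
        "remote_to_local": vpn_filter_allows(acl, local_net, remote_host, local_host),
        "local_to_remote": vpn_filter_allows(acl, local_net, local_host, remote_host),
    }


# Constructed sample: the subnets from the post, filter applied on the Pune ASA
# (local = PUNE 172.16.1.0/24, remote = AMS 192.168.1.0/24).
PUNE = "172.16.1.0/24"
PUNE_HOST, AMS_HOST = "172.16.1.10", "192.168.1.10"

# The deny proposed in the thread: blocks AMS -> PUNE but also PUNE -> AMS.
DENY_ACL = ["access-list vpn-filter deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0"]
# The permit quoted earlier in the thread: allows both directions.
PERMIT_ACL = ["access-list vpn-filter permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0"]


def demo() -> dict:
    """Returns the two results so they can be inspected or asserted on."""
    return {"deny": both_directions(DENY_ACL, PUNE, PUNE_HOST, AMS_HOST),
            "permit": both_directions(PERMIT_ACL, PUNE, PUNE_HOST, AMS_HOST)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the deny entry returning `False` for both `remote_to_local` and `local_to_remote`, and the permit entry returning `True` for both, which is the symptom described in the original post: with address-only entries, the filter cannot express "Pune may initiate, AMS may not".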