cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
280
Views
1
Helpful
4
Replies

ASA S2S VPN - Specific Port Tunneling

dermot ol
Level 1
Level 1

I've set up a S2S VPN on our perimeter ASA 5525x that tunnels traffic from certain source IPs going to any public IP, so far a pretty simply setup once all the public IP subnets had been defined in objects and then assigned to an object group, the VPN is up and working no problems.

The issue is that this sends all traffic from the source IPs going external over the VPN but I only want to tunnel http & https traffic, all other ports should traverse the ASA un-encrypted.

I did try to do this by modifying the crypto map ACL so it only included ports 80 & 443, then create a No NAT statement that only included ports 80 & 443, config below (80 & 443 in the nat statement are objects for the respective ports);

access-list outside_cryptomap extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 80
access-list outside_cryptomap extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 443
nat (inside,outside) source static INTERNAL_IPs INTERNAL_IPs destination static EXTERNAL_IPs EXTERNAL_IPs service 80 80 no-proxy-arp
nat (inside,outside) source static INTERNAL_IPs INTERNAL_IPs destination static EXTERNAL_IPs EXTERNAL_IPs service 443 443 no-proxy-arp 

Doing this seemed to cause the firewalls CPU to go through the roof and after a few SSH sessions hanging I eventually couldn't SSH back on to the device, I had to force a failover from the standby device (seems like the config above hadn't been sync'd to the standby unit) and then power cycle the original active device before it started responding again.

Thankfully there was no loss of end user services but as this is our production firewall a bit reluctant to try it again.

Just wondering if anyone has done what I'm trying to do and did you doing differently to how I tried it?

ASA's are on version 9.12(4)67 

Thanks

1 Accepted Solution

Accepted Solutions

I have idea but I dont know if it work or not 

Use vti instead of policy based VPN and then use pbr to direct traffic to vti

This way you can only direct http traffic via vti not all traffic 

MHM

View solution in original post

4 Replies 4

I have idea but I dont know if it work or not 

Use vti instead of policy based VPN and then use pbr to direct traffic to vti

This way you can only direct http traffic via vti not all traffic 

MHM

Thanks MHM, must admit I thought the ASAs didn't support PBR, I will see if the peer side supports VTI tunnels.

what is the other side of the tunnel ? VTI is generally referred as route based VPN (vs policy based vpn for crypto map) so you may want to check if other side supports route based vpn.

 

dermot ol
Level 1
Level 1

I haven't had chance to try this out yet but looking at BPR then this will defo do what I need, thanks again for your help.