ASA site-to-site acl issue

asmlicense (Level 1)

Good day, community!

I have an issue with an ACL for a site-to-site VPN on a Cisco ASA 5525 running 9.5(1).

We have a remote partner and we have to share some subnets with them. Some of these subnets should be accessible only via dedicated ports.

At first, we had a physical connection. A cable from their office came to our core switch; we created a VLAN for them and assigned this kind of ACL inbound:

ip access-list extended TEST
    permit ip any host 10.0.100.9
    permit ip any host 10.0.110.17
    permit tcp any host 10.0.110.11 eq 1000
    permit tcp any host 10.0.100.10 eq 1100
    permit ip any host 10.0.120.115
    permit tcp any host 10.0.100.183 eq 1200
    permit tcp any host 10.0.100.222 eq 1300

 

Yesterday we configured a site-to-site VPN between the ASA and a Fortinet firewall.

The tunnel is up and everything is working, but I can add hosts to the ACL only without a port. As soon as I add any port to the ACL, it begins to reject packets. Pings come in from the partner side but don't go back. This is our ACL on the ASA:

object network Local_1
 host 10.0.100.9
object network Local_2
 host 10.0.100.10
object network Local_3
 host 10.0.100.183
object network Local_4
 host 10.0.110.11
object network Local_5
 host 10.0.110.17
object network Local_6
 host 10.0.100.222
object network Local_7
 host 10.0.120.115

object network REMOTE_1
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_2
 subnet 10.11.11.0 255.255.255.0
object network REMOTE_3
 subnet 10.12.0.0 255.224.0.0
object-group network REMOTE
 network-object object REMOTE_2
 network-object object REMOTE_3

access-list REMOTE-ACL extended permit ip object Local_1 object-group REMOTE  
access-list REMOTE-ACL extended permit ip object Local_5 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_7 object-group REMOTE

access-list REMOTE-ACL extended permit tcp object Local_2 object-group REMOTE eq 1100
access-list REMOTE-ACL extended permit tcp object Local_3 object-group REMOTE eq 1200
access-list REMOTE-ACL extended permit tcp object Local_4 object-group REMOTE eq 1000
access-list REMOTE-ACL extended permit tcp object Local_6 object-group REMOTE eq 1300

access-list REMOTE-ACL extended permit ip object Local_5 object REMOTE_1
access-list REMOTE-ACL extended permit tcp object Local_4 object REMOTE_1 eq 1000

________________________________________________________________________

I removed port 1000 from the rule: access-list REMOTE-ACL extended permit tcp object Local_4 object REMOTE_1 eq 1000

and the partner side was able to ping and access everything. I added the port again, and telnet to this port didn't work. On the server side there is no restriction.

What can be the issue?

Thanks in advance!
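Editor's note and added example; this is not part of the original post. On the ASA, the ACL named in `crypto map ... match address` only selects which traffic is encrypted (the IPsec proxy identities negotiated with the Fortinet); it is not a firewall rule. With `permit tcp object Local_4 object REMOTE_1 eq 1000`, the echo replies from 10.0.110.11 are not interesting traffic, so they never enter the tunnel, which matches the symptom of pings arriving but not returning, and a TCP/1000 session can only be tunnelled if the Fortinet's phase 2 selectors carry exactly the same protocol and port. The usual way to restrict ports on one tunnel is to keep the crypto ACL host/subnet-based and attach a vpn-filter to that tunnel's group policy: the filter is applied to the decrypted traffic of that tunnel only and leaves `sysopt connection permit-vpn` and the other tunnels untouched. The peer address 203.0.113.10 and the names PARTNER-GP and PARTNER-VPN-FILTER are assumptions; the hosts, networks and ports are the ones from the post.

```cisco
! Added example (editor's, not from the original post). Peer address 203.0.113.10
! and the PARTNER-* names are assumptions; addresses and ports are those posted above.

! 1. Crypto ACL: hosts and networks only, no ports. This defines what is
!    encrypted and must mirror the Fortinet phase 2 selectors.
access-list REMOTE-ACL extended permit ip object Local_1 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_2 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_3 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_4 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_5 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_6 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_7 object-group REMOTE
access-list REMOTE-ACL extended permit ip object Local_4 object REMOTE_1
access-list REMOTE-ACL extended permit ip object Local_5 object REMOTE_1

! 2. vpn-filter ACL: written from the remote side's point of view
!    (source = partner networks, destination = local hosts and ports).
!    The ASA checks locally originated packets with source and destination
!    swapped, so the return traffic of these sessions is covered.
access-list PARTNER-VPN-FILTER extended permit ip object-group REMOTE object Local_1
access-list PARTNER-VPN-FILTER extended permit ip object-group REMOTE object Local_5
access-list PARTNER-VPN-FILTER extended permit ip object-group REMOTE object Local_7
access-list PARTNER-VPN-FILTER extended permit tcp object-group REMOTE object Local_2 eq 1100
access-list PARTNER-VPN-FILTER extended permit tcp object-group REMOTE object Local_3 eq 1200
access-list PARTNER-VPN-FILTER extended permit tcp object-group REMOTE object Local_4 eq 1000
access-list PARTNER-VPN-FILTER extended permit tcp object-group REMOTE object Local_6 eq 1300
access-list PARTNER-VPN-FILTER extended permit ip object REMOTE_1 object Local_5
access-list PARTNER-VPN-FILTER extended permit tcp object REMOTE_1 object Local_4 eq 1000
! Everything else from the partner, including ICMP to the port-restricted
! hosts, is dropped by the implicit deny at the end of the filter.

! 3. Bind the filter to this tunnel only.
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER-GP

! 4. Verify: the L2L session must list the filter name, and the ACE hit
!    counts must increase while the partner connects.
show vpn-sessiondb detail l2l
show access-list PARTNER-VPN-FILTER
```

Because ICMP is no longer permitted to the port-restricted hosts, the partner's ping test against 10.0.110.11 is expected to fail after this change while telnet to port 1000 succeeds; test with the actual application port rather than ping.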

9 Replies

For a site-to-site VPN on the ASA, if you need port filtering you need to give the command sysopt connection permit-vpn; here is a good link:

https://community.cisco.com/t5/vpn-and-anyconnect/sysopt-connection-permit-vpn/td-p/1479771

 

=========================================================================

If you want a port-level filter on the ASA with an access-list, then you have to issue this command on the ASA:

!
no sysopt connection permit-vpn
!
access-list outside_acl extended permit tcp host 10.x.x.x host 192.x.x0.x0 eq 23
!

please do not forget to rate.

Hi!
Just a quick question: I have these commands on my ASA and dozens of RA and site-to-site VPNs:

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

Will the 'no sysopt connection permit-vpn' command affect these connections, or is there no issue in using it?

Thanks in advance.

Oh, in that case do not use the command 'no sysopt connection permit-vpn'. This command will terminate/tear down all the site-to-site VPNs unless you have a port filter on each single ACL for the crypto map bound to a site-to-site VPN.

I was under the impression you only had this single VPN running on the ASA box.

For the time being, let the problematic VPN in without a port filter. Are you using Firepower SFR on the ASA? If so, you can narrow the port control from the SFR.

please do not forget to rate.

No, we have many site-to-site and remote access VPNs.
We have ACLs etc. for each of them, but port filtering will be used first for this VPN.

No, I don't have Firepower; we use a Palo Alto firewall, but it's in virtual wire mode, so I can't affect any VPN connections with it.

Maybe I can use some kind of VPN filter, or configure an additional ACL on the core switch on the same VLAN which goes to our production subnets, to allow traffic from the remote network only to the specified ports?

Anyway, thank you for your help! I'll try to find some way to fix it.
Now it's working without any port filtering.

No, we have many site-to-site and remote access VPNs.

Then stay away from the command I gave you. As said earlier, it will impact the production network.

We have ACLs etc. for each of them, but port filtering will be used first for this VPN.

One suggestion: you need to plan it, put in a change request, do a packet capture and find out what ports are in use / coming in over your VPN network, then lock them down with a port filter on the ASA using the earlier command.

No, I don't have Firepower; we use a Palo Alto firewall, but it's in virtual wire mode, so I can't affect any VPN connections with it.

You can lock down the ports on the Palo Alto as well; this is something you can look at.

Maybe I can use some kind of VPN filter, or configure an additional ACL on the core switch on the same VLAN which goes to our production subnets, to allow traffic from the remote network only to the specified ports?

Yes, you can do that one too. Good idea.

please do not forget to rate.

One suggestion: you need to plan it, put in a change request, do a packet capture and find out what ports are in use / coming in over your VPN network, then lock them down with a port filter on the ASA using the earlier command.

Let me clarify one thing. Traffic will come from the remote network and has to access servers in our local network on specified ports. So I don't need to filter incoming ports, but to restrict traffic coming in from the remote network to the ports which I specified in the config above.

I think that this config isn't right. I tried these variations:

access-list REMOTE-ACL extended permit tcp object Local_4 object REMOTE_1 eq 1000

access-list REMOTE-ACL extended permit tcp object Local_4 eq 1000 object REMOTE_1

access-list REMOTE-ACL extended permit tcp object REMOTE_1 object Local_4 eq 1000

But they didn't work.

 

 

Hi, it should be in this order.

In the current setup, and in a normal network, port filtering is not employed on a site-to-site VPN. By default, the ASA allows all inbound connections from the remote VPN network to the inside network without an ACL explicitly allowing them. This means that even if the inbound ACL on the outside interface denies the decrypted traffic, the ASA still allows it.

This default can be changed if you want the outside interface ACL to inspect the IPsec-protected traffic:

  1. Define an inbound ACE on the ASA outside interface ACL.
  2. Disable the VPN sysopt feature that allows new inbound connections initiated over the VPN to bypass all access-list checks.

=============================================

object network Local_4
 host 10.0.110.11
!
object network REMOTE_1
 subnet 10.10.10.0 255.255.255.0
!
nat (inside,outside) source static Local_4 Local_4 destination static REMOTE_1 REMOTE_1 no-proxy-arp route-lookup
!
access-list REMOTE-ACL extended permit ip object Local_4 object REMOTE_1
!
crypto map CMAP 1 match address REMOTE-ACL

---------------------------------------

Changed to, with:

no sysopt connection permit-vpn
access-group REMOTE-ACL in interface outside
access-list REMOTE-ACL extended permit tcp host 10.0.110.11 10.10.10.0 255.255.255.0 eq 1000

please do not forget to rate.
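An added example from the editor, not from the reply above, showing what this approach involves on an ASA that already carries other tunnels. `sysopt connection permit-vpn` is a global setting: once it is turned off, decrypted traffic from every site-to-site and remote-access tunnel is checked against the inbound ACL of the interface it arrives on. The tunnels themselves stay up, but packets of any tunnel whose traffic is not permitted there are dropped. Two further points about the snippet above: an interface has a single inbound ACL, so `access-group REMOTE-ACL in interface outside` would replace whatever ACL is already bound to outside; and an inbound interface ACL is evaluated from the remote side's perspective (source 10.10.10.0/24, destination 10.0.110.11 port 1000), while a crypto ACL lists the local side first, so reusing the crypto ACL's name also adds every interface ACE to the interesting-traffic definition. The example keeps the two roles apart. The ACL name OUTSIDE-IN, the second tunnel's network 10.20.20.0/24, the remote-access pool 10.99.0.0/24 and the peer 203.0.113.10 are assumptions; Local_4 and REMOTE_1 are the objects from the thread.

```cisco
! Added example (editor's, not from the reply). OUTSIDE-IN, 10.20.20.0/24,
! 10.99.0.0/24 and the peer 203.0.113.10 are assumptions.

! Crypto ACL unchanged: defines what is encrypted, local side as source.
access-list REMOTE-ACL extended permit ip object Local_4 object REMOTE_1

! Interface ACL: remote side as source. Every existing tunnel needs its
! decrypted traffic permitted here BEFORE the sysopt is disabled; otherwise
! that traffic is dropped at the outside interface the moment it is.
access-list OUTSIDE-IN remark -- partner tunnel: restricted port only
access-list OUTSIDE-IN extended permit tcp object REMOTE_1 object Local_4 eq 1000
access-list OUTSIDE-IN remark -- other site-to-site tunnel: unchanged behaviour
access-list OUTSIDE-IN extended permit ip 10.20.20.0 255.255.255.0 any
access-list OUTSIDE-IN remark -- remote-access users
access-list OUTSIDE-IN extended permit ip 10.99.0.0 255.255.255.0 any
access-list OUTSIDE-IN extended deny ip any any log

! One inbound ACL per interface; this is the one to bind.
access-group OUTSIDE-IN in interface outside

! Last step, only after the permits above are in place (global, all tunnels).
no sysopt connection permit-vpn

! Verify: the setting, the ACE hit counts, and that the tunnel is still up.
show running-config sysopt
show access-list OUTSIDE-IN
show crypto ipsec sa peer 203.0.113.10
```

One caveat a practitioner should weigh before choosing this route: an ASA interface ACL cannot tell a decrypted packet from a cleartext one, so `permit ip 10.20.20.0 255.255.255.0 any` on the outside interface also admits unencrypted packets that arrive with that source address. A per-tunnel vpn-filter does not have this property, which is why it is normally preferred for port restrictions on a single tunnel.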

Hi.

For the last lines you suggested: I have this configured right now, which binds all crypto maps to the outside interface:

crypto map CMAP interface Outside

I think that these lines will have a huge impact on working production, so I would have to change all the working config. I'll try to find another way, I think:

no sysopt connection permit-vpn

access-group REMOTE-ACL in interface outside

 

 

Yes. If your local network is behind your next-gen firewall (with application layer 7), then you can lock them down to the ports you are interested in, and add the remote addresses to bind them, in order to open only certain ports.

please do not forget to rate.