ASA VPN Filter and Service Groups

j44mistry
Level 1

Hello,

 

I am using service groups to group together a mixture of UDP and TCP ports. When the service group is applied to the VPN filter via ASDM, how do I know which direction the service is being applied to? Is it remote, local or bi-directional?

 

access-list TEST-Filter extended permit object-group Web-Ports object-group Remote-Web-Servers object-group Local-Users

 

I want the filter to allow only the Local-Users group to access the Remote-Web-Servers on HTTP and HTTPS only.

3 Replies

Walter Astori
Level 1

If you want the filter on the VPN you must write the ACL like this:

 

access-list TEST-Filter extended permit object-group Web-Ports object-group Local-Users object-group Remote-Web-Servers

 

So you can filter Local-Users (source ports 1024 to 65535) to Remote-Web-Servers on ports 80 and 443.

I thought Remote-Web-Servers always had to be the source address in a VPN filter rule?
I have another question:

 

How do you make services work in both directions on a VPN filter?

For example, to allow Telnet to work in both directions I configured a rule like this:

access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0 eq 23

However, the above does not work; I had to configure rules like this to make it work:

access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0


What is the purpose of the rule if it does not work bi-directionally, and in what cases do you use it?
I think that if you want to filter the traffic on a LAN-to-LAN VPN you must configure the filter as you wrote before:

 

access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

where:

10.0.0.0 255.255.255.0 is the address of the destination VPN (remote address)
192.168.1.0 255.255.255.0 is the address of the source VPN (your local address)
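The following is an added example, not code from this thread or from Cisco. It is a small Python model of how the ASA is documented to evaluate a vpn-filter ACL, and it is included to show concretely why the single ACE with `eq 23` on both sides never matches a Telnet session while the two one-sided ACEs do, and why, for the first question, the remote web servers end up as the source with `eq 80`/`eq 443` on the source side. The model assumes (as stated in the comments) that an ACE is written remote network to local network, that only the first packet of a connection is evaluated, and that for connections started from the local side the ASA swaps source and destination before matching; the IP addresses, ports and the `WEB_FILTER` lines are constructed for the example, and the ACE parser handles only the `network mask [eq port]` form used in the thread.

```python
"""Model of ASA vpn-filter ACL evaluation (illustration, not ASA code).

Assumptions used by this model:
  * ACEs are written remote-network -> local-network.
  * The filter is matched against the first packet of a connection; the
    reply traffic of a permitted connection is allowed by stateful
    inspection and is not re-evaluated.
  * For a connection started from the local side, source and destination
    (addresses and ports) are swapped before matching, so the ACE still
    reads remote -> local.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the "net mask [eq port]  net mask [eq port]" form from the thread.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>\S+)\s+(?P<dmask>\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one ASA access-list line into an Ace."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    g = m.groupdict()
    return Ace(
        action=g["action"],
        proto=g["proto"],
        src=ipaddress.ip_network(f"{g['src']}/{g['smask']}", strict=False),
        sport=int(g["sport"]) if g["sport"] else None,
        dst=ipaddress.ip_network(f"{g['dst']}/{g['dmask']}", strict=False),
        dport=int(g["dport"]) if g["dport"] else None,
    )


def vpn_filter_permits(acl: List[Ace], local_net: ipaddress.IPv4Network,
                       proto: str, src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int) -> bool:
    """Return True if the first packet of a connection passes the filter.

    src/dst describe the packet as sent by the connection initiator.
    """
    s_ip, d_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    s_port, d_port = src_port, dst_port
    if s_ip in local_net:                      # locally initiated: swap (assumption)
        s_ip, d_ip = d_ip, s_ip
        s_port, d_port = d_port, s_port
    for ace in acl:                            # first matching ACE decides
        if ace.proto != proto:
            continue
        if s_ip not in ace.src or d_ip not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != s_port:
            continue
        if ace.dport is not None and ace.dport != d_port:
            continue
        return ace.action == "permit"
    return False                               # implicit deny at end of ACL


# Constructed sample data: 10.0.0.0/24 is the remote side, 192.168.1.0/24 local.
LOCAL = ipaddress.ip_network("192.168.1.0/24")

BOTH_PORTS_23 = [parse_ace(
    "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 "
    "192.168.1.0 255.255.255.0 eq 23")]

TWO_RULES = [parse_ace(line) for line in (
    "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23",
    "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0",
)]

# Local users browsing remote web servers: server ports sit on the source side.
WEB_FILTER = [parse_ace(line) for line in (
    "access-list TEST-Filter permit tcp 10.0.0.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0",
    "access-list TEST-Filter permit tcp 10.0.0.0 255.255.255.0 eq 443 192.168.1.0 255.255.255.0",
)]


def telnet_from_remote(acl: List[Ace]) -> bool:
    # remote client 10.0.0.9 (ephemeral port) -> local Telnet server 192.168.1.20:23
    return vpn_filter_permits(acl, LOCAL, "tcp", "10.0.0.9", 40000, "192.168.1.20", 23)


def telnet_from_local(acl: List[Ace]) -> bool:
    # local client 192.168.1.5 (ephemeral port) -> remote Telnet server 10.0.0.7:23
    return vpn_filter_permits(acl, LOCAL, "tcp", "192.168.1.5", 51000, "10.0.0.7", 23)


def web_from_local(acl: List[Ace]) -> bool:
    # local user 192.168.1.5 -> remote web server 10.0.0.80:443
    return vpn_filter_permits(acl, LOCAL, "tcp", "192.168.1.5", 52000, "10.0.0.80", 443)


def web_from_remote(acl: List[Ace]) -> bool:
    # remote host 10.0.0.9 trying to reach a local web server 192.168.1.20:443
    return vpn_filter_permits(acl, LOCAL, "tcp", "10.0.0.9", 40001, "192.168.1.20", 443)


if __name__ == "__main__":
    for name, acl in (("eq 23 on both sides", BOTH_PORTS_23), ("two one-sided ACEs", TWO_RULES)):
        print(f"{name}: remote->local {telnet_from_remote(acl)}, "
              f"local->remote {telnet_from_local(acl)}")
    print(f"web filter: local->remote {web_from_local(WEB_FILTER)}, "
          f"remote->local {web_from_remote(WEB_FILTER)}")
```

Under the model, the both-sides `eq 23` ACE requires a client whose ephemeral port is also 23, so neither Telnet direction matches; the ACE with `eq 23` on the destination permits Telnet started from the remote side, and the ACE with `eq 23` on the source permits Telnet started locally. The same logic puts the web server ports on the source side of `WEB_FILTER`, so local users reach the remote servers on 80 and 443 while the remote side cannot open connections towards the local network.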