04-23-2008 07:50 AM - edited 02-21-2020 03:41 PM
I'm running 8.03 code and have a simple L2L VPN configured between two sites. This is actually a test config in my lab, but I'm having trouble restricting traffic using an inside ACL.
I used the VPN Wizard to do the initial config and then added an inside (out) ACL to restrict traffic once the tunnel comes up.
The crypto map is as follows:
access-list outside_1_cryptomap extended permit ip 164.72.1.128 255.255.255.240 host SunMed_pc
Then I have an ACL to limit traffic to pinging GHC_laptop and telnetting to GHC_switch, and to deny everything else:
access-list inside_access_out extended permit icmp host SunMed_pc host GHC_Laptop
access-list inside_access_out extended permit tcp host SunMed_pc host GHC_switch eq telnet
access-list inside_access_out extended deny ip any any
However, SunMed_pc can also ping GHC_switch and FTP to GHC_laptop, even though the hit counter on the 3rd (deny all) entry increases when I do that.
I've attached a Word document that has the entire config along with a screen shot showing the ACL and the hits.
Do I have the ACL set up incorrectly or is the ACL in fact not working as expected?
04-23-2008 07:56 AM
As long as you have "sysopt connection permit-vpn", all IPsec traffic will bypass interface ACLs. If you wish to filter IPsec traffic with interface ACLs, then you have to enter...
no sysopt connection permit-vpn
In ASDM, this option is located at
Config -> site to site vpn -> advanced -> system options -> "enable inbound ipsec sessions to bypass interface access lists"
04-23-2008 08:05 AM
If I keep sysopt connection permit-vpn, is there no way to restrict traffic? I was told to keep all IP as interesting traffic as a best practice when building L2L VPNs, but I must be able to restrict traffic.
What would be the best config method then if I simply wanted SunMed_pc to telnet to GHC_switch?
Also, this ASA-5540 will strictly be for L2L VPN connections and will not be used as a firewall in any way, and I will eventually have dozens of VPNs configured on it. With that in mind, is it best to use 'sysopt connection permit-vpn'?
04-23-2008 08:11 AM
You can still keep all IP for your interesting traffic ACLs. If you remove the sysopt, then you would write the access in your "inside_access" ACL like you did above.
If you are going to have dozens of L2L tunnels, and will be restricting them all, then I would just remove the sysopt and use the interface ACLs.
There is another option. You can leave the sysopt and use a vpn-filter. It is explained here and can be applied to l2l.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1524559
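As an added illustration of the vpn-filter option described in the reply above (this is not the poster's configuration or Cisco's documentation, and the group-policy name, ACL name and peer address 203.0.113.10 are placeholders), the following ASA 8.0-style fragment keeps "sysopt connection permit-vpn" in place and instead restricts the tunnel to ICMP from SunMed_pc to GHC_Laptop and telnet from SunMed_pc to GHC_switch. A vpn-filter ACL is written with the remote host (SunMed_pc) as the source and the local hosts as the destination; the ASA applies it to decrypted traffic arriving from the tunnel and to traffic about to enter it, with the usual implicit deny covering everything else. An ACL used as a vpn-filter should not also be bound to an interface with access-group.

```cisco
! Added example, not from the original thread: vpn-filter applied to an L2L tunnel
! so that the interface ACL bypass granted by "sysopt connection permit-vpn" stays
! in effect while traffic inside the tunnel is still restricted.

! Filter ACL: remote host as source, local hosts as destination.
access-list SUNMED_VPN_FILTER extended permit icmp host SunMed_pc host GHC_Laptop
access-list SUNMED_VPN_FILTER extended permit tcp host SunMed_pc host GHC_switch eq telnet
! Everything else inside the tunnel is dropped by the implicit deny.

! Dedicated group policy that carries the filter (placeholder name).
group-policy SUNMED_GP internal
group-policy SUNMED_GP attributes
 vpn-filter value SUNMED_VPN_FILTER

! Bind the group policy to the L2L tunnel-group; 203.0.113.10 is a placeholder peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SUNMED_GP

! Verification: the filter's hit counters increment as traffic crosses the tunnel,
! and the session detail shows which filter is in effect for the peer.
! show access-list SUNMED_VPN_FILTER
! show vpn-sessiondb detail l2l
```

The alternative described earlier in the thread, "no sysopt connection permit-vpn" together with the poster's inside_access_out interface ACL, achieves the same restriction but subjects every tunnel on the box to the interface ACLs; the vpn-filter approach scopes the policy to one tunnel-group, which is easier to audit when dozens of L2L peers terminate on the same ASA.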