1826 Views, 5 Helpful, 22 Replies

asymmetric access control in site to site vpn

simon.law
Level 1

Hi,

I'm trying to set up a site to site VPN between my two ASA 5510 ver 8.3. Both site A and site B can access each other without any problem. Is it possible to configure the site A firewall so that site A can fully access site B but site B can only access a subset of traffic to site A?

I have tried the following at site A, but it wouldn't stop the traffic from site B:

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

Thanks,

Simon

22 Replies

Hi Simon,

I think Andrew pointed you in the right direction, but you need the "no" statement before "sysopt connection permit-vpn".

This stops all VPN traffic unless you specify an access-list.

Regards,

Gaston Bougie

Hi Gaston,

I did get it to work using "no sysopt connection permit-vpn" but the acl needs to be applied to the outside interface. I feel so uncomfortable allowing access from the outside interface and I am looking for an alternate solution.

Thanks,

Simon

I have checked your config, and you are not filtering or blocking any traffic from the VPN to the LAN.

Do you want to block VPN traffic from the TrustPoint1 VPN?

Hi Andrew,

Yes, I would like to block VPN traffic from other site to the LAN. Can you please let me know how I can do it?

Thanks,

Simon

Well, considering it's an "inside" interface, I would do something like:

access-list inside-out deny tcp > <> eq <>

access-list inside-out deny udp > <> eq <>

access-list inside-out permit ip any any

access-group inside-out out interface inside

Restrict what you don't want them to do, then permit everything else. Remember this is placed on the "outbound" on the interface, so you do need the permit ip any any, otherwise nothing else will be allowed onto the LAN!

HTH

Hi Andrew,

I just tried the following, but it wouldn't stop the traffic:

access-list ktm_access_out deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out permit ip any any
access-group ktm_access_out out interface ktm

Actually, running-config shows them as

access-list ktm_access_out extended deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out extended permit ip any any

access-group ktm_access_out out interface ktm

The acl is not triggered at all according to the log.

Thanks,

Simon

Try removing the objects in the ACL and use specific IP subnets using the correct notation.

Hi Andrew,

I tried the following, but it still doesn't work.

access-list ktm_access_out deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-group ktm_access_out out interface ktm

When I run show running-config, they became

access-list ktm_access_out extended deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out extended permit ip any any
access-group ktm_access_out out interface ktm

Mine is an ASA 5510 at ver 8.31.

Thanks,

Simon
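As an added illustration (not part of the thread or of any Cisco code), here is a small Python model of how an ASA evaluates the ktm_access_out ACL Simon posted: first matching entry wins, an ACL with no match ends in the implicit deny (which is why Andrew insists on the trailing permit ip any any), and decrypted tunnel traffic is not run through the interface ACL at all while "sysopt connection permit-vpn" is enabled, which is why the ACL never shows up in the log. The ACL uses the two subnets from the thread; the host addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "ip"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # "any" or ASA "network mask" notation
    dst: str
    dport: Optional[int] = None   # the "eq <port>" part, if present

def in_net(addr: str, spec: str) -> bool:
    """ASA address spec: 'any' or '172.16.3.0 255.255.255.0' (network, then mask)."""
    if spec == "any":
        return True
    net, mask = spec.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}")

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return in_net(pkt.src, ace.src) and in_net(pkt.dst, ace.dst)

def acl_decision(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; no match hits the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def egress_decision(acl: list, pkt: Packet, sysopt_permit_vpn: bool) -> str:
    """Decrypted tunnel traffic: with 'sysopt connection permit-vpn' on (the default),
    the interface ACL is bypassed, as described in the thread; with it off, the ACL applies."""
    if sysopt_permit_vpn:
        return "permit"
    return acl_decision(acl, pkt)

# Constructed from the thread: remote LAN 172.16.3.0/24, local (ktm) LAN 172.16.6.0/24.
KTM_ACCESS_OUT = [
    Ace("deny", "tcp", "172.16.3.0 255.255.255.0", "172.16.6.0 255.255.255.0", 3389),
    Ace("permit", "ip", "any", "any"),
]
RDP = Packet("172.16.3.10", "172.16.6.20", "tcp", 3389)   # constructed sample hosts
```

acl_decision(KTM_ACCESS_OUT, RDP) returns "deny", yet egress_decision(..., True) returns "permit"; dropping the second ACE (KTM_ACCESS_OUT[:1]) makes every non-RDP packet fall through to the implicit deny.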