01-15-2008 06:00 AM - edited 02-21-2020 03:28 PM
I have a site-to-site VPN (between two ASAs) which works just fine, however we want to have control on:
1) the ability to bring up the VPN tunnel only if one site initiates traffic. If that site does not initiate traffic, the tunnel should not come up
2) the ability for one site to access resources from the other site but not vice versa.
Any ideas?
01-31-2008 08:47 AM
Posted this before, but maybe it didn't work out. Use the vpn-filter option to filter the traffic.
group-policy
vpn-filter value vpnfilter
access-list vpnfilter extended permit tcp
etc.
01-31-2008 11:52 AM
As I wrote above, the filter works. But you cannot access the remote VPN subnet from the local subnet.
I keep receiving this error:
2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal
01-31-2008 01:52 PM
Sorry, there are a lot of posts to try to keep straight.
02-01-2008 01:57 AM
No problem. Any new thoughts or solutions?
02-01-2008 06:29 AM
Those are really your only 2 options. Has the other guy in this thread tried the vpn-filter? I have used it before on an L2L tunnel and it worked OK.
02-01-2008 05:14 PM
I have tried the vpn-filter in an L2L setup.
Although Cisco claims that the filter works bidirectionally, it works only from the client side. The only thing that works bidirectionally is ICMP.
When I apply the vpn-filter, from my LAN I cannot connect to the client side on any port.
This is the error I get every time I try to connect:
2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal
Where 172.16.10.0 is my LAN and 192.168.1.0 is the client's LAN.
02-04-2008 06:07 AM
Well, I think I have found the solution to filter the client side on the ASA, not exactly as I would like to, but hey, it's a step.
VPN filtering works in L2L; to see it working, make sure that you don't have PFS enabled.
Every rule that you create works bidirectionally, remember that.
04-04-2008 02:46 AM
I am joining the club!
What does bidirectional mean? Does it mean
the remote site can reply with ACKs? Or does it mean the remote site can create SYNs whenever the local site is able to? That's not a solution....
04-15-2008 06:13 AM
Hi guys, hope it's not too late to join the club :) Here are my thoughts:
1. vpn-filter
As Cisco said, "If TCP/UDP ports are not used with the access list, both sides can access each other", so I wrote the following vpn-filter access-list, which can control traffic from the remote site but allows all traffic to the remote site
group-policy
vpn-filter value vpnfilter
access-list vpnfilter extended permit tcp
access-list vpnfilter extended permit udp
access-list vpnfilter extended deny tcp any any # deny tcp traffic from remote to local #
access-list vpnfilter extended deny udp any any # deny udp traffic from remote to local #
access-list vpnfilter extended permit ip
If you want to deny all traffic from the remote site but allow all traffic to it, you can use the following vpn-filter access-list OR the second method
access-list vpnfilter extended deny tcp any any
access-list vpnfilter extended deny udp any any
access-list vpnfilter extended permit ip
2. outbound access-list on the inside interface
access-list inside_access_out deny ip
access-list inside_access_out permit ip any any
access-group inside_access_out inside out
None of this config has been verified; if anyone can test it, please post the result, thanks.
HTH
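The "what does bidirectional mean" question and the 106001 denies quoted in this thread both come down to how the ASA evaluates a vpn-filter ACE, so here is a small Python model of that evaluation as an added example (not posted in this thread and not Cisco's code). It assumes the rule from Cisco's vpn-filter documentation that the ACE source position is the remote (peer) side and the destination position is the local side, with the same ACE checked with the sides swapped for traffic heading toward the peer; the subnets, hosts and ports are the ones quoted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    """One vpn-filter ACE. ASSUMPTION from Cisco's docs: the ACE source position
    is the REMOTE (peer) side and the destination position is the LOCAL side."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    remote: str                      # remote-side network, e.g. "192.168.1.0/24"
    local: str                       # local-side network
    remote_port: Optional[int] = None
    local_port: Optional[int] = None

def _side(net, port, addr, pkt_port):
    return ip_address(addr) in ip_network(net) and (port is None or port == pkt_port)

def _matches(ace, proto, src, sport, dst, dport, src_is_remote):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if src_is_remote:  # packet arriving from the peer: src = remote, dst = local
        return _side(ace.remote, ace.remote_port, src, sport) and \
               _side(ace.local, ace.local_port, dst, dport)
    # packet leaving toward the peer: same ACE, sides swapped, so a port written
    # on the local side still binds to the LOCAL host's port, whoever initiates
    return _side(ace.remote, ace.remote_port, dst, dport) and \
           _side(ace.local, ace.local_port, src, sport)

def vpn_filter(acl, proto, src, sport, dst, dport, remote_net):
    """First-match evaluation with the ASA's implicit deny at the end."""
    src_is_remote = ip_address(src) in ip_network(remote_net)
    for ace in acl:
        if _matches(ace, proto, src, sport, dst, dport, src_is_remote):
            return ace.action
    return "deny"

# Constructed inputs using the subnets quoted in the thread: remote 192.168.1.0/24,
# local 172.16.10.0/24. Hosts and ports are taken from the 106001 log line above.
REMOTE, LOCAL = "192.168.1.0/24", "172.16.10.0/24"
RDP_TO_LOCAL = [Ace("permit", "tcp", REMOTE, LOCAL, local_port=3389)]  # port on local side
ANY_IP = [Ace("permit", "ip", REMOTE, LOCAL)]                           # no ports at all

if __name__ == "__main__":
    # remote host initiating RDP to a local host: permitted (and so is the reply)
    print(vpn_filter(RDP_TO_LOCAL, "tcp", "192.168.1.2", 2824, "172.16.10.13", 3389, REMOTE))
    # local host initiating RDP toward the remote host: denied (local port is 2824, not 3389)
    print(vpn_filter(RDP_TO_LOCAL, "tcp", "172.16.10.13", 2824, "192.168.1.2", 3389, REMOTE))
    # with no ports in the ACE, either side may initiate
    print(vpn_filter(ANY_IP, "tcp", "172.16.10.13", 2824, "192.168.1.2", 3389, REMOTE))
```

The second case is the situation described earlier in the thread: an ACE with a port on one side only lets the other side initiate, while an address-only ACE is what makes "both sides can access each other" true.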