04-07-2013 04:40 PM
I have a working L2L between two locations. Location A and Location B.
Location A: 172.16.16.0/24
Location B: 192.168.0.0/24
I would like to block anything inbound to Location A from Location B that isn't initiated from Location A. The block should be done on the ASA5505 at Location A. Location B uses an ISR G2 router.
i.e. Location A can start an SSH session to a server in Location B
Location B cannot start an SSH session to a server in Location A
I tried using a VPN filter on the ASA5505 but it isn't stateful, I cannot pass any traffic when using it.
Config on my ASA:
access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list block-vpn-to-local extended permit ip any any
crypto map vpn 100 match address vpn-traffic
crypto map vpn 100 set peer locationB-public-IP
crypto map vpn 100 set transform-set esp-aes256-sha
crypto map vpn interface outside
group-policy block-vpn-to-local-policy internal
group-policy block-vpn-to-local-policy attributes
vpn-filter value block-vpn-to-local
vpn-tunnel-protocol IPSec
tunnel-group locationB-public-IP type ipsec-l2l
tunnel-group locationB-public-IP general-attributes
default-group-policy block-vpn-to-local-policy
tunnel-group locationB-public-IP ipsec-attributes
pre-shared-key *****
I also have an AnyConnect VPN setup for the ASA5505 and it is running 8.2(5). Any tips?
04-07-2013 11:43 PM
Hi,
Unless you already have a high amount of VPN connections in use, there's also another option other than the VPN Filter ACL.
You can globally change the setting "sysopt connection permit-vpn" (default setting is that this is enabled)
If you change this setting to "no sysopt connection permit-vpn" every connection coming from remote site will require an ACL rule on the interface ACL which terminates the VPN. And that is usually the "outside" interface.
I find it's an easy and a lot clearer way of building ACL rules for the VPN connections also, although the "outside" ACL would now include both VPN and Internet traffic related rules. Still, it beats the use of VPN Filter ACL if you ask me.
The downside of trying to enable this later on is the fact that if you didn't have any restrictions between VPN and LAN connections, you would now have to determine what needs to be opened before you change the global setting so that connections don't stop working.
Here is the section of the ASA 8.2 Command Reference for the command/setting I am talking about
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364
If you want to go with VPN Filter ACLs then follow the earlier posts instructions while building ACL rules.
- Jouni
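Putting Jouni's answer into a complete configuration, as an added example that is not part of the thread. It assumes the OP's interface names and subnets; the ACL name outside-in and the AnyConnect address pool 10.10.10.0/24 are placeholders. If an ACL is already applied inbound on outside, add the lines to that ACL instead of creating a new one, and build the ACL before flipping the global setting, as Jouni warns, so nothing stops working in between.

```cisco
! Added example, not from the thread. outside-in and 10.10.10.0/24 are placeholders.
!
! 1. Inbound ACL on the interface that terminates the tunnel. Return traffic
!    for connections started from Site A is matched by the ASA connection
!    table and never consults this ACL, so only B-initiated traffic is denied.
access-list outside-in remark Site B must not start anything into Site A (log hits for investigation)
access-list outside-in extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0 log
access-list outside-in remark AnyConnect clients also terminate on outside and now need a permit (placeholder pool)
access-list outside-in extended permit ip 10.10.10.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list outside-in remark Existing Internet-facing rules go here; everything else is implicitly denied
access-group outside-in in interface outside
!
! 2. Remove the non-working VPN filter so it does not keep dropping the tunnel
!    traffic on top of the interface ACL.
group-policy block-vpn-to-local-policy attributes
 no vpn-filter
!
! 3. Stop bypassing the interface ACL for decrypted VPN traffic (the default
!    "sysopt connection permit-vpn" is enabled).
no sysopt connection permit-vpn
!
! 4. Verify: global setting and ACL hit counters.
show running-config sysopt
show access-list outside-in
```

After the change, `show access-list outside-in` should show the deny line's hit counter climbing only when Site B tries to open something, while SSH sessions started from Site A keep working because their replies are handled by the existing connection state rather than by the ACL.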
04-07-2013 09:58 PM
Hi,
The ACL for a VPN filter works a bit differently than a normal access-list. If you want to accept SSH from location A->B (use a dedicated ACL for the filter, not the crypto map's vpn-traffic ACL):
access-list block-vpn-to-local extended permit tcp 192.168.0.0 255.255.255.0 eq ssh 172.16.16.0 255.255.255.0
and deny from B->A:
access-list block-vpn-to-local extended deny tcp 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0 eq ssh
You should always put the destination LAN IP/subnet first and then the source LAN IP/subnet; you change only the port position.
regards
Hubert
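A fuller VPN filter written with the convention Hubert describes, as an added example that is not part of the thread. The ACL name vpnfilter-from-B is a placeholder; the subnets are the OP's. Every line is written remote site (B) first, local site (A) second, and the port sits on whichever side is the server, so A-initiated SSH and HTTPS to B pass while the implicit deny at the end of the ACL drops everything else, including anything B tries to start.

```cisco
! Added example, not from the thread. vpnfilter-from-B is a placeholder name.
! Use a dedicated ACL for the filter; never reuse the crypto map match ACL (vpn-traffic).
access-list vpnfilter-from-B remark A -> B SSH: B is the server, so the port goes on B's side
access-list vpnfilter-from-B extended permit tcp 192.168.0.0 255.255.255.0 eq ssh 172.16.16.0 255.255.255.0
access-list vpnfilter-from-B remark A -> B HTTPS, same rule
access-list vpnfilter-from-B extended permit tcp 192.168.0.0 255.255.255.0 eq https 172.16.16.0 255.255.255.0
access-list vpnfilter-from-B remark If B had to reach an SSH server in A, the port would move to A's side:
access-list vpnfilter-from-B remark   permit tcp 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0 eq ssh
access-list vpnfilter-from-B remark No explicit deny needed: the implicit deny at the end blocks all other traffic
!
group-policy block-vpn-to-local-policy attributes
 vpn-filter value vpnfilter-from-B
!
show access-list vpnfilter-from-B
```

The filter matches on addresses and ports, not on which side opened the connection, so a broad `permit ip` line between the two subnets would pass traffic started from either site and a broad `deny ip` line (the OP's original filter) blocks both, which is what the OP saw. A VPN filter therefore has to be built per service; for the OP's actual requirement, all IP traffic allowed only when Site A initiates it, the interface ACL approach in the accepted answer is the better fit.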
04-08-2013 05:29 AM
Thanks for the info Hubert. I was looking more at blocking all IP traffic incoming from location B though and only used SSH as an example to show that I wanted outbound connections to work (stateful).
I did learn a lot about the filtering options from your post though and I thank you for that.
04-08-2013 05:30 AM
JouniForss,
This worked perfectly. Thanks for the help!
08-04-2013 01:13 PM
This worked for me too! Thank you! I was looking to have the site-to-site setup for the ability to do an encrypted offsite backup for a couple of customers and to support them from my internal network. I wanted to be able to access their entire network, but limit their internal network to a single IP address on my network, which is my NAS I am using for their remote backups. This worked like a champ!