Cisco Adaptive Security Appliance Software Version 8.2(4)

Dear All,

I was configuring an IPSEC VPN on an ASA5540 and I have a problem with port blocking. I am unable to block server ports for remote users. See the configuration below. I need to configure a VPN filter list; can anyone help me configure one?

access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
group-policy portal internal
group-policy portal attributes
 dns-server value 10.1.10.33 10.1.10.34
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value portal
 default-domain value abc.com
 split-dns value abc.com
 address-pools value vpnpool
tunnel-group portal type remote-access
tunnel-group portal general-attributes
 address-pool vpnpool
 authentication-server-group ACS
 default-group-policy portal
tunnel-group portal ipsec-attributes
 pre-shared-key *&******

I need to block these access-list entries and open only port 53 (DNS):

access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0

I wrote this access-list, but it does not work and it opens all ports:

access-list portal extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0

This access-list does not work either; it opens all ports, such as remote desktop, FTP, ICMP, etc.

Can anybody help me, please?

Can anybody show me how to use a VPN filter list to block by port or protocol?

5 Replies

Mohamed Sobair
Level 7

The access-list below should permit only DNS:

access-list portal permit udp host 10.1.yyy.33 eq domain 192.168.20.0 255.255.255.0
access-list portal permit tcp host 10.1.yyy.33 eq domain 192.168.20.0 255.255.255.0

Note:

DNS uses both TCP and UDP port 53, for domain name lookups and for zone transfers.

Regards,

Mohamed

Yes, I know, but on the ASA 5540 (version 8.2) this access-list is not working. If I use this access-list to open only DNS, it opens all ports. I need to use a VPN filter for port- or protocol-based restriction of remote VPN users.

Regards,

Syed

I am not sure about version 8.2,

but if that is the case, you may have to configure vpn-filter value on the group-policy and refer this access-list to it.

The VPN-FILTER always requires an ACL to refer to.

Check the link below, but note that it states the software version is (8.1).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Regards,

Mohamed

Can you help me with how to use the VPN filter list? I have seen this example, but I am unable to make it work with my configuration.

Regards,

Hi,

You can have the split tunnel ACL named as portal and configured as below:

access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0

You can configure a vpn-filter ACL like the one below (the source must be given as `host` or with a mask):

access-list VPNF extended permit udp host 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0

and then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.

Regards,

Prapanch
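Putting Prapanch's vpn-filter answer and Mohamed's TCP/UDP note together, here is an added, complete ASA configuration example (not posted by anyone in the thread). It assumes the inside DNS servers are the 10.1.10.33 and 10.1.10.34 from the group-policy's dns-server line, the client pool is 192.168.20.0/24, and the filter ACL is named VPNF; the ACL direction follows the convention both replies use (inside server as source carrying the service port, client pool as destination), and `!` lines are comments.

```cisco
! Added example; addresses and ACL name are assumptions taken from the thread.
!
! Split-tunnel ACL: decides only which destinations are sent through the
! tunnel. Port matches here have no filtering effect, which is why adding
! "eq 53" to the "portal" ACL left remote desktop, FTP and ICMP open.
access-list portal extended permit ip host 10.1.10.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.10.34 192.168.20.0 255.255.255.0
!
! vpn-filter ACL: this is what actually restricts traffic inside the tunnel.
! Both UDP and TCP 53 are permitted; everything else is dropped by the
! implicit deny at the end of the ACL.
access-list VPNF remark Remote-access clients: DNS to the inside resolvers only
access-list VPNF extended permit udp host 10.1.10.33 eq domain 192.168.20.0 255.255.255.0
access-list VPNF extended permit tcp host 10.1.10.33 eq domain 192.168.20.0 255.255.255.0
access-list VPNF extended permit udp host 10.1.10.34 eq domain 192.168.20.0 255.255.255.0
access-list VPNF extended permit tcp host 10.1.10.34 eq domain 192.168.20.0 255.255.255.0
!
! Attach the filter to the group-policy the tunnel-group already uses.
group-policy portal attributes
 vpn-filter value VPNF
!
! Verification: connect a test client, run a DNS lookup and one non-DNS
! attempt (for example RDP), then confirm only the VPNF DNS lines show
! hit counts and the other attempt is dropped.
show access-list VPNF
```

If the DNS lines show no hits after a successful lookup, the filter is not matching on the running version and the ACL direction should be reversed before relying on it.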