08-10-2011 01:25 PM
Dear All
I was configuring an IPsec VPN on an ASA 5540 and I have a problem with port blocking. I am unable to block server ports for remote users. See the configuration below. I need to configure a vpn filter list; can anyone help me configure a vpn filter list?
access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
group-policy portal internal
group-policy portal attributes
dns-server value 10.1.10.33 10.1.10.34
split-tunnel-policy tunnelspecified
split-tunnel-network-list value portal
default-domain value abc.com
split-dns value abc.com
address-pools value vpnpool
tunnel-group portal type remote-access
tunnel-group portal general-attributes
address-pool vpnpool
authentication-server-group ACS
default-group-policy portal
tunnel-group portal ipsec-attributes
pre-shared-key *&******
I need to block this access-list and open only port 53 (DNS):
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
I wrote this access-list but it does not work and it opens all ports:
access-list portal extended permit udp host 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
This access-list does not work and it opens all ports, like remote desktop, FTP, ICMP, etc.
Can anybody help me, please?
Can anybody help me with how to use a vpn filter list to block by port or protocol?
08-10-2011 01:42 PM
The access-list below should only permit DNS:
access-list portal permit udp host 10.1.yyy.33 eq domain 192.168.20.0 255.255.255.0
access-list portal permit tcp host 10.1.yyy.33 eq domain 192.168.20.0 255.255.255.0
Note:
The DNS uses TCP and UDP port 53 for both Domain name and Zone Transfer.
Regards,
Mohamed
08-10-2011 01:46 PM
Yes, I know, but on the ASA 5540 (version 8.2) this access-list is not working. If I use this access-list to open only DNS, it opens all ports. I need to use a vpn filter for port- or protocol-based restriction of remote VPN users.
regards,
syed
08-10-2011 02:00 PM
I am not sure about version 8.2,
but if that is the case, you may have vpn-filter value configured on the group-policy and refer this access-list to it.
The VPN-FILTER always requires an ACL to refer to.
Check the link below, but note that it states the software version is 8.1.
Regards,
Mohamed
08-11-2011 10:14 AM
Can you help me with how to use a vpn filter list? I have seen this example but was unable to make it work with my configuration.
regards,
08-24-2011 01:44 PM
Hi,
You can have the split-tunnel ACL named portal and configured as below:
access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
You can configure a vpn-filter ACL like the one below:
access-list VPNF extended permit udp host 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
Then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.
Regards,
Prapanch
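Editor's note (added example, not part of any post above and not Cisco's or Prapanch's own configuration). The reason the original attempt "opened all ports" is that a split-tunnel-network-list only decides which destination networks the client routes into the tunnel; any protocol or port written into that ACL is ignored, so it can never act as a firewall rule. Port-level enforcement is the job of vpn-filter, which the ASA applies to decrypted traffic with an implicit deny at the end. One caveat the replies above do not mention: per the ASA configuration guide, for remote-access sessions the vpn-filter ACL is written with the client's assigned (pool) address as the source and the internal host as the destination; return traffic for permitted TCP/UDP flows is allowed automatically. The fragment below assumes 192.168.20.0/24 is the vpnpool range (consistent with the ACLs in the thread), keeps the thread's names portal and VPNF, and uses placeholder addresses 10.1.xx.x / 10.1.yyy.33 exactly as redacted in the thread.

```cisco
! --- Split-tunnel list: routing only. Ports here are ignored, so it is not a filter.
access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0

! --- VPN filter: enforced on decrypted client traffic.
! Source = client pool, destination = internal server (remote-access form).
! Only DNS over UDP and TCP port 53 is allowed; RDP, FTP, ICMP, etc. hit the
! implicit deny at the end of the ACL.
access-list VPNF extended permit udp 192.168.20.0 255.255.255.0 host 10.1.yyy.33 eq domain
access-list VPNF extended permit tcp 192.168.20.0 255.255.255.0 host 10.1.yyy.33 eq domain
! Optional (assumption): repeat the two lines for a second DNS server if needed.

group-policy portal attributes
 vpn-filter value VPNF

! --- Verification after a test user reconnects (the filter is bound at session setup):
show running-config group-policy portal
show access-list VPNF
show vpn-sessiondb remote
```

Watch the hit counts in show access-list VPNF while the test user resolves a name and then tries RDP: the DNS entries should increment and the RDP attempt should fail without any entry matching. Do not reuse VPNF as an interface access-group; vpn-filter ACLs are meant to be dedicated to the group policy.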