12-08-2010 10:17 AM
I have setup a Site-to-Site VPN using the Wizard on an
ASA 5510, and that works.
However I would like to restrict the traffic to http only.
I tried changing the ACL entry which allows ip traffic, to only allow http traffic, but that appears to block all traffic, and results in an entry in the Log:
Inbound TCP connection denied from X to Y/80 flags SYN on interface Inbound.
I did manage to block pings by entering an ACL rule to specifically deny icmp, but I'd like to deny everything except http.
Any advice on how to achieve this appreciated.
William.
12-08-2010 10:43 AM
Hi,
Since IPsec is defined by IP ACLs, all IP traffic is permitted by default through the tunnel.
The recommended way to filter traffic is to create another ACL and apply it to a vpn-filter.
Check how is done:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/vpngrp.html
(search vpn-filter)
Hope it helps.
Federico.
12-08-2010 03:09 PM
Federico,
Thanks for the speedy response.
The ACLs I was referring to are indeed a vpn-filter but it seems to need an ACE filter to "permit ip" which effectively allows all traffic that is not explicitly denied.
Is there a way to Deny ALL traffic except http for example, or am I missing something ?
William
12-08-2010 03:45 PM
Hi,
Guess this is what you are looking for. Look at the Bidirectional VPN filter config section.
12-09-2010 12:26 PM
I would have thought the Bi-Directional VPN section was the answer but it doesn't seem to work (for me).
As in the first message.
When I setup the vpn-filter ACL (Arrow_Deny) to include the:
access-list Arrow_Deny extended permit ip 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0
which permits all IP traffic.
The VPN works but it lets everything through, so...
If I change it (using the GUI) to allow http instead of ip so the line becomes:
access-list Arrow_Deny extended permit tcp 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0 eq www
The log viewer shows the next attempt to start a browser to the remote site is rejected:
Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN on interface Inside
What am I doing wrong ?
Or is there a problem with the approach ?
William
12-09-2010 12:34 PM
As per the doc
When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.
Is it configured this way on your end too? Remote subnet should be in the source address of the acl.
12-09-2010 01:49 PM
You were quite correct, however I had tried it both ways round as it did confuse me.
So with the ACL as:
access-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www
and the result is exactly the same:
Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN on interface Inside
William
12-09-2010 02:03 PM
Is MyRemoteSite the ip subnet for your remote site?
And also 10.0.0.6 will not match in the 10.0.1.0 255.255.255.0 subnet right. I'm not sure what direction the traffic is getting blocked. Seems like on the inside interface when you are initiating the traffic to 10.0.0.6 on port 80. Is 10.0.0.6 the remote host?
Can you run a packet tracer too and see where is it blocked?
12-09-2010 03:05 PM
Yes MyRemoteSite is 10.0.0.0 / 255.255.255.0 (I have actually changed the name to Arrow now while trying different setups.)
The MyPCName is a PC on the 10.0.1.x LAN which happens to be named for another ACL rule elsewhere.
The remote web server is at 10.0.0.6 on the remote end of the VPN.
Yes. The error message implies it is on the inside interface.
How do I run a packet trace for web traffic on port 80, is that similar to a tracert ?
From my simplistic viewpoint - When I use the vpn filter to allow "ip" it all works, but when I change that to only allow "http" it fails, so I suspect the fault is in the applying of the http filter.
So MyPCName (10.0.1.x) is browsing over the VPN to a remote PC web server at 10.0.0.6.
When the allow "ip" is used I can browse to the web site, and ping in each direction, and probably do far more.
when "http" only is allowed - it seems nothing gets through.
Ultimately I want to allow browsing to the web server but don't want any other traffic to go in either direction.
Thanks for your assistance.
12-09-2010 03:28 PM
In that case your acl access-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www is wrong.
Change it to access-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 eq www 10.0.1.0 255.255.255.0
12-10-2010 12:57 AM
Took me a bit of searching to find how to do that in the ASDM GUI and it ended up as:
access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0 eq www
which I assume is meant to allow www in both directions, but it made no difference - same error.
12-10-2010 02:59 AM
You shouldn't have www as the source port as well. The source port should be any since it is randomly generated.
12-10-2010 03:21 AM
No that would be wrong again. As I mentioned previously the access-list should look like:
access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0
The www port on your local subnet is not required as that would be a random port
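The following is an added example, not part of the thread and not Cisco's code. It models the vpn-filter matching rule quoted from the doc earlier in the thread: the ACE is written with the remote network as source and the local network as destination, and it is assumed here that the ASA checks traffic leaving the local LAN against that same ACE with addresses and ports swapped. Run against the ACEs tried in the thread, it shows why "eq www" on the local side blocks the browser's SYN (the connection's destination port 80 lands in the swapped source-port slot) and why "eq www" on the remote side permits only HTTP initiated from the local LAN. The host 10.0.1.20, the source port 51000 and the object-name table are constructed values.

```python
"""Model of how an ASA vpn-filter ACE is evaluated against a flow.

Added example, not from the thread or from Cisco. It encodes the rule the
thread quotes from the Cisco doc (remote network in the source position,
local network in the destination position) plus the assumption that the
ASA matches outbound traffic against the same filter with addresses and
ports swapped. Object names and the host 10.0.1.20 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the ASA network objects named in the thread.
OBJECTS = {"Arrow": "10.0.0.0", "MyRemoteSite": "10.0.0.0"}
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip" or a transport protocol such as "tcp"
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _network(tokens, i):
    """Parse 'any' or '<object|address> <netmask>' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr = OBJECTS.get(tokens[i], tokens[i])
    return ipaddress.IPv4Network(f"{addr}/{tokens[i + 1]}"), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES[name] if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _network(t, 5)
    sport, i = _port(t, i)
    dst, i = _network(t, i)
    dport, _ = _port(t, i)
    return Ace(t[4], src, sport, dst, dport)


def _matches(ace: Ace, proto, src, sport, dst, dport) -> bool:
    """True if one ACE covers the (already direction-adjusted) 5-tuple."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(src) not in ace.src:
        return False
    if ipaddress.IPv4Address(dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport


def vpn_filter_permits(aces, flow: Flow, direction: str) -> bool:
    """'inbound' flows arrive from the tunnel (remote -> local) and are matched
    as written; 'outbound' flows leave the local LAN and are matched with
    src/dst and ports swapped (assumed model). Anything unmatched is denied."""
    if direction == "outbound":
        src, sport, dst, dport = flow.dst, flow.dport, flow.src, flow.sport
    else:
        src, sport, dst, dport = flow.src, flow.sport, flow.dst, flow.dport
    return any(_matches(a, flow.proto, src, sport, dst, dport) for a in aces)


# Constructed flows: 10.0.1.20 stands in for MyPCName, 10.0.0.6 is the
# remote web server from the thread, 51000 is an arbitrary client port.
LOCAL_TO_REMOTE_HTTP = Flow("tcp", "10.0.1.20", 54776, "10.0.0.6", 80)
REMOTE_TO_LOCAL_HTTP = Flow("tcp", "10.0.0.6", 51000, "10.0.1.20", 80)
LOCAL_PING = Flow("icmp", "10.0.1.20", 0, "10.0.0.6", 0)

# The ACEs tried in the thread, with the remote site (Arrow) in the source position.
ATTEMPTS = {
    "permit_ip": "access-list Arrow_Deny extended permit ip Arrow 255.255.255.0 10.0.1.0 255.255.255.0",
    "www_on_local_side": "access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 10.0.1.0 255.255.255.0 eq www",
    "www_on_both_sides": "access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0 eq www",
    "www_on_remote_side": "access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0",
}


def evaluate(ace_line: str) -> dict:
    """Return which of the three constructed flows a single-ACE filter permits."""
    aces = [parse_ace(ace_line)]
    return {
        "local_to_remote_http": vpn_filter_permits(aces, LOCAL_TO_REMOTE_HTTP, "outbound"),
        "remote_to_local_http": vpn_filter_permits(aces, REMOTE_TO_LOCAL_HTTP, "inbound"),
        "local_ping": vpn_filter_permits(aces, LOCAL_PING, "outbound"),
    }


if __name__ == "__main__":
    for label, line in ATTEMPTS.items():
        print(f"{label:20} {evaluate(line)}")
```

Running it shows the accepted ACE ("www_on_remote_side") permitting only the local PC's connection to 10.0.0.6:80 and denying both a remote host connecting to a local port 80 and ICMP, while "www_on_local_side" does the opposite: it would let the remote site reach local web servers but not the browser session the thread wanted. Note that the real ASA is stateful, so return packets of a permitted connection are allowed by the connection table rather than by re-evaluating the filter; the model above only decides whether a new connection may be set up.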
12-10-2010 06:21 AM
Thanks for your patience.
That looks like it is doing exactly as we want now
William
03-22-2011 06:03 AM
Not sure if this thread is still open...but if you have the time your expertise would be appreciated.
I am now looking to do virtually the same for another site to site VPN, however this time I want the local site to hide behind a single NAT.
What would I need to change to achieve this ?