cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
14663
Views
6
Helpful
15
Replies

How do I block traffic on a Site to Site VPN

mcinroywood10
Level 1
Level 1

I have setup a Site-to-Site VPN using the Wizard on an

ASA 5510, and that works.

However I would like to restrict the traffic to http only.

I tried changing the ACL entry which allows ip traffic, to only allow http traffic, but that appears to block all traffic, and results in an entry in the Log:

Inbound TCP connection denied from X to Y/80 flags SYN on interface Inbound.

I did manage to block pings by entering an ACL rule to specifically deny icmp, but I'd like to deny everything except http.

Any advice on how to achieve this appreciated.

William.

2 Accepted Solutions

Accepted Solutions

Hi,

Guess this is what you are looking for. Look at the Bidirectional VPN filter config section.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

View solution in original post

No that would be wrong again. As I mentioned previously the access-list should look like:

access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0

The www port on your local subnet is not required as that would be a random port

View solution in original post

15 Replies 15

Hi,

Since IPsec is defined by IP ACLs, all IP traffic is permitted by default through the tunnel.

The recommended way to filter traffic is to create another ACL and apply it to a vpn-filter.

Check how is done:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/vpngrp.html

(search vpn-filter)

Hope it helps.


Federico.

Federico,

Thanks for the speedy response.

The ACLs I was refering to are indeed a vpn-filter but it seems to need a ACE filter to "permit ip" which effectively allows all traffic that is not explicitly denied.

Is there a way to Deny ALL traffic except http for example, or am I missing something ?

William

Hi,

Guess this is what you are looking for. Look at the Bidirectional VPN filter config section.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

I would have thought the Bi-Directional VPN section was the answer but it doesn't seem to work (for me).

As in the first message.

When I setup the vpn-filter ACL (Arrow_Deny) to include the:

     access-list Arrow_Deny extended permit ip 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0

which permist all IP traffic.

The VPN works but it lets everything through, so...

If I change it (using the GUI) to allow http instead of ip so the line becomes:

     access-list Arrow_Deny extended permit tcp 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0 eq www

The log viewer shows the next attepmt to start a browser to the remote site is rejected:

     Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN  on interface Inside

What am I doing wrong ?

Or is there a problem with the approach ?

William

As per the doc

When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

access-list   ip  

Is it configured this way on your end too? Remote subnet should be in the source address of the acl.

You were quite correct, however I had tried it both ways round as it did confuse me.

So with the ACL as:

     access-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www

and the result is exactly the same:

  Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN  on interface Inside

William

Is MyRemoteSite the ip subnet for you remote site?

And also 10.0.0.6 will not match in the 10.0.1.0 255.255.255.0 subnet right. Am not sure what direction the traffic is getting blocked.Seems like on the inside interface when you are initiating the traffic to 10.0.0.6 on port 80. Is 10.0.0.6 the remote host?

Can you run a packet tracer too and see where is it blocked?


Yes MyRemoteSite is 10.0.0.0 / 255.255.255.0 (I have actually changed the name to Arrow now while trying different setups.)

The MyPCName is a PC on the 10.0.1.x LAN which happens to be named for another ACL rule elsewhere.

The remote web server is at 10.0.0.6 on the remote end of the VPN.

Yes. The error message implies it is on the inside interface.

How do I run a packet trace for web traffic on port 80, is that similar to a tracert ?

From my simplistic viewpoint - When I use the vpn filter to allow "ip" it all works, but when I change that to only allow "http" it fails, so I suspect the fault is in the applying of the http filter.

So MyPCName (10.0.1.x) is browsing over the VPN to a remote PC web server at 10.0.0.6.

When the allow "ip" is used I can browse to the web site, and ping in each direction, and probably do far more.

when "http" only is allowed - it seems nothing gets through.

Ultimately I want to allow browsing to the web server but don't want any other traffic to go in either direction.

Thanks for your assistance.

In that case your acl acess-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www is wrong.

Change it to acess-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 eq www 10.0.1.0 255.255.255.0

Took me a bit of searching to find how to do that in the ADSM GUI and it ended up as::

     access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0 eq www

which I assume is meant to allow www in both directions, but it made no difference - same error.

You shouldn't have www as the source port as well. The source port should be any since it is randomly generated.

No that would be wrong again. As I mentioned previously the access-list should look like:

access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0

The www port on your local subnet is not required as that would be a random port

Thanks for your patience.

That looks like it is doing exactly as we want now

William

Not sure if this thread is still open...but if you have the time your expertise would be apreciated.

I am now looking to do virtually the same for another site to site VPN, however this time I want the local site to hide behine a single NAT.

What would I need to change to achieve this  ?