ā12-08-2010 10:17 AM
I have setup a Site-to-Site VPN using the Wizard on an
ASA 5510, and that works.
However I would like to restrict the traffic to http only.
I tried changing the ACL entry which allows ip traffic, to only allow http traffic, but that appears to block all traffic, and results in an entry in the Log:
Inbound TCP connection denied from X to Y/80 flags SYN on interface Inbound.
I did manage to block pings by entering an ACL rule to specifically deny icmp, but I'd like to deny everything except http.
Any advice on how to achieve this appreciated.
William.
Solved! Go to Solution.
ā12-08-2010 03:45 PM
Hi,
Guess this is what you are looking for. Look at the Bidirectional VPN filter config section.
ā12-10-2010 03:21 AM
No that would be wrong again. As I mentioned previously the access-list should look like:
access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0
The www port on your local subnet is not required as that would be a random port
ā12-08-2010 10:43 AM
Hi,
Since IPsec is defined by IP ACLs, all IP traffic is permitted by default through the tunnel.
The recommended way to filter traffic is to create another ACL and apply it to a vpn-filter.
Check how is done:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/vpngrp.html
(search vpn-filter)
Hope it helps.
Federico.
ā12-08-2010 03:09 PM
Federico,
Thanks for the speedy response.
The ACLs I was refering to are indeed a vpn-filter but it seems to need a ACE filter to "permit ip" which effectively allows all traffic that is not explicitly denied.
Is there a way to Deny ALL traffic except http for example, or am I missing something ?
William
ā12-08-2010 03:45 PM
Hi,
Guess this is what you are looking for. Look at the Bidirectional VPN filter config section.
ā12-09-2010 12:26 PM
I would have thought the Bi-Directional VPN section was the answer but it doesn't seem to work (for me).
As in the first message.
When I setup the vpn-filter ACL (Arrow_Deny) to include the:
access-list Arrow_Deny extended permit ip 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0
which permist all IP traffic.
The VPN works but it lets everything through, so...
If I change it (using the GUI) to allow http instead of ip so the line becomes:
access-list Arrow_Deny extended permit tcp 10.0.1.0 255.255.255.0 MyRemoteSite 255.255.255.0 eq www
The log viewer shows the next attepmt to start a browser to the remote site is rejected:
Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN on interface Inside
What am I doing wrong ?
Or is there a problem with the approach ?
William
ā12-09-2010 12:34 PM
As per the doc
When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.
access-listip
Is it configured this way on your end too? Remote subnet should be in the source address of the acl.
ā12-09-2010 01:49 PM
You were quite correct, however I had tried it both ways round as it did confuse me.
So with the ACL as:
access-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www
and the result is exactly the same:
Inbound TCP connection denied from MyPCName/54776 to 10.0.0.6/80 flags SYN on interface Inside
William
ā12-09-2010 02:03 PM
Is MyRemoteSite the ip subnet for you remote site?
And also 10.0.0.6 will not match in the 10.0.1.0 255.255.255.0 subnet right. Am not sure what direction the traffic is getting blocked.Seems like on the inside interface when you are initiating the traffic to 10.0.0.6 on port 80. Is 10.0.0.6 the remote host?
Can you run a packet tracer too and see where is it blocked?
ā12-09-2010 03:05 PM
Yes MyRemoteSite is 10.0.0.0 / 255.255.255.0 (I have actually changed the name to Arrow now while trying different setups.)
The MyPCName is a PC on the 10.0.1.x LAN which happens to be named for another ACL rule elsewhere.
The remote web server is at 10.0.0.6 on the remote end of the VPN.
Yes. The error message implies it is on the inside interface.
How do I run a packet trace for web traffic on port 80, is that similar to a tracert ?
From my simplistic viewpoint - When I use the vpn filter to allow "ip" it all works, but when I change that to only allow "http" it fails, so I suspect the fault is in the applying of the http filter.
So MyPCName (10.0.1.x) is browsing over the VPN to a remote PC web server at 10.0.0.6.
When the allow "ip" is used I can browse to the web site, and ping in each direction, and probably do far more.
when "http" only is allowed - it seems nothing gets through.
Ultimately I want to allow browsing to the web server but don't want any other traffic to go in either direction.
Thanks for your assistance.
ā12-09-2010 03:28 PM
In that case your acl acess-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 10.0.1.0 255.255.255.0 eq www is wrong.
Change it to acess-list Arrow_Deny extended permit tcp MyRemoteSite 255.255.255.0 eq www 10.0.1.0 255.255.255.0
ā12-10-2010 12:57 AM
Took me a bit of searching to find how to do that in the ADSM GUI and it ended up as::
access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0 eq www
which I assume is meant to allow www in both directions, but it made no difference - same error.
ā12-10-2010 02:59 AM
You shouldn't have www as the source port as well. The source port should be any since it is randomly generated.
ā12-10-2010 03:21 AM
No that would be wrong again. As I mentioned previously the access-list should look like:
access-list Arrow_Deny extended permit tcp Arrow 255.255.255.0 eq www 10.0.1.0 255.255.255.0
The www port on your local subnet is not required as that would be a random port
ā12-10-2010 06:21 AM
Thanks for your patience.
That looks like it is doing exactly as we want now
William
ā03-22-2011 06:03 AM
Not sure if this thread is still open...but if you have the time your expertise would be apreciated.
I am now looking to do virtually the same for another site to site VPN, however this time I want the local site to hide behine a single NAT.
What would I need to change to achieve this ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide