How do I block traffic on a Site to Site VPN

mcinroywood10
Level 1

I have set up a Site-to-Site VPN using the Wizard on an ASA 5510, and that works.

However I would like to restrict the traffic to http only.

I tried changing the ACL entry that allows IP traffic to allow only HTTP traffic, but that appears to block all traffic and results in an entry in the log:

Inbound TCP connection denied from X to Y/80 flags SYN on interface Inbound.

I did manage to block pings by entering an ACL rule to specifically deny icmp, but I'd like to deny everything except http.

Any advice on how to achieve this appreciated.

William.

15 Replies

Atri Basu
Cisco Employee

You could define the interesting traffic such that only HTTP traffic is encrypted. That is, you can redefine the access-list that you use to define the traffic that should be encrypted to include only HTTP traffic. It would result in less overhead for your ASA than VPN-filters.

To find the access-list that defines your interesting traffic, look for a command that looks something like this:

crypto map outside_map 20 match address outside_cryptomap_20

In the above command, outside_cryptomap_20 is the name of the crypto map that defines the traffic that should be encrypted. You can modify this access-list to encrypt only HTTP traffic. Keep in mind that whatever change you make on one side of the tunnel, you will have to mirror on the other end of the tunnel as well.
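As an added illustration of the change described in the reply above (not configuration from the thread or from Cisco), the wizard-style crypto ACL narrowed to HTTP on both peers. The names outside_map and outside_cryptomap_20 come from the reply; 192.168.10.0/24 (this site), 192.168.20.0/24 (remote site) and PEER-IP are constructed placeholders.

```cisco
! Added example, not from the thread. Subnets and PEER-IP are placeholders.

! --- Before: the wizard ACL makes all IP traffic between the subnets "interesting"
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! --- After: only HTTP is interesting traffic
no access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! Local clients browsing web servers at the remote site
access-list outside_cryptomap_20 extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
! Remote clients browsing web servers at this site (drop this line if only one
! direction is wanted; it is the return path of the peer's mirrored rule)
access-list outside_cryptomap_20 extended permit tcp 192.168.10.0 255.255.255.0 eq www 192.168.20.0 255.255.255.0

! The crypto map entry referencing the ACL stays as it was
crypto map outside_map 20 match address outside_cryptomap_20

! --- Mirror on the peer ASA: source and destination swapped, same ports
access-list outside_cryptomap_20 extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq www
access-list outside_cryptomap_20 extended permit tcp 192.168.20.0 255.255.255.0 eq www 192.168.10.0 255.255.255.0

! --- Verify: clear the existing SA so the new proxy identities are negotiated,
! then confirm "local ident"/"remote ident" show the port 80 selectors
clear crypto ipsec sa peer PEER-IP
show crypto ipsec sa peer PEER-IP
```

Traffic that no longer matches the crypto ACL is not dropped by the crypto map; it is handled as ordinary outbound traffic (NAT and interface ACLs apply), so if the goal is to deny non-HTTP traffic outright rather than just leave it unencrypted, an interface ACL or vpn-filter is still required.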