How to secure VPN Tunnel

Amardeep Kumar
Level 1

Hello ,

I have set up a VPN tunnel between an ASA and a PIX. I want to implement security on the ASA or PIX so that some specific IPs from the remote end can access the tunnel resources. Is it possible to block the extra IPs?

Thanks

Amardeep


ajay chauhan
Level 7

Hi Ajay,

I have tried your link and configured the VPN filter, but I am still not able to restrict remote users from coming in. I have 4 site-to-site tunnels on an ASA 5505. I just want to configure a VPN filter on one of them.

What do the commands sysopt connection permit-ipsec and sysopt connection permit-vpn mean?

Thanks

Amardeep Rana

Hi Amardeep,

Using sysopt connection permit-ipsec (or permit-vpn), the ASA/PIX bypasses any access-lists applied to interfaces for traffic being sent across the IPsec tunnel. Otherwise, if PIXFIREWALL had an access-list applied for incoming traffic on its outside interface, the traffic would be dropped unless explicitly permitted.

On your first question, I see that you already had a VPN tunnel set up between the ASA and PIX. Was the tunnel UP while you configured the vpn-filter command? If so, you need to reset the tunnel to activate the vpn-filter, meaning clear the tunnel and bring it back up.

Also, you don't really need to go for vpn-filter unless you specifically want to restrict the traffic at L4 or restrict port-based traffic. All you can do is just allow specific IP addresses in the crypto VPN access rules.

Regards,

Mohit

Mohit Paul CCIE-Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Hi Mohit,

I have run the command clear ipsec sa peer xx.xx.xx.xx to clear the tunnel,

but what command do I use to bring the tunnel up? Or do I need to recreate it from scratch?

I have recreated the tunnel, but I am still not able to get the vpn filter to work.

thanks

Amardeep

Hi,

Reconfiguring the tunnel was not required; just a reset was required.

You can post your configuration; someone can surely take a look at it and suggest the missing part.

Thanks

Ajay

Hi Amardeep,

To bring up the tunnel, generate the interesting traffic, and the tunnel will come up once it matches the crypto ACL.

I wanted to put this in my last reply but assumed you might have configured the vpn-filter ACL correctly. Just to confirm: you need to create the vpn-filter ACL in the inbound direction, meaning for traffic coming from outside to inside, and not the same as the crypto/VPN ACL, which is from inside to outside.

Once the tunnel is up, run a continuous ping across the tunnel and please share the output of "show vpn-sessiondb detail l2l".

Regards,

Mohit

Mohit Paul CCIE-Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
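Pulling the two points of this thread together (restricting the crypto ACL to specific hosts, and writing the vpn-filter ACL in the inbound direction and binding it to just one tunnel-group), here is an added ASA configuration example; it is not from anyone in the thread, and every hostname, ACL name, group-policy name and address in it is constructed.

```cisco
! Added example, not from the thread. Constructed values: local LAN 10.1.1.0/24,
! remote peer 203.0.113.5, and only remote host 192.168.2.10 may reach local
! server 10.1.1.20. Transform set ESP-AES-SHA and the IKE policy are assumed
! to exist already, as they would on a working tunnel.
!
! 1. Crypto ACL: interesting traffic, written inside->outside. Listing only the
!    allowed remote host means no SA is ever negotiated for other remote
!    addresses ("allow specific IPs in the crypto vpn access rules").
access-list CRYPTO-TO-REMOTE extended permit ip host 10.1.1.20 host 192.168.2.10
!
! 2. vpn-filter ACL: written in the INBOUND direction (source = remote,
!    destination = local). The ASA checks it for decrypted traffic leaving the
!    tunnel and, with source/destination swapped, for traffic about to be
!    encrypted, so one inbound-style ACL covers both directions. This one also
!    limits the remote host to HTTPS on the server (the L4 restriction the
!    thread says is the real reason to use vpn-filter at all).
access-list VPN-FILTER-REMOTE extended permit tcp host 192.168.2.10 host 10.1.1.20 eq 443
access-list VPN-FILTER-REMOTE extended deny ip any any log
!
! 3. Bind the filter to a group policy used only by this tunnel-group, so the
!    other site-to-site tunnels on the same box keep their own policy.
group-policy GP-REMOTE-FILTERED internal
group-policy GP-REMOTE-FILTERED attributes
 vpn-filter value VPN-FILTER-REMOTE
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP-REMOTE-FILTERED
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key <REPLACE-WITH-PSK>
!
! 4. Crypto map entry for this peer.
crypto map OUTSIDE-MAP 10 match address CRYPTO-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! 5. With sysopt connection permit-vpn (the ASA default), the outside interface
!    ACL is bypassed for decrypted tunnel traffic, so the vpn-filter above is
!    the only thing screening what comes out of this tunnel.
sysopt connection permit-vpn
!
! 6. A filter added to an established tunnel only takes effect after the SA is
!    reset; clear it, let interesting traffic rebuild it, then verify.
clear crypto ipsec sa peer 203.0.113.5
show vpn-sessiondb detail l2l
```

In the show vpn-sessiondb output, confirm the session for 203.0.113.5 lists VPN-FILTER-REMOTE as its filter; if it does not, the group-policy is not the one the tunnel-group is actually using.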