11-29-2011 06:39 AM
Hello,
I have set up a VPN tunnel between ASA and PIX. I want to implement security on ASA or PIX so that some specific IPs from the remote end can access the tunnel resources. Is it possible to block extra IPs?
Thanks
Amardeep
11-29-2011 08:54 AM
Please read this link; you can implement VPN-Filter.
Thanks
Ajay
12-11-2011 02:58 AM
Hi Amardeep,
Using sysopt connection permit-ipsec (or permit-vpn), ASA/PIX bypasses any access-lists applied to interfaces for traffic being sent across the IPsec tunnel. Otherwise, if PIXFIREWALL had an access-list applied for incoming traffic on its outside interface, the traffic would be dropped unless explicitly permitted.
On your first question, I see that you already had a VPN tunnel set up between ASA and PIX. Was the tunnel UP while you configured the vpn-filter command? If that's right, then you need to reset the tunnel to activate the vpn-filter, meaning clear the tunnel and bring it back up.
Also, you don't really need to go for vpn-filter unless you specifically want to restrict traffic at L4 or port-based traffic. All you can do is just allow specific IP addresses in the crypto VPN access rules.
Regards,
Mohit
12-10-2011 04:37 AM
Hi Ajay,
I have tried your link and configured the VPN filter. But still I am not able to restrict remote users from coming in. I have 4 site-to-site tunnels on ASA 5505. I just want to configure VPN filter on one.
What do the commands sysopt connection permit-ipsec and sysopt connection permit-vpn mean?
Thanks
Amardeep Rana
12-12-2011 01:03 AM
Hi Mohit,
I have run the command clear ipsec sa peer xx.xx.xx.xx to clear the tunnel,
but what command do I use to bring the tunnel up, or do I need to recreate it from scratch?
I have recreated the tunnel but still am not able to allow vpn filter.
Thanks
Amardeep
12-12-2011 01:07 AM
Hi,
Reconfiguring the tunnel was not required; just a reset was required.
You can post your configuration; someone can for sure take a look at it and suggest the missing part.
Thanks
Ajay
12-15-2011 06:36 AM
Hi Amardeep,
To bring up the tunnel, generate the interesting traffic, and the tunnel will come up on matching the crypto ACL.
I wanted to put this in my last reply but assumed you might have configured the vpn-filter ACL correctly. Just to confirm: have you created the vpn-filter ACL in the inbound direction, meaning for traffic coming from outside to inside, and not the same as the crypto/VPN ACL, which is from inside to outside?
Once the tunnel is up, run a continuous ping across the tunnel and please share the output of "show vpn-sessiondb detail l2l".
Regards,
Mohit
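The direction point Mohit raises above is the part that is easiest to get wrong, so here is an added ASA configuration example (not posted by anyone in this thread, and not Cisco's own documentation) that puts the pieces together: a crypto ACL written local-to-remote, a vpn-filter ACL written remote-to-local, the filter attached to a group policy that only one tunnel-group uses so the other site-to-site tunnels on the same ASA are untouched, and the SA reset that makes the filter take effect. All names, addresses and the peer IP are assumptions; the syntax is the 8.2-era ASA CLI in use when this thread was written.

```cisco
! Added example, not from the thread. Assumed topology:
!   Local LAN  : 10.1.1.0/24 behind this ASA
!   Remote LAN : 10.2.2.0/24 behind the PIX, whose outside address is 203.0.113.2
! Goal: only 10.2.2.10 and 10.2.2.20 on the remote side may reach the local LAN.

! Crypto ACL (interesting traffic), written from the LOCAL side: inside -> outside.
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! vpn-filter ACL, written from the REMOTE side: source = remote host,
! destination = local network. The ASA evaluates it against decrypted tunnel
! traffic (and swaps source/destination for the return direction), so this is
! the opposite orientation from the crypto ACL. The implicit deny at the end
! drops every other remote address arriving through the tunnel.
access-list L2L_FILTER extended permit ip host 10.2.2.10 10.1.1.0 255.255.255.0
access-list L2L_FILTER extended permit ip host 10.2.2.20 10.1.1.0 255.255.255.0

! Attach the filter to a dedicated group policy; the other tunnel-groups on this
! ASA keep using their own policy and are not filtered.
group-policy L2L_PIX_POLICY internal
group-policy L2L_PIX_POLICY attributes
 vpn-filter value L2L_FILTER

! Point only the PIX peer's (already existing) tunnel-group at that policy.
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_PIX_POLICY

! Default on ASA: decrypted tunnel traffic bypasses the interface ACLs.
! The vpn-filter is still enforced, which is why it is the right place for
! per-host restrictions on tunnel traffic.
sysopt connection permit-vpn

! The filter is applied when the SA is built, so an already-up tunnel keeps its
! old (unfiltered) state until it is reset. Exec-mode commands:
!   clear crypto ipsec sa peer 203.0.113.2
! then send interesting traffic (e.g. a ping from 10.1.1.0/24 to 10.2.2.0/24)
! to re-establish the tunnel, and verify the filter is attached with:
!   show vpn-sessiondb detail l2l
```

If the requirement is only "which remote IPs may use the tunnel" with no port-level restriction, the crypto ACL alone can do it (list the two hosts instead of 10.2.2.0/24, and mirror that on the PIX), which is the simpler option Mohit mentions; the vpn-filter is the tool when you need to allow a host but limit it to particular protocols or ports.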