04-22-2010 06:50 AM
Hi Guys
Could anyone help me with the following issue?
I want to filter traffic between two EzVPN (IOS) clients. The hub is an ASA running 8.04 code.
client1 is allowed to access the local networks of client2, but client2 is not allowed to access the client1 local subnet. Both clients are allowed to access the inside network of the ASA.
Both client networks are known to the ASA by means of RRI.
I read that in vpn-filter acl the source part is used for the remote network and the destination part for the local network.
I was thinking of using the vpn-filter feature and linking it to the user1 and user2 accounts. Something like this:
!
username user1 password pwd1
username user1 attributes
 vpn-filter value acl1
!
username user2 password pwd1
username user2 attributes
 vpn-filter value acl2
!
! acl1: client1 may talk to anything behind the hub
access-list acl1 extended permit ip any any
!
! acl2: client2 may only talk to the ASA inside network
access-list acl2 extended permit ip subnet1 mask1 inside_net inside_mask
Unfortunately this is not working... why? Any ideas how to fix this?
Regards
Hielke
04-22-2010 11:19 AM
Hi,
Are the EzVPN clients in NEM or Client mode?
As for now, both clients can access each other's LAN, correct?
Are you getting hitcounts on the acl1 and acl2 when sending traffic?
Federico.
04-22-2010 11:57 PM
Hi Federico,
Thx for your reply. Both clients are in NEM mode.
Both clients can reach the inside network, but client1 can't reach the inside network of client2 (which it should).
When I'm sourcing a ping from the client1 inside network to the client2 inside network, the acl1 counter is increasing, the acl2 counter is not.
Hope this helps...?
Regards
Hielke
04-23-2010 07:17 AM
If the IOS clients are in NEM mode that means they keep their IP addresses.
So, client1 LAN should reach client2 LAN through the ASA correct?
In order to allow client1 to reach client2 through the ASA, several things need to happen:
1. The ASA should have the same security permit intra-interface command
2. The client1 LAN should be encrypted in an ACL that goes to client2 tunnel (and vice versa).
3. The NAT and route rules should be properly configured.
Is it possible for you to attach the configs?
Federico.
04-26-2010 11:43 PM
Hi Federico,
I agree both clients should be able to reach each other's inside network. In fact this is indeed the case if I don't use any filter ACL at all.
So
1. Yes, permit intra-interface is in the cfg.
2. ??? This is EzVPN; there is no crypto ACL.
3. I checked on NAT; client and ASA NAT (exempt) are working fine. Proof is the fact that things are working without any ACL.
So I think it boils down to the definition and possibilities of defining a filter ACL. The problem is how do I define local and remote with regards to intra-client traffic? To make things worse, I read the ACL is bidirectional...
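Worked configuration for the setup discussed in this thread, added here as an example and not taken from any of the posts above. It assumes constructed addresses (client1 LAN 10.1.1.0/24, client2 LAN 10.2.2.0/24, ASA inside 192.168.0.0/24) and the documented vpn-filter convention: the ACL is written with the remote client's network as source and the network behind the ASA (inside LAN, or the other client's LAN learned via RRI) as destination, and the ASA swaps source and destination before matching traffic that leaves towards the client.

```cisco
! Constructed addressing for this example (not from the thread):
!   client1 LAN = 10.1.1.0/24, client2 LAN = 10.2.2.0/24, ASA inside = 192.168.0.0/24
!
! Hairpinned client-to-client traffic must be allowed on the outside interface
same-security-traffic permit intra-interface
!
! acl1 (applied to client1's tunnel): client1 may reach anything behind the hub,
! including client2's LAN learned via RRI
access-list acl1 extended permit ip 10.1.1.0 255.255.255.0 any
!
! acl2 (applied to client2's tunnel): client2 may reach the ASA inside network freely
access-list acl2 extended permit ip 10.2.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! A client1 -> client2 packet is also checked against acl2 on its way out to client2,
! with the addresses swapped, so acl2 must permit client2 -> client1 for the flows that
! client1 is supposed to initiate. Limiting those lines to reply traffic (ICMP echo-reply
! and well-known *source* ports) stops client2 from opening arbitrary sessions to client1.
access-list acl2 extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list acl2 extended permit tcp 10.2.2.0 255.255.255.0 eq 22 10.1.1.0 255.255.255.0
access-list acl2 extended permit tcp 10.2.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
! Anything else sourced from client2 towards client1 hits the implicit deny at the end of acl2
!
username user1 password pwd1
username user1 attributes
 vpn-filter value acl1
!
username user2 password pwd1
username user2 attributes
 vpn-filter value acl2
```

Because the filter is matched statelessly in both directions, the client2 rules pin the permitted client1-initiated flows to echo-reply and specific source ports rather than to connection state. After a ping from the client1 LAN to the client2 LAN, `show access-list acl2` should show hits on the echo-reply line; if the counter stays at zero, the packet is being dropped by acl2 before it reaches client2.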