
Implementing vpn-filter Cisco ASA 8.2(1)

Jeroen Epema
Level 1

Hi there,

I have configured a vpn-filter which should allow an RDP connection to just one server and block all other traffic. The direction of the traffic is from the local subnet to the remote host.

Local subnet     192.168.5.0/24

Remote host     192.168.253.x

My access-list looks like this:

access-list l2l_ACL permit tcp host 192.168.253.200 eq 3389 192.168.5.0 255.255.255.0

Created a group-policy:

group-policy L2L_IGP internal
group-policy L2L_IGP attributes
 vpn-filter value l2l_ACL

Applied the group-policy to the tunnel-group:

tunnel-group x.x.x.x general-attributes
 default-group-policy L2L_IGP

I don't have anything configured regarding the statement "sysopt connection permit-vpn", I assume it's on by default.

Now, when I initiate an RDP to 192.168.254.x, I get a connection. It seems to me that the traffic is bypassed for some reason.

Any thoughts?

Regards

5 Replies

Jouni Forss
VIP Alumni

Hi,

Can you post the output of

show run all sysopt

This will list the current setting for

sysopt connection permit-vpn

So are you saying that your LAN users are connecting to the remote server with RDP and you want to limit this to only this destination IP?

Are you also saying the LAN users are also able to connect to other remote IPs?

Can you also post the output of

show access-list l2l_ACL permit

- Jouni

Hi Jouni,

Thanks for your quick reply.

Output "show run all sysopt"

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
no sysopt noproxyarp intern
no sysopt noproxyarp wds
no sysopt noproxyarp test
no sysopt noproxyarp guest
no sysopt noproxyarp management

I just want to allow an RDP connection to the remote host as mentioned. And yes, they can also connect to other remote IPs.

Output "show access-list l2l_ACL" (the permit option doesn't work)

access-list l2l_ACL line 1 extended permit tcp host 192.168.253.200 eq 3389 192.168.5.0 255.255.255.0 (hitcnt=0) 0xf2d72120

Regards
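As an added example (not code from the thread), a small Python checker that reads "show run all sysopt" and "show access-list" output in the shape quoted above: it confirms that permit-vpn is enabled, that each ACE follows the vpn-filter convention (remote side as source, local side as destination) and flags entries with hitcnt=0 like the one above. The sample outputs and the 192.168.253.0/24 remote prefix are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample outputs, shaped after the lines quoted in the thread.
SYSOPT_OUT = """\
no sysopt connection timewait
sysopt connection permit-vpn
sysopt connection reclassify-vpn
"""
ACL_OUT = """\
access-list l2l_ACL line 1 extended permit tcp host 192.168.253.200 eq 3389 192.168.5.0 255.255.255.0 (hitcnt=0) 0xf2d72120
access-list l2l_ACL line 2 extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0 (hitcnt=14) 0x1a2b3c4d
"""

LOCAL = ipaddress.ip_network("192.168.5.0/24")      # local subnet from the thread
REMOTE = ipaddress.ip_network("192.168.253.0/24")   # assumed remote prefix (192.168.253.x)
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)", re.M)

def _take_addr(tok):
    """Consume one ASA address spec (host X | any | NET MASK) and return it as a network."""
    kind = tok.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{kind}/{tok.pop(0)}")

def _skip_port(tok):
    """Drop an optional port operator (eq/gt/lt/neq N, range A B) following an address."""
    if tok and tok[0] in PORT_OPS:
        op = tok.pop(0)
        del tok[: 2 if op == "range" else 1]

def check_vpn_filter(sysopt_out, acl_out, local=LOCAL, remote=REMOTE):
    """Return a list of findings about permit-vpn state and each ACE's direction and hit count."""
    findings = []
    if not re.search(r"^sysopt connection permit-vpn$", sysopt_out, re.M):
        findings.append("sysopt connection permit-vpn is disabled: interface ACLs also apply to VPN traffic")
    for acl, line, action, proto, body, hits in ACE_RE.findall(acl_out):
        tok = body.split()
        src = _take_addr(tok); _skip_port(tok)
        dst = _take_addr(tok); _skip_port(tok)
        tag = f"{acl} line {line}"
        # vpn-filter ACLs are written with the remote side as source and the local side as destination
        if not (src.subnet_of(remote) and dst.subnet_of(local)):
            findings.append(f"{tag}: source/destination not in vpn-filter (remote -> local) order")
        if int(hits) == 0:
            findings.append(f"{tag}: hitcnt=0, filter has not matched any traffic")
    return findings

if __name__ == "__main__":
    for f in check_vpn_filter(SYSOPT_OUT, ACL_OUT):
        print(f)
```

A hitcnt that stays at 0 while RDP sessions succeed means the sessions are not being evaluated by this filter at all, which is the symptom described in the original post.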

Post config

Jawad

Jeroen Epema
Level 1

Hi,

Strange things have happened...

For whatever reason suddenly this morning the configured ACL, mentioned in my first post, is working. Because this ACL was for testing purposes, I removed it. But that didn't work either, it looked to me like it kept the configured ACL.

I will post my config soon.

Regards

Jeroen Epema
Level 1

Hi,

I have replaced the ASA with another one (new version as well, 9.0.2). I am gonna try the same thing on this device, will get back if the problem comes back on this one.

Regards