05-01-2012 10:15 PM
Hi All,
I am accessing my office network through RAS VPN as I have a static IP on my home modem. Now I want to create an access-list so that I should be able to access my office network through that static IP only. I tried the ACLs given below on my office firewall but it did not work for me.
Example:
access-list 101 permit udp host 10.0.0.1 interface outside eq 500
access-list 101 permit esp host 10.0.0.1 interface outside
access-group 101 in interface outside
Any idea?
Thanks in advance
Regards
Tash
05-02-2012 04:53 PM
Hello Guys,
Tash, so you say that now you purchased a static IP for your home and now you want your ASA to only accept that IP. You are using the Cisco VPN Client, right?
Amatahen, you are right that the sysopt connection permit-vpn will allow the encrypted traffic to bypass the access-group, but this is not encrypted traffic but negotiation traffic; since this is AM we're gonna use 3 packets (UDP 500, but if any side is behind NAT packets #2 and #3 will go in UDP 4500 instead of 500).
The access-group filters through-the-box traffic, NOT to-the-box traffic, so in order to accomplish this you would need to create an access-group allowing your home IP, but the trick is that your access-group must be configured with the control-plane keyword at the end. Be careful, you will also need to allow SSH, HTTPS, etc. depending on the services you are running on that device.
Regards,
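The to-the-box ACL described in this reply, written out as an added example (it is not from any post in this thread). HOME_STATIC_IP and ADMIN_HOST are placeholders, and the SSH/HTTPS lines assume the ASA is managed from the outside interface:

```cisco
! Added example, not from the thread. Replace HOME_STATIC_IP with the public
! address of the home modem and ADMIN_HOST with the host the ASA is managed from.
!
! IKE Aggressive Mode negotiation from the Cisco VPN Client arrives on UDP 500,
! and on UDP 4500 once NAT-T is detected (packets 2 and 3 move there when either
! side is behind NAT).
access-list TO_ASA_OUTSIDE extended permit udp host HOME_STATIC_IP interface outside eq 500
access-list TO_ASA_OUTSIDE extended permit udp host HOME_STATIC_IP interface outside eq 4500
! Plain ESP (IP protocol 50) for the case where NAT-T is not in use.
access-list TO_ASA_OUTSIDE extended permit esp host HOME_STATIC_IP interface outside
!
! Management services terminate on the box as well, so they must be listed here,
! otherwise the implicit deny at the end of this ACL locks you out of SSH/HTTPS.
access-list TO_ASA_OUTSIDE extended permit tcp host ADMIN_HOST interface outside eq ssh
access-list TO_ASA_OUTSIDE extended permit tcp host ADMIN_HOST interface outside eq https
!
! The control-plane keyword is what makes this bind to to-the-box traffic.
! The same ACL applied without it (as in the earlier posts) only sees
! through-the-box traffic, which is why it showed no hit counts.
access-group TO_ASA_OUTSIDE in interface outside control-plane
!
! Check: "show access-list TO_ASA_OUTSIDE" should show the hitcnt on the UDP 500
! line climbing while connecting from HOME_STATIC_IP, and a connection attempt
! from any other source address should now fail to negotiate.
```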
05-02-2012 05:48 AM
Hello Tash,
By default, all encrypted traffic bypasses the interface access-list as per the command:
sysopt connection permit-vpn
Which is not visible in "show run" but you can see it with "show run all".
Disable it and then you will be able to control the VPN based on the ACL. Keep in mind, if you are using the IPsec Remote Access VPN Client, you will need to open UDP port 4500.
HTH
AMatahen
05-02-2012 09:13 AM
Hi AMatahen,
Thanks for your prompt reply.
I tried to access the RAS VPN from a different source IP (a different service provider) but I am still able to access the outside interface of the firewall, and I could not see any hit count on the applied access-list.
Regards
Tash
05-02-2012 09:40 PM
Hi Gustavo,
Thanks for your reply. That's exactly what I want. Now could you please provide me the command structure for the same, as I have used the commands given below but they did not work for me:
access-list 101 permit udp host 10.0.0.1 interface outside eq 500
access-list 101 permit esp host 10.0.0.1 interface outside
access-group 101 in interface outside
Hence the traffic is to the firewall, not through it. So how can I bind it with control-plane traffic?
Awaiting your reply.
Regards
Tash.
05-02-2012 11:25 PM
Thanks a ton Gustavo... Got it...
Regards
Tash
05-03-2012 07:52 AM
Cool!! Glad to know it worked!