Soeren Rosiak

Restrict Site-To-Site Access.

Hi there.

Got a very simple Site to Site VPN setup.

LAN1, |----ASA-----------------| INTERNET |-----------------ASA----|, LAN2

Is it somewhat possible to restrict access from LAN1 -> LAN2 over VPN?

How is this done? And on which unit is the ACL placed? Both ends?

Say I have HostA on LAN1 that wants to access HostB on LAN2 on port 80.

And say I have HostB on LAN2 that wants to access HostA on LAN1 on port 443.

By default, as far as I know, all access is allowed.


Jan Rolny


Yes, it is possible to limit access, but it depends on how your ASA is configured. I think by default the option "sysopt connection permit-vpn" is enabled, so any traffic that passes the tunnel and is decrypted on the remote site is allowed and bypasses ACL control.

If you disable this option, it starts controlling traffic by the ACLs defined in your ASA boxes.

Also, the "interesting" traffic which should be encrypted and pass the tunnel is specified in the crypto map.

Please see this link which describes the sysopt option:

Best regards,


Hi Jan.

ATM the crypto map is just basic:

access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks

Would the best solution be to only allow the specific traffic in the crypto map ACL, if this is possible at all?

Or to have a separate VPN-FILTER acl?



Hi Søren,

Because there are mostly problems with configuring L2L tunnels, and the crypto map and other things must match to establish the IPsec tunnel, I would leave your crypto map simple.

You can use VPN-FILTER, but I would disable sysopt connection permit-vpn and then create an ACL for the specific traffic.



Hi Jan.

Great that was my initial thought.

But I'm not sure how to implement this ACL.

I've read in some places that the ACL needs to be placed on the "outside" interface?

And I've read in other places that it needs to be placed under the tunnel-group?

Here is my config if that may help:


interface Vlan1
 nameif inside
 security-level 100
 ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
object-group network all_networks
!
object-group network inside_networks
!
object-group network remote_networks
!
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip object-group inside_networks object-group all_networks
access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_access_in in interface outside
route outside 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key xxxxx

Of course edited from the real config.

Hi Søren,

You already have an ACL applied on the outside interface with this command:

access-group outside_access_in in interface outside

And the ACL is:

access-list outside_access_in extended permit icmp any any. In this case you have permitted just ping.

So when you add the next rules to ACL outside_access_in which match the traffic in your L2L tunnel, it should work.



Hi Jan.

I'm aware of that, it's just that Cisco's site states the following:

"An ACL that is used for a vpn-filter must not also be used for an interface access-group."



Yes, you are right, but I am talking about a normal ACL without using vpn-filter and with sysopt disabled.

So if you want to use vpn-filter, do it as the document describes.
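The vpn-filter alternative Jan mentions, shown as an added example that is not part of the thread and not taken from Søren's config. Addresses and names are assumed for illustration only: HostA = 10.1.1.10 in LAN1 behind ASA1, HostB = 10.2.2.20 in LAN2 behind ASA2, the remote peer is 198.51.100.2, and the ACL and group-policy names L2L_VPN_FILTER / L2L_RESTRICTED are invented.

```cisco
! Added example (not from the thread): restricting L2L traffic with a
! vpn-filter on ASA1 (the LAN1 side). Assumed values:
!   HostA = 10.1.1.10 (LAN1), HostB = 10.2.2.20 (LAN2), peer = 198.51.100.2
!
! A vpn-filter ACL is written from the remote side's point of view:
!   source      = remote (LAN2) address
!   destination = local  (LAN1) address
! The ASA applies the same ACL in both directions and swaps source and
! destination for outbound traffic, so "HostA may reach HostB on 80" is
! written with 80 as the *source* port of the remote host.
!
! sysopt connection permit-vpn can stay enabled; vpn-filter is evaluated
! either way. This ACL must NOT also be used in an access-group.

! HostB (LAN2) -> HostA (LAN1) on 443
access-list L2L_VPN_FILTER extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 443
! HostA (LAN1) -> HostB (LAN2) on 80 (reverse form: remote source port 80)
access-list L2L_VPN_FILTER extended permit tcp host 10.2.2.20 eq 80 host 10.1.1.10
! Log everything else that tries to cross the tunnel (implicit deny anyway)
access-list L2L_VPN_FILTER extended deny ip any any log

group-policy L2L_RESTRICTED internal
group-policy L2L_RESTRICTED attributes
 vpn-filter value L2L_VPN_FILTER

! Attach the policy to the existing L2L tunnel-group (named after the peer IP)
tunnel-group 198.51.100.2 general-attributes
 default-group-policy L2L_RESTRICTED
```

Because the filter is tied to the tunnel-group rather than to an interface, it only affects traffic inside the tunnel, and the existing outside_access_in ACL keeps governing non-VPN traffic. The same policy is normally mirrored on ASA2 with the source and destination hosts swapped; verify with "show vpn-sessiondb l2l" that the tunnel picked up the group-policy.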



Hi Jan.

Ah okay.

So it would actually be possible to use my outside_access_in to define the VPN traffic with sysopt disabled?



Hi Søren,

Yes, it is possible to use your existing ACL. Please notice that traffic from LAN1 to LAN2 has to be denied on ASA2, and also, if you want to limit traffic from LAN2 to LAN1, you have to modify the ACL on ASA1, because it is incoming traffic from outside to inside.
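The interface-ACL approach the thread settles on, written out for both ASAs as an added example (not from the thread, and not Søren's or Cisco's own config). Assumed values: HostA = 10.1.1.10 in LAN1 behind ASA1, HostB = 10.2.2.20 in LAN2 behind ASA2, with ASA2's local and remote networks given as plain subnets 10.2.2.0/24 and 10.1.1.0/24 because its object-group names are not shown in the thread.

```cisco
! Added example (not from the thread). Assumed addresses:
!   HostA = 10.1.1.10 in LAN1 (behind ASA1), HostB = 10.2.2.20 in LAN2 (behind ASA2)
!
! With "no sysopt connection permit-vpn", decrypted tunnel traffic is
! checked by the inbound ACL of the interface it terminates on (outside),
! exactly like any other packet arriving on that interface. Return traffic
! of a permitted connection is allowed by the stateful inspection, so each
! flow only needs an ACE on the ASA where it enters from the tunnel.

! ===== ASA1 (LAN1 side): inbound on outside after decryption = LAN2 -> LAN1 =====
no sysopt connection permit-vpn
! HostB (LAN2) -> HostA (LAN1) on 443
access-list outside_access_in extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 443
! Drop and log any other LAN2 -> LAN1 traffic (implicit deny would drop it silently)
access-list outside_access_in extended deny ip object-group remote_networks object-group inside_networks log
! The existing "permit icmp any any" ACE stays above these lines and still
! allows ping across the tunnel; remove it if ping should be blocked too.

! ===== ASA2 (LAN2 side): inbound on outside after decryption = LAN1 -> LAN2 =====
no sysopt connection permit-vpn
! HostA (LAN1) -> HostB (LAN2) on 80
access-list outside_access_in extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 80
! Drop and log any other LAN1 -> LAN2 traffic
access-list outside_access_in extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 log
```

Two things to check after applying this: "show access-list outside_access_in" on each ASA should show hit counts climbing on the new ACEs while a test connection runs, and because the bypass is now off, any other VPN (remote-access or another L2L) terminating on the same outside interface is subject to this ACL as well and needs its own permit lines.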



