02-19-2014 06:54 AM
Hi there.
Got a very simple Site to Site VPN setup.
LAN1, 172.16.0.0/24 |----ASA-----------------| INTERNET |-----------------ASA----|192.168.0.0/24, LAN2
Is it somewhat possible to restrict access from LAN1 -> LAN2 over VPN?
How is this done? And on which unit is the ACL placed? Both ends?
Say I have HostA on LAN1 that wants to access HostB on LAN2 on port 80.
And say I have HostB on LAN2 that wants to access HostA on LAN1 on port 443.
By default, as far as I know, all access is allowed.
Thanks!
02-19-2014 07:33 AM
Hi,
Yes, it is possible to limit access, but it depends on how your ASA is configured. I think by default the option "sysopt connection permit-vpn" is enabled, so any traffic passed through the tunnel and decrypted on the remote site is allowed and bypasses ACL control.
If you disable this option, it starts controlling that traffic by the ACLs defined in your ASA boxes.
Also, "interesting" traffic which should be encrypted and pass through the tunnel is specified in the crypto map.
Please see this link which describes the sysopt option:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html
Best regards,
Jan
02-19-2014 07:44 AM
Hi Jan.
ATM the crypto map is just basic:
access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks
Would the best solution be to only allow the specific traffic in the crypto map ACL, if this is possible at all?
Or to have a separate VPN-FILTER ACL?
Regards,
Søren
02-19-2014 08:13 AM
Hi Søren,
Because there are often problems with configuring L2L tunnels, and the crypto map and other things must match to establish the IPsec tunnel, I would leave your crypto map simple.
You can use VPN-FILTER, but I would disable sysopt connection permit-vpn and then create an ACL for the specific traffic.
HTH,
Jan
02-19-2014 09:46 AM
Hi Jan.
Great, that was my initial thought.
But I'm not sure how to implement this ACL.
I've read in some places that the ACL needs to be placed on the "outside" interface?
And I've read in other places that it needs to be placed under the tunnel-group?
Here is my config if that may help:
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.3 255.255.255.0
!
object-group network all_networks
network-object 172.16.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
object-group network inside_networks
network-object 172.16.0.0 255.255.255.0
object-group network remote_networks
network-object 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip object-group inside_networks object-group all_networks
access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key xxxxx
Of course edited from the real config.
02-20-2014 01:25 AM
Hi Søren,
You already have an ACL applied on the outside interface with this command:
access-group outside_access_in in interface outside
And the ACL is:
access-list outside_access_in extended permit icmp any any. In this case you have permitted just ping.
So when you add further rules to ACL outside_access_in which match the traffic in your L2L tunnel, it should work.
Regards,
Jan
02-20-2014 03:43 AM
Hi Jan.
I'm aware of that, it's just that Cisco's site states the following:
"An ACL that is used for a vpn-filter must not also be used for an interface access-group."
Regards,
Søren
02-20-2014 05:19 AM
Yes, you are right, but I am talking about a normal ACL without using vpn-filter and with sysopt disabled.
So if you want to use vpn-filter, do it as the document describes.
Regards,
Jan
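For readers who do want the vpn-filter route that Jan and Søren mention, here is an added example of what it looks like on ASA1 (the unit whose config is posted above). This is not configuration from the thread; it assumes HostA is 172.16.0.10, HostB is 192.168.0.10, and the names VPN_FILTER and L2L_POLICY are chosen here. Note the direction convention: a vpn-filter ACL is written with the remote (peer) network as the source and the local network as the destination, and the ASA applies it to both decrypted inbound and pre-encrypted outbound traffic, so the "HostA to HostB on port 80" flow is expressed with port 80 on the remote source side.

```text
! ASA1 (local LAN1 172.16.0.0/24, remote LAN2 192.168.0.0/24)
! vpn-filter ACL: source = remote side, destination = local side.
! Rule 1: HostB (remote) may open port 443 on HostA (local).
access-list VPN_FILTER extended permit tcp host 192.168.0.10 host 172.16.0.10 eq 443
! Rule 2: HostA (local) may open port 80 on HostB (remote); written from the
! remote perspective, so port 80 is the source port on the remote host.
access-list VPN_FILTER extended permit tcp host 192.168.0.10 eq 80 host 172.16.0.10
! Everything else through the tunnel hits the implicit deny at the end.
!
! Attach the filter through a group policy tied to the L2L tunnel-group.
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L_POLICY
!
! Leave sysopt connection permit-vpn enabled with this approach (the filter,
! not the interface ACL, controls tunnel traffic), and keep VPN_FILTER
! separate from outside_access_in as the Cisco note quoted above requires.
```

ASA2 would carry the mirror image, with 172.16.0.10 as the remote source. The filter is evaluated per tunnel, so it does not affect ordinary Internet traffic on the outside interface the way an outside_access_in entry would.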
02-20-2014 05:27 AM
Hi Jan.
Ah okay.
So it would actually be possible to use my outside_access_in to define VPN traffic with the sysopt disabled?
Regards,
Søren
02-20-2014 12:31 PM
Hi Søren,
Yes, it is possible to use your existing ACL. Please notice that traffic from LAN1 to LAN2 has to be denied on ASA2, and also if you want to limit traffic from LAN2 to LAN1 you have to modify the ACL on ASA1, because it is incoming traffic from outside to inside.
Regards,
Jan
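An added example of the approach Jan describes in this thread, using interface ACLs with sysopt disabled on both units. This is not configuration from the thread; it assumes HostA is 172.16.0.10, HostB is 192.168.0.10, and that ASA2 mirrors ASA1's naming (outside interface, ACL outside_access_in, tunnel peer 2.2.2.3). The crypto map ACL stays as Søren has it, so tunnel negotiation is unaffected; only what is allowed after decryption changes.

```text
! ---------- ASA2 (local LAN2 192.168.0.0/24) ----------
! Decrypted tunnel traffic arrives on the outside interface, so the
! outside ACL now decides what LAN1 may reach in LAN2.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp host 172.16.0.10 host 192.168.0.10 eq www
access-group outside_access_in in interface outside
! Anything else from LAN1 (and from the Internet) is dropped by the implicit deny.

! ---------- ASA1 (local LAN1 172.16.0.0/24, config posted above) ----------
! outside_access_in is already applied; add the LAN2 -> LAN1 rule next to the
! existing "permit icmp any any" line.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp host 192.168.0.10 host 172.16.0.10 eq https

! Replies to permitted connections return through the ASA's state table, so
! only the initiating direction needs a rule.

! ---------- Verification (run on ASA2) ----------
! Simulate HostA opening port 80 on HostB; the trace should end with ALLOW
! and show outside_access_in as the matching ACL.
packet-tracer input outside tcp 172.16.0.10 12345 192.168.0.10 80
! Simulate HostA trying port 22 on HostB; the trace should end with DROP.
packet-tracer input outside tcp 172.16.0.10 12345 192.168.0.10 22
! Hit counts confirm the rules are being matched by real traffic.
show access-list outside_access_in
```

Two caveats worth keeping in mind with this method: "no sysopt connection permit-vpn" is global, so any other VPN terminating on that ASA (remote-access included) is also subject to the interface ACL from then on, and because outside_access_in also filters plain Internet traffic, the VPN rules should stay host- and port-specific rather than widening to "permit ip any any".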
Please rate my posts if you consider they are helpful