Site2Site VPN ASA 5505 - only allow established traffic in

Hi

I have an IKEv1/IPsec tunnel between two ASAs.

One with local network 10.31.0.0/16

The other with local network 172.21.0.0/24

But I would like that only traffic that is initiated from 10.31.0.0/16 is allowed from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?

(Only answers back to 10.31.0.0/16 are allowed from that remote network 172.21.0.0/24.)

Regards, Steffen.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If I didn't understand anything wrong in the above question, then I think you might be able to do the following on the ASA with the 10.31.0.0/16 local network.

The ASA has the following global configuration, which is the default setting if you have not changed it:

sysopt connection permit-vpn

This WON'T show in the CLI configuration, since the above is the default setting.

You can check it with the command:

show run all sysopt

This will even list the default setting.

Now what this configuration essentially does is allow ANY traffic that is coming through a VPN connection to get through the ASA interface ACLs. So in your case, at the site where the ASA with the 10.31.0.0/16 network is, the ASA would allow any connections to come through from the other site's network of 172.21.0.0/24 (provided it was allowed on the other site's ASA LAN interface ACL).

What you could do is insert the following configuration:

no sysopt connection permit-vpn

What this would do is require you to ALLOW ANY traffic that is coming through the VPN connection through the "outside" interface of the ASA that you want to pass (which I presume is the name of your current interface that handles the VPN connections). In other words, VPN traffic wouldn't be given a "free pass" to get through the interface ACL of "outside"; instead you would need to allow it like any other traffic coming from the Internet.

If you should decide to do this, then you MUST CONSIDER the following thing. If you have ANY other VPN connections, like other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your "outside" interface ACL to pass the ASA to the local LAN network. If you don't do this and insert the above configuration, you will notice that traffic will start to get blocked by the "outside" interface ACL (or if you don't have an ACL configured, then the ASA's "security-level" will naturally block the traffic in the same manner as an ACL would).

So if we presume that the L2L VPN is the only connection you had configured on the ASA with 10.31.0.0/16, then the following changes would happen:

  • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network of 172.21.0.0/24, provided the LAN interface's ACL allowed this traffic.
  • Return traffic for this connection would naturally be allowed through the same ASA, just like any other traffic.
  • IF some inbound connection was coming towards the ASA with the 10.31.0.0/16 network from the 172.21.0.0/24 network, it would get blocked UNLESS you ALLOW it on the "outside" interface's ACL.

Hope this made sense and helped.

Please do remember to mark the reply as the correct answer if it answered your question.

Naturally, ask more if needed.

- Jouni
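The procedure above as one worked configuration for the ASA at the 10.31.0.0/16 site. This is an added example, not part of Jouni's reply; the interface name "outside", the ACL name OUTSIDE_IN and the second VPN peer network 192.0.2.0/24 are assumed placeholders, and the crypto map / crypto ACL of the existing tunnel is left unchanged.

```cisco
! Added example (not from the original post). Assumed names: interface "outside",
! ACL OUTSIDE_IN, and 192.0.2.0/24 as a placeholder for any OTHER VPN peer network.

! Step 1: confirm the current value; the default does not appear in "show run".
show run all sysopt
! Expect a line reading "sysopt connection permit-vpn" in the output.

! Step 2: build the outside ACL BEFORE disabling the bypass, so that other VPNs
! (the assumed 192.0.2.0/24 peer) keep working when the change takes effect.
! 172.21.0.0/24 gets no permit entry, so connections it tries to initiate toward
! 10.31.0.0/16 are dropped; the explicit deny with "log" makes those attempts visible.
access-list OUTSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 10.31.0.0 255.255.0.0
access-list OUTSIDE_IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0 log
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside

! Step 3: now make decrypted VPN traffic subject to that interface ACL.
no sysopt connection permit-vpn

! Step 4: nothing else is needed for the desired direction. Connections opened from
! 10.31.0.0/16 toward 172.21.0.0/24 are permitted on the inside interface (ACL or
! security-level), and the ASA's stateful connection table lets their return packets
! back in through "outside" without any ACL entry. Verify with:
show conn address 172.21.0.0 netmask 255.255.255.0
show access-list OUTSIDE_IN
```

The hit counter on the deny line in "show access-list OUTSIDE_IN" is the quickest way to confirm that unsolicited inbound attempts from 172.21.0.0/24 are being dropped rather than silently passed.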
