06-17-2013 05:11 AM
Hi
I have an IKEv1/IPsec tunnel between two ASAs.
One with local network 10.31.0.0/16.
The other with local network 172.21.0.0/24.
But I would like that only traffic that is initiated from 10.31.0.0/16 is allowed from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?
(Only answers back to 10.31.0.0/16 are allowed from that remote network 172.21.0.0/24.)
Regards, Steffen.
Solved! Go to Solution.
06-17-2013 05:26 AM
Hi,
If I didn't understand anything wrong in the above question, then I think you might be able to do the following on the ASA with the 10.31.0.0/16 local network.
The ASA has the following global configuration, which is the default setting if you have not changed it:
sysopt connection permit-vpn
This WON'T show in the CLI configuration, since the above is the default setting.
You can check it with the command
show run all sysopt
This will even list the default setting.
Now, what this configuration essentially does is allow ANY traffic that is coming through a VPN connection to get through the ASA interface ACLs. So in your case, at the site where the ASA with the 10.31.0.0/16 network is, the ASA would allow any connections to come through from the other site's network of 172.21.0.0/24 (provided it was allowed on the other site's ASA's LAN interface ACL).
What you could do is insert the following configuration:
no sysopt connection permit-vpn
What this would do is require you to ALLOW ANY traffic that is coming through the VPN connection through the "outside" interface of the ASA that you want to pass (which I presume is the name of your current interface that handles the VPN connections). In other words, VPN traffic wouldn't be given a "free pass" to get through the interface ACL of "outside"; instead you would need to allow it like any other traffic coming from the Internet.
If you should decide to do this, then you MUST CONSIDER the following thing. If you have ANY other VPN connections, like other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your "outside" interface ACL to pass the ASA to the local LAN network. If you don't do this and insert the above configuration, you will notice that traffic will start to get blocked by the "outside" interface ACL (or, if you don't have an ACL configured, then the ASA's "security-level" will naturally block the traffic in the same manner as an ACL would).
So if we presume that the L2L VPN is the only connection you had configured on the ASA with 10.31.0.0/16, then the following changes would happen.
Hope this made sense and helped
Please do remember to mark the reply as the correct answer if it answered your question.
Naturally ask more if needed
- Jouni
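The configuration that the reply above describes, written out as an added example (this is not part of Jouni's reply or Cisco's documentation). It assumes the VPN-facing interface on the 10.31.0.0/16 ASA is named "outside", that the inside interface is "inside", and that the L2L tunnel to 172.21.0.0/24 is the only VPN on that ASA; the ACL name OUTSIDE_IN is made up for the example. The point it shows is that because the ASA is stateful, you do not need any rule to permit replies: once decrypted VPN traffic is subject to the outside ACL, simply not permitting 172.21.0.0/24 to 10.31.0.0/16 gives the one-way behaviour the question asks for, while replies to sessions that 10.31.0.0/16 opened are still matched by the connection table.

```cisco
! Added example, not from the original thread.
! ASA holding the 10.31.0.0/16 LAN; assumed interface names "outside" and "inside".

! 1. Confirm the current setting. "show run all" prints defaults, so the
!    line appears here even though "show run" alone would not list it.
show run all sysopt
!    (expect to see: sysopt connection permit-vpn)

! 2. Stop decrypted VPN traffic from bypassing the "outside" interface ACL.
!    From this point on, inbound tunnel traffic is filtered by that ACL like
!    any other traffic arriving on "outside". IKE (UDP/500, UDP/4500) and ESP
!    addressed to the ASA itself are to-the-box traffic and are not affected.
no sysopt connection permit-vpn

! 3. Interface ACL for "outside" (assumed name OUTSIDE_IN). Nothing here
!    permits 172.21.0.0/24 to initiate towards 10.31.0.0/16, so such packets
!    are dropped after decryption. The explicit deny is redundant with the
!    implicit deny at the end of the ACL; it is there so the drops show up as
!    hit counts on a line you can read. Replies to connections opened from
!    10.31.0.0/16 never consult this ACL because they match existing entries
!    in the connection table.
access-list OUTSIDE_IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0
!    (any permits you need for ordinary Internet traffic to "outside" go here)
access-group OUTSIDE_IN in interface outside

! 4. Verify. The deny line's hit count climbs when the remote LAN tries to
!    initiate; sessions that 10.31.0.0/16 opened still appear in the conn table.
show access-list OUTSIDE_IN
show conn address 172.21.0.0 netmask 255.255.255.0
```

If the ASA later gets a second L2L tunnel or remote-access VPN users, their traffic is now also subject to OUTSIDE_IN and must be permitted there explicitly, which is exactly the caveat the reply warns about.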