03-11-2013 08:56 AM
Hello,
We have ASA5520 and we want to configure a VPN IPSEC profile so that a partner of ours can access only a server and only on HTTP port.
I've tried configuring split tunneling with an Extended ACL, but I'm probably missing something. I configured the ACL so that it included any source to our server's IP on the HTTP port, but when testing, it didn't work.
However, if I configure a Standard ACL on the split tunneling I can access the server and all the services it provides.
Do you know if I'm missing anything on the Extended ACL configuration?
Should I configure this any other way?
Thanks in advance.
Best regards,
Igor
03-11-2013 09:35 AM
Hi Igor,
For this, you need to use a VPN filter.
Please check this out:
* The split-tunneling should be a Standard ACL.
HTH.
Portu.
Don't forget to rate any helpful posts.
03-11-2013 09:39 AM
An extended ACL with port numbers specified won't work for split tunnelling, because the split-tunnel config determines which routing information is installed on the client PC, and that can't depend on ports.
For your task you can split-tunnel the traffic to your server, but to restrict access to a specific (HTTP) port you have to use a filter ACL, applied to the group policy or the user:
access-list RESTRICT_VPN_ACCESS extended permit tcp any host 2.2.2.2 eq http
username parter_user1 attributes
vpn-filter value RESTRICT_VPN_ACCESS
or, for group policy:
group-policy PARTNERS_GP attributes
vpn-filter value RESTRICT_VPN_ACCESS
03-11-2013 09:40 AM
Thanks jportugu.
I thought there must be something I was missing.
What I don't understand, though, is why ASDM lets you use Extended ACLs on Split Tunneling if that's not the way it should be configured.
03-11-2013 09:47 AM
BTW, ASDM lets you do it because it works fine.
But this split-tunneling ACL is not a FW rule; it only lets the client know which networks to send over the VPN tunnel.
So there is no need to have an extended ACL in place.
I hope it answers your question
Portu.
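The two answers above describe the same split of responsibilities: the split-tunnel list (a standard ACL) only tells the client which destinations to route into the tunnel, and the vpn-filter (an extended ACL) is what actually enforces "this server, HTTP only". The following is an added, complete group-policy and tunnel-group configuration for that setup; it is not from any post in this thread. Everything in it is assumed for illustration: the server address 2.2.2.2 (taken from Andrew's example), the pool 192.168.100.0/24, the names PARTNER_POOL, SPLIT_TUNNEL_PARTNER, RESTRICT_VPN_ACCESS, PARTNERS_GP and PARTNERS, and ASA 8.4-style IKEv1 syntax.

```cisco
! Added example, not from the thread. All names, addresses and the pool are assumed.
!
! 1. Split-tunnel list: STANDARD ACL, hosts/networks only. Ports are meaningless
!    here because this list only becomes routes on the partner's PC.
access-list SPLIT_TUNNEL_PARTNER standard permit host 2.2.2.2
!
! 2. VPN filter: EXTENDED ACL. Write ACEs from the remote client's point of view
!    (source = VPN client, destination = inside host); the ASA handles the return
!    traffic of the same connection. Everything not permitted here is dropped.
access-list RESTRICT_VPN_ACCESS extended permit tcp 192.168.100.0 255.255.255.0 host 2.2.2.2 eq http
!
! 3. Address pool handed to partner clients (assumed range).
ip local pool PARTNER_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! 4. Group policy: split tunnel to the server only, and filter what goes through.
group-policy PARTNERS_GP internal
group-policy PARTNERS_GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_PARTNER
 vpn-filter value RESTRICT_VPN_ACCESS
!
! 5. Tunnel group the partner's client connects to (pre-shared key is a placeholder).
tunnel-group PARTNERS type remote-access
tunnel-group PARTNERS general-attributes
 address-pool PARTNER_POOL
 default-group-policy PARTNERS_GP
tunnel-group PARTNERS ipsec-attributes
 ikev1 pre-shared-key <replace-with-strong-key>
```

Two checks worth doing after applying this. First, `sysopt connection permit-vpn` is enabled by default, which means decrypted VPN traffic bypasses the outside interface ACL entirely; without the `vpn-filter` line, a partner who can route 2.2.2.2 into the tunnel reaches every port on it, which is exactly the behaviour Igor saw with the standard ACL alone. Second, after the partner connects, `show vpn-sessiondb detail remote` shows the session's assigned group policy and filter name, so you can confirm that RESTRICT_VPN_ACCESS was actually attached before testing with a non-HTTP port from the client.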
03-11-2013 09:42 AM
Thanks Andrew.
Same as jportugu's answer.
I really appreciate your help.
Regards,
Igor
03-11-2013 09:44 AM
You are very welcome
Have a good one!