VPN connection for accessing a server on HTTP port only

Igor Rodriguez
Level 1

Hello,

We have ASA5520 and we want to configure a VPN IPSEC profile so that a partner of ours can access only a server and only on HTTP port.

I've tried configuring split tunneling with an Extended ACL, but probably I'm missing something. I just configured the ACL so that it included any source to our server's IP on the HTTP port, but when testing, it didn't work.

However, if I configure a Standard ACL on the split tunneling I can access the server and all the services it provides.

Do you know if I'm missing anything on the Extended ACL configuration?

Should I configure this any other way?

Thanks in advance.

Best regards,

Igor

2 Accepted Solutions

Hi Igor,

For this, you need to use a VPN filter.

Please check this out:

PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

* The split-tunneling should be a Standard ACL.

HTH.

Portu.

Don't forget to rate any helpful posts.

Andrew Phirsov
Level 7

An extended ACL with port numbers specified won't work for split tunnelling, because the split-tunnel config affects what routing information should be installed on the client PC, and that can't depend on ports.

For your task you can split-tunnel traffic to your server, but to restrict access to a specific (HTTP) port, you have to use a filter ACL, applied to the group policy or user:

access-list RESTRICT_VPN_ACCESS extended permit tcp any host 2.2.2.2 eq http
!
username parter_user1 attributes
 vpn-filter value RESTRICT_VPN_ACCESS

or, for group policy:

group-policy PARTNERS_GP attributes
 vpn-filter value RESTRICT_VPN_ACCESS
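The two accepted answers together describe one configuration: a standard ACL for split tunnelling (it only tells the client which prefixes go into the tunnel) and an extended ACL applied as a vpn-filter (the actual port restriction). The fragment below is an added example putting both pieces into a complete group policy; it is not configuration from the original thread. The server address 192.168.10.20, the client pool 10.10.10.0/24, the ACL, group-policy, pool and tunnel-group names are all assumed for illustration.

```cisco
! Added example, not from the original thread. Addresses and names are
! assumed: inside server 192.168.10.20, VPN client pool 10.10.10.0/24,
! group-policy PARTNERS_GP, tunnel-group PARTNERS.

! 1. Split tunnel: a STANDARD ACL listing only the destination host.
!    It is pushed to the client as routing information, so there is no
!    place for a port here.
access-list SPLIT_PARTNER standard permit host 192.168.10.20

! 2. VPN filter: an EXTENDED ACL written with the VPN client as source
!    and the inside server as destination. Everything not listed is
!    dropped by the implicit deny at the end of the ACL.
access-list RESTRICT_VPN_ACCESS extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.20 eq http

! 3. Bind both ACLs to the partner's group policy.
group-policy PARTNERS_GP internal
group-policy PARTNERS_GP attributes
 vpn-filter value RESTRICT_VPN_ACCESS
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_PARTNER

! 4. Hand the policy and an address pool to the tunnel group the
!    partner's IPsec client connects to.
ip local pool PARTNER_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
tunnel-group PARTNERS type remote-access
tunnel-group PARTNERS general-attributes
 address-pool PARTNER_POOL
 default-group-policy PARTNERS_GP

! 5. Verify after the partner connects: the hit count on the permit
!    line rises while they browse to the server, and an SSH or RDP
!    attempt to the same host from the client is dropped.
show access-list RESTRICT_VPN_ACCESS
show run group-policy PARTNERS_GP
```

Two caveats worth checking against the Cisco VPN filter document linked above before deploying. First, the vpn-filter ACL is applied to the decrypted traffic leaving the tunnel and, with source and destination mirrored, to the traffic entering it, so the single permit line covers both halves of the HTTP session but also matches anything the server sends from its own port 80 toward the client pool. Second, an ACL used as a vpn-filter should not also be bound to an interface with access-group; keep the filter ACL separate from interface ACLs.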

6 Replies


Thanks jportugu.

I thought there must be something I was missing.

What I don't understand though is why ASDM lets you use Extended ACLs on Split Tunneling if it's not the way it should be configured.

BTW, the ASDM lets you do it, because it works fine.

But, this split-tunneling ACL is not a FW rule, it only lets the client know which networks to send over the VPN tunnel.

So there is no need to have an extended ACL in place.

I hope that answers your question.

Portu.


Thanks Andrew.

Same as jportugu.

I really appreciate your help.

Regards,

Igor

You are very welcome.

Have a good one!