10-09-2019 06:26 AM
Hi
I am configuring an IPsec VPN and want to apply a VPN filter so users from network LOCAL-SITE can access services on REMOTE-SITE on port group SITE-PORTS.
So local, remote and port values are part of object groups. Which would be the correct way to do this for a VPN filter? I believe this is different to configuring a port-based ACL.
access-list Test_VPN_Filter extended permit object-group SITE_PORTS object-group REMOTE-SITE object-group LOCAL-SITE
or
access-list Test_VPN_Filter extended permit object-group SITE_PORTS object-group LOCAL-SITE object-group REMOTE-SITE
or
does SITE-PORTS need to be anywhere else in the line
Thanks
10-09-2019 06:33 AM
Hi,
Yes, it's the opposite logic to what you are used to configuring! The source is always the remote network/ports and the destination is the local network/ports.
Here is an example of what you should configure.
HTH
10-09-2019 06:50 AM
This really depends on how you configure the ACL. The way you have configured it, you just need to be aware of how you are configuring the service object, as you will need to define the port as a destination port.
object-group service http-https
service-object tcp destination eq http
service-object tcp destination eq https
access-list TEST-VPN-FILTER extended permit object-group http-https object-group LOCAL-SITE object-group REMOTE-SITE
Another way of doing this is the following:
object-group service http-https tcp
port-object eq http
port-object eq https
access-list TEST-VPN-FILTER extended permit tcp object-group LOCAL-SITE object-group REMOTE-SITE object-group http-https
10-09-2019 06:51 AM
Hi
I had a look at the example. So what I want to know is this: if the REMOTE-SITE required access to resources on the LOCAL-SITE on ports SITE-PORTS, how would that be configured using the object groups? Would the object group SITE-PORTS move to the end of the ACL, like:
access-list Test_VPN_Filter extended permit object-group REMOTE-SITE object-group LOCAL-SITE object-group SITE-PORTS
or
access-list Test_VPN_Filter extended permit object-group REMOTE-SITE object-group SITE-PORTS object-group LOCAL-SITE
10-09-2019 06:54 AM - edited 10-09-2019 06:55 AM
Check my previous post: the first example is how to configure when the port object-group comes first, and the second example is how to configure when the port object-group comes at the end of the ACL.
10-09-2019 07:07 AM
Hi
There is some confusion for me on this; the examples I have seen state the source is always the Remote Network and the destination is the Local Network. My port group is also configured as:
object-group service SITE-PORTS
service-object tcp destination eq 3389
service-object tcp destination eq echo
service-object tcp destination eq www
service-object tcp destination eq https
So if I now use the ACL
access-list Test_VPN_Filter extended permit object-group SITE_PORTS object-group REMOTE-SITE object-group LOCAL-SITE
will this work for traffic sourced from any port on the LOCAL-SITE to services on specific ports on the REMOTE-SITE, or vice versa?
Is it just better not to define a port group object and to configure individual ACLs?
Thanks
10-09-2019 07:23 AM
Sorry, I copy-pasted the REMOTE-SITE and LOCAL-SITE incorrectly. The VPN filter filters incoming VPN traffic, so if this is being configured at the LOCAL-SITE then the source would be the REMOTE-SITE.
10-09-2019 07:34 AM
Thanks Marius
So as I understand it then, the VPN filter only filters traffic incoming on the VPN, which is why we define the source as the remote site. If using a port group defined as destination ports in the group, i.e. service-object tcp destination eq 3389, then the port object group can be placed at the start of the ACL and will apply to any traffic flow but limit the destination ports to the ports defined in the group.
10-09-2019 08:05 AM
So as I understand it then, the VPN filter only filters traffic incoming on the VPN which is why we define the source as the remote site
You can also filter traffic before it enters the VPN (leaving the ASA), but the most common use case is to filter incoming traffic as this is usually considered traffic from the unsecured network.
If using a port group defined as destination ports in the group, i.e. service-object tcp destination eq 3389, then the port object group can be placed at the start of the ACL and will apply to any traffic flow but limit the destination ports to the ports defined in the group.
Your understanding is correct.
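Added example, not part of any post in this thread: a complete LAN-to-LAN vpn-filter on the LOCAL-SITE ASA, built from the object-group and ACL conventions the replies above settle on, plus the group-policy and tunnel-group binding the thread never shows. All network addresses, the peer address and the names VPN-FILTER, VPN-FILTER-ALT and REMOTE-SITE-GP are constructed placeholders.

```cisco
! Added example (not from the thread): LAN-to-LAN vpn-filter on the LOCAL-SITE ASA.
! Addresses below are constructed placeholders.
object-group network LOCAL-SITE
 network-object 10.10.0.0 255.255.255.0
object-group network REMOTE-SITE
 network-object 10.20.0.0 255.255.255.0
!
! Protocol-agnostic service group: each service-object line carries the
! protocol and the destination port, so the group goes BEFORE the
! source and destination network groups in the ACL.
object-group service SITE-PORTS
 service-object tcp destination eq 3389
 service-object tcp destination eq www
 service-object tcp destination eq https
!
! vpn-filter ACLs are written with the REMOTE network as the source and the
! LOCAL network as the destination; they are evaluated on post-decrypted
! traffic leaving the tunnel. Everything not permitted is dropped.
access-list VPN-FILTER extended permit object-group SITE-PORTS object-group REMOTE-SITE object-group LOCAL-SITE
!
! Equivalent form using a tcp port group, which must come at the END of the ACL.
object-group service SITE-PORTS-TCP tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
access-list VPN-FILTER-ALT extended permit tcp object-group REMOTE-SITE object-group LOCAL-SITE object-group SITE-PORTS-TCP
!
! Bind the filter to the group policy used by the L2L tunnel group.
! The tunnel-group name is the peer address (placeholder 203.0.113.10).
group-policy REMOTE-SITE-GP internal
group-policy REMOTE-SITE-GP attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy REMOTE-SITE-GP
!
! Verification: hit counts on the filter ACL climb once tunnel traffic flows.
show running-config group-policy REMOTE-SITE-GP
show access-list VPN-FILTER
```

Two checks worth doing after applying this: confirm with show access-list that the permit entries accrue hit counts (a filter with zero hits and a dropping tunnel usually means the source/destination groups are reversed), and keep the vpn-filter ACL separate from any ACL applied with access-group on an interface, since the two are evaluated in different places and mixing them makes the effective policy hard to reason about.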