2106 Views, 20 Helpful, 8 Replies

VPN Filter ACL

Mokhalil82
Level 4

Hi

I am configuring an IPsec VPN and want to apply a VPN filter so users from network LOCAL-SITE can access services on REMOTE-SITE on port group SITE-PORTS.

So the local, remote and port values are part of object groups. Which would be the correct way to do this for a VPN filter? I believe this is different to configuring a port-based ACL.

 

access-list Test_VPN_Filter extended permit object-group SITE-PORTS object-group REMOTE-SITE object-group LOCAL-SITE

or

access-list Test_VPN_Filter extended permit object-group SITE-PORTS object-group LOCAL-SITE object-group REMOTE-SITE

or 

Does SITE-PORTS need to be anywhere else in the line?

 

Thanks


8 Replies

Hi,

Yes, it's the opposite logic to what you are used to configuring! The source is always the remote network/ports and the destination is the local network/ports.

 

Here is an example of what you should configure.

 

HTH

Hi

 

I had a look at the example. So what I want to know then is: if the REMOTE-SITE required access to resources on the LOCAL-SITE on ports SITE-PORTS, how would that be configured using the object groups? Would the object group SITE-PORTS move to the end of the ACL, like:

access-list Test_VPN_Filter extended permit object-group REMOTE-SITE object-group LOCAL-SITE object-group SITE-PORTS

or

access-list Test_VPN_Filter extended permit object-group REMOTE-SITE object-group SITE-PORTS object-group LOCAL-SITE

Check my previous post: the first example is how to configure it when the port object-group is first, and the second example is how to configure it when the port object-group comes at the end of the ACL.

--
Please remember to select a correct answer and rate helpful posts

Hi

 

There is some confusion for me on this; the examples I have seen state the source is always the remote network and the destination is the local network. My port group is also configured as:

object-group service SITE-PORTS
  service-object tcp destination eq 3389
  service-object tcp destination eq echo
  service-object tcp destination eq www
  service-object tcp destination eq https

 

So If I now use the ACL

access-list Test_VPN_Filter extended permit object-group SITE-PORTS object-group REMOTE-SITE object-group LOCAL-SITE

Will this work for traffic sourced from any port on the LOCAL-SITE to services on specific ports on the REMOTE-SITE, or vice versa?

 

Is it just better not to define a port group object and configure individual ACLs?

 

Thanks

Sorry, I copy-pasted the REMOTE-SITE and LOCAL-SITE incorrectly. The VPN filter filters incoming VPN traffic, so if this is being configured at the LOCAL-SITE then the source would be the REMOTE-SITE.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius

So as I understand it then, the VPN filter only filters traffic incoming on the VPN, which is why we define the source as the remote site. If using a port group defined as destination ports in the group, i.e. service-object tcp destination eq 3389, then the port object group can be placed at the start of the ACL and will apply to any traffic flow but limit the destination ports to the ports defined in the group.

 

 

So as I understand it then, the VPN filter only filters traffic incoming on the VPN which is why we define the source as the remote site

You can also filter traffic before it enters the VPN (leaving the ASA), but the most common use case is to filter incoming traffic as this is usually considered traffic from the unsecured network.

 

If using a port group defined as destination ports in the group, i.e. service-object tcp destination eq 3389, then the port object group can be placed at the start of the ACL and will apply to any traffic flow but limit the destination ports to the ports defined in the group.

Your understanding is correct.

--
Please remember to select a correct answer and rate helpful posts

This really depends on how you configure the ACL.  The way you have configured it you just need to be aware of how you are configuring the service object as you will need to define the port as a destination port.

object-group service http-https tcp
  service-object tcp destination eq http
  service-object tcp destination eq https

access-list TEST-VPN-FILTER extended permit object-group http-https object-group LOCAL-SITE object-group REMOTE-SITE

 

Another way of doing this is the following:

object-group service http-https tcp
  port-object eq http
  port-object eq https

access-list TEST-VPN-FILTER extended permit tcp object-group LOCAL-SITE object-group REMOTE-SITE object-group http-https

 

--
Please remember to select a correct answer and rate helpful posts
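As an added illustration (not code from this thread or from Cisco), the following Python models how a vpn-filter ACE is evaluated against decrypted traffic arriving from the tunnel, which is the direction the thread settles on: source REMOTE-SITE, destination LOCAL-SITE. It normalises both ACE shapes shown above (a service object-group with `destination eq` ports placed first, or the protocol in the ACE with a `port-object` group placed last) to the same match, and shows that the same ports written LOCAL-SITE to REMOTE-SITE deny the remote-initiated flows. The group name SITE-PORTS-TCP, the network ranges and the sample packets are constructed for the example.

```python
"""Model of how an ASA vpn-filter ACE is matched against decrypted traffic
arriving from the tunnel (remote -> local).  Added example for this thread,
not Cisco code; all object-group contents and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed network object-groups standing in for the thread's names.
NETWORK_GROUPS = {
    "REMOTE-SITE": ["10.20.0.0/24"],  # far end of the tunnel
    "LOCAL-SITE": ["10.10.0.0/24"],   # networks behind this ASA
}
# Form 1 from the thread: 'object-group service SITE-PORTS' built from
# 'service-object tcp destination eq N' lines (protocol + destination port).
SERVICE_GROUPS = {
    "SITE-PORTS": {("tcp", 3389), ("tcp", 7), ("tcp", 80), ("tcp", 443)},
}
# Form 2: 'object-group service SITE-PORTS-TCP tcp' built from 'port-object eq N'
# (constructed name; the protocol comes from the ACE itself).
PORT_GROUPS = {
    "SITE-PORTS-TCP": {3389, 7, 80, 443},
}


@dataclass(frozen=True)
class Flow:
    """One decrypted packet as the filter sees it."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_ace(line):
    """Parse the two ACE shapes discussed in the thread into one rule form.
    'services' is a set of (proto, dst_port) pairs, or None for 'any port of proto'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError("unsupported ACE: " + line)
    rule = {"action": tok[3], "proto": None, "services": None}
    rest = tok[4:]
    if rest[0] == "object-group":
        # Shape 1: object-group SERVICE object-group SRC object-group DST
        rule["services"] = SERVICE_GROUPS[rest[1]]
        rule["src"], rule["dst"] = rest[3], rest[5]
    else:
        # Shape 2: PROTO object-group SRC object-group DST [object-group PORTS]
        rule["proto"] = rest[0]
        rule["src"], rule["dst"] = rest[2], rest[4]
        if len(rest) > 6:
            rule["services"] = {(rest[0], p) for p in PORT_GROUPS[rest[6]]}
    return rule


def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in NETWORK_GROUPS[group])


def ace_matches(rule, flow):
    if not (in_group(flow.src_ip, rule["src"]) and in_group(flow.dst_ip, rule["dst"])):
        return False
    if rule["services"] is None:          # protocol only, any destination port
        return flow.proto == rule["proto"]
    return (flow.proto, flow.dst_port) in rule["services"]


def vpn_filter_permits(acl_text, flow):
    """First matching ACE decides; no match is the ASA's implicit deny."""
    for line in acl_text.strip().splitlines():
        rule = parse_ace(line)
        if ace_matches(rule, flow):
            return rule["action"] == "permit"
    return False


# The two equivalent ACEs from the thread: source REMOTE-SITE, destination LOCAL-SITE.
FILTER_PORTS_FIRST = (
    "access-list TEST-VPN-FILTER extended permit object-group SITE-PORTS "
    "object-group REMOTE-SITE object-group LOCAL-SITE"
)
FILTER_PORTS_LAST = (
    "access-list TEST-VPN-FILTER extended permit tcp object-group REMOTE-SITE "
    "object-group LOCAL-SITE object-group SITE-PORTS-TCP"
)
# Same ports, but written local -> remote, the direction the question first tried.
FILTER_REVERSED = (
    "access-list TEST-VPN-FILTER extended permit tcp object-group LOCAL-SITE "
    "object-group REMOTE-SITE object-group SITE-PORTS-TCP"
)

# Constructed decrypted packets: a remote host reaching a local RDP server, then SSH.
REMOTE_TO_LOCAL_RDP = Flow("tcp", "10.20.0.5", "10.10.0.9", 3389)
REMOTE_TO_LOCAL_SSH = Flow("tcp", "10.20.0.5", "10.10.0.9", 22)

if __name__ == "__main__":
    cases = [("ports first", FILTER_PORTS_FIRST), ("ports last", FILTER_PORTS_LAST),
             ("reversed", FILTER_REVERSED)]
    for name, acl in cases:
        for flow in (REMOTE_TO_LOCAL_RDP, REMOTE_TO_LOCAL_SSH):
            verdict = "permit" if vpn_filter_permits(acl, flow) else "deny"
            print(f"{name:11s} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} {verdict}")
```

Both thread forms permit the RDP flow and deny SSH, because neither group contains port 22; the reversed ACE denies everything arriving from the tunnel, since the packet's source address is never inside LOCAL-SITE.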