vpn-filter and interface acl restriction

abcdrohan
Beginner

So site A has 192.168.1.0/24 on its inside and site B has 192.168.2.0/24 on its inside.

We have ipsec L2L tunnel. We want filtering so that only ssh traffic goes over vpn (bidirectional)

on inside int of site A we have

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22

Crypto acl on site A is permit ip 192.168.1.0/24 to 192.168.2.0/24

Assume that site B has permit ip any any on all of its interfaces and is not using vpn-filters. Crypto acl on B is a simple permit ip from .2 to .1

Both ASAs have sysopt permit-vpn enabled

Now, to restrict site B to be able to connect only to port 22 of site A, do we need vpn-filter, or would the already existing

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22 take care of that?

I believe

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22

would take care of filtering traffic initiated from A, but to restrict vpn traffic only to ssh when it's initiated from site B, we will need the filter as

on site A, vpn-filter permit tcp 192.168.2.0/24 192.168.1.0/24 eq 22

Am I correct, or do we not need vpn-filter?

Thanks!
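As an added example, not part of the original post: a site A configuration matching the scenario above, with a vpn-filter added so that SSH is the only traffic permitted through the tunnel in either direction. The peer address 203.0.113.2, the group-policy name and the filter ACL name are assumptions.

```cisco
! Added example (not from the original post). Site A ASA.
! Assumed values: peer 203.0.113.2, names GP_SITE_B and VPN_FILTER_SITE_B.

! Interface ACL on inside: only sees traffic entering from site A hosts,
! so it limits sessions initiated from A toward B to TCP/22.
access-list acl_inside_site_A extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 22
access-group acl_inside_site_A in interface inside

! With "sysopt connection permit-vpn", decrypted traffic arriving from
! site B bypasses the outside interface ACL, so the vpn-filter is what
! restricts sessions initiated from B. vpn-filter ACEs are written from
! the remote peer's point of view (remote net/port, then local net/port)
! and the same filter is evaluated for both directions of the tunnel,
! with an implicit deny at the end.
!
! B -> A: remote is the client, local (A) is the SSH server on port 22.
access-list VPN_FILTER_SITE_B extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 22
! A -> B: remote (B) is the SSH server, so the port sits on the remote side.
! Without this ACE, A-initiated SSH would be dropped by the filter even
! though the interface ACL permits it.
access-list VPN_FILTER_SITE_B extended permit tcp 192.168.2.0 255.255.255.0 eq 22 192.168.1.0 255.255.255.0

! Bind the filter to the group policy used by the site B L2L tunnel-group.
group-policy GP_SITE_B internal
group-policy GP_SITE_B attributes
 vpn-filter value VPN_FILTER_SITE_B
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP_SITE_B
```

Check the result with `show vpn-sessiondb detail l2l` (the Filter Name field should show VPN_FILTER_SITE_B) and confirm non-SSH traffic from B is now counted as denied in `show access-list VPN_FILTER_SITE_B`.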
