vpn-filter and interface ACL restriction
09-26-2012 11:27 AM
So site A has 192.168.1.0/24 on its inside and site B has 192.168.2.0/24 on its inside.
We have ipsec L2L tunnel. We want filtering so that only ssh traffic goes over vpn (bidirectional)
on inside int of site A we have
acl_inside_site_A permit tcp 192.168.1.0/24 192.168.2.0/24 eq 22
Crypto acl on site A is permit ip 192.168.1.0/24 to 192.168.2.0/24
Assume that site B has permit ip any any on all of its interfaces and is not using vpn-filters. Crypto acl on B is a simple permit ip from .2 to .1
Both ASAs have sysopt permit-vpn enabled
Now, to restrict site B to be able to connect to port 22 only of site A, do we need vpn-filter, or would the already existing
acl_inside_site_A permit tcp 192.168.1.0/24 192.168.2.0/24 eq 22 take care of that?
I believe
acl_inside_site_A permit tcp 192.168.1.0/24 192.168.2.0/24 eq 22
would take care of filtering traffic initiated from A, but to restrict vpn traffic only to ssh when it's initiated from site B, we will need the filter as
on site A, vpn-filter permit tcp 192.168.2.0/24 192.168.1.0/24 eq 22
Am I correct, or do we not need vpn-filter?
Thanks!
Labels: VPN
09-26-2012 11:37 AM
Greetings,
At this point it is up to you.
You could either use the filter or the access-group.
The benefit of using the access-group on the inside interface is that the traffic does not even flow across the tunnel, so you save bandwidth resources.
Keep me posted.
Portu.
Please rate any helpful posts.
Message was edited by: Javier Portuguez
09-26-2012 11:42 AM
I think I wasn't clear with my question.
What about traffic initiated by the other side though?
Non-ssh traffic from side B would come through over the vpn and hit the box on side A. When side A replies, would that traffic go through because of the stateful nature, irrespective of
acl_inside_site_A line 1 permit tcp 192.168.1.0/24 192.168.2.0/24 eq 22
acl_inside_site_A line 2 deny tcp 192.168.1.0/24 192.168.2.0/24
09-26-2012 11:51 AM
If you are not going to add the ACLs on both sides, then the VPN filter is the best option.
09-26-2012 12:03 PM
I am not concerned about the best option.
I wish to know if it would actually work the way I stated.
09-26-2012 12:48 PM
It should work with the ACL as well, since you are only allowing SSH.
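The site A configuration the first post proposes, written out in ASA CLI syntax as an added example (not posted by anyone in the thread): the inside-interface ACL limits what A initiates, the vpn-filter limits what B initiates. The peer address 203.0.113.2 and the ACL, group-policy and tunnel-group names are placeholders I chose; the example also adds the second vpn-filter line that the ASA's bidirectional evaluation of a vpn-filter requires.

```cisco
! Added example for the site A ASA; peer 203.0.113.2 and all names are placeholders.
! Both sides have this enabled (it is the default): decrypted VPN traffic bypasses the
! outside interface ACL, so the vpn-filter below is what limits B-initiated traffic.
sysopt connection permit-vpn

! 1. Inside interface ACL: hosts at A may only open SSH to B. Other A -> B traffic is
!    dropped before encryption, so it never consumes tunnel bandwidth. The last line is an
!    assumption (keep whatever else the inside ACL already permits, e.g. Internet access).
access-list acl_inside_site_A extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 22
access-list acl_inside_site_A extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_inside_site_A extended permit ip 192.168.1.0 255.255.255.0 any
access-group acl_inside_site_A in interface inside

! 2. vpn-filter for the L2L tunnel to B. A vpn-filter ACL is written remote-as-source,
!    local-as-destination, and the ASA applies it to both post-decrypt (inbound) and
!    pre-encrypt (outbound) traffic, swapping addresses and ports for the outbound check:
!    - line 1 permits B -> A:22 and the matching A:22 -> B replies
!    - line 2 is needed so that A -> B:22 (the flow the inside ACL permits) is not
!      dropped by this same filter before it is encrypted
access-list VPN_FILTER_SITE_B extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 22
access-list VPN_FILTER_SITE_B extended permit tcp 192.168.2.0 255.255.255.0 eq 22 192.168.1.0 255.255.255.0

group-policy GP_SITE_B internal
group-policy GP_SITE_B attributes
 vpn-filter value VPN_FILTER_SITE_B

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP_SITE_B
```

The hit counts in `show access-list VPN_FILTER_SITE_B` show which line a test SSH session from each side matched, and a non-SSH connection attempt from B should produce no new entry in `show conn`.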
