644 Views, 0 Helpful, 5 Replies

vpn-filter and interface acl restriction

abcdrohan
Level 1

So site A has 192.168.1.0/24 on its inside and site B has 192.168.2.0/24 on its inside

We have ipsec L2L tunnel. We want filtering so that only ssh traffic goes over vpn (bidirectional)

on inside int of site A we have

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22

Crypto acl on site A is permit ip 192.168.1.0/24 to 192.168.2.0/24

Assume that site B has permit ip any any on all of its interfaces and is not using vpn-filters. Crypto acl on B is a simple permit ip from .2 to .1

Both ASAs have sysopt permit-vpn enabled

Now to restrict siteB to be able to connect to port 22 only of site A, do we need vpn-filter or  already existing

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22 would take care of that?

I believe

acl_inside_site_A permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22

would take care of filtering traffic initiated from A, but to restrict vpn traffic only to ssh when it's initiated from site B, we will need the filter as

on site A, vpn-filter permit tcp 192.168.2.0/24 192.168.1.0/24 eq 22

Am I correct, or do we not need vpn-filter?

Thanks!

5 Replies

Greetings,

At this point it is up to you.

You could either use the filter or the access-group.

The benefit of using the access-group on the inside interface is that the traffic does not even flow across the tunnel, so you save bandwidth resources.

Keep me posted.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez

I think I wasn't clear with my question

What about traffic initiated by the other side though?

Non-ssh traffic from side B would come through over the vpn and hit the box on side A. When side A replies, would that traffic go through because of the stateful nature, irrespective of

acl_inside_site_A line 1 permit tcp  192.168.1.0/24  192.168.2.0/24 eq 22

acl_inside_site_A line 2  deny tcp  192.168.1.0/24  192.168.2.0/24 

If you are not going to add the ACLs on both sides then the VPN filter is the best option.

I am not concerned about the best option.

I wish to know if it would actually work the way I stated

It should work with the ACL as well, since you are only allowing SSH.
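The thread's question is really about which packets each filter ever sees. The following Python model is an added example, not code from the thread or from Cisco, and it encodes the ASA behaviour as a set of stated assumptions: an interface ACL applied `in` on inside is checked only for packets entering from inside hosts; with `sysopt connection permit-vpn` the decrypted tunnel traffic bypasses the outside interface ACL; a `vpn-filter` is written with the remote network as source and, for outbound packets, the ASA swaps source and destination addresses *and* ports before matching; replies to an established connection ride the stateful connection table and are not re-evaluated. The site A / site B networks, `acl_inside_site_A` and the proposed `vpn-filter` are the ones from the original post; the host addresses and ephemeral source ports are constructed sample values.

```python
"""Model of how site A's ASA evaluates the first packet of a new
connection under the filters discussed in the thread.

Added example (not Cisco code). The ASA behaviours below are assumptions
of this model; verify them against the configuration guide for your
release before relying on them:
  * an interface ACL applied 'in' on inside is checked only for packets
    that enter the ASA from inside hosts (site-A-initiated flows);
  * with 'sysopt connection permit-vpn', decrypted tunnel traffic
    bypasses the outside interface ACL;
  * a vpn-filter is written with the remote network as source and is
    applied in both directions: for outbound packets the ASA swaps
    source/destination addresses and ports before matching;
  * replies to an established connection are allowed by the stateful
    connection table, not re-evaluated against any ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry. sport/dport of None means 'any'."""
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' (any protocol) or 'tcp'
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto in ('ip', proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


def acl_permits(acl, proto, src, sport, dst, dport):
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.matches(proto, src, sport, dst, dport):
            return ace.action == 'permit'
    return False


SITE_A = '192.168.1.0/24'
SITE_B = '192.168.2.0/24'

# acl_inside_site_A from the thread, applied 'in' on site A's inside interface
ACL_INSIDE_A = [Ace('permit', 'tcp', SITE_A, SITE_B, dport=22)]
# the vpn-filter proposed in the original post for site A
VPN_FILTER_OP = [Ace('permit', 'tcp', SITE_B, SITE_A, dport=22)]
# same filter plus an entry for A-initiated SSH: the remote side is still
# written as source, so the remote's port 22 appears as the SOURCE port
VPN_FILTER_BOTH = VPN_FILTER_OP + [Ace('permit', 'tcp', SITE_B, SITE_A, sport=22)]


def new_flow_allowed(initiator, proto, src, sport, dst, dport,
                     vpn_filter=None, sysopt_permit_vpn=True):
    """Return True if site A's ASA lets this connection be built.

    initiator is 'A' (packet enters via inside) or 'B' (packet arrives
    decrypted from the tunnel on outside). Only the first packet is
    judged; replies follow the connection entry it creates.
    """
    if initiator == 'A':
        if not acl_permits(ACL_INSIDE_A, proto, src, sport, dst, dport):
            return False
        if vpn_filter is not None:
            # outbound: matched with addresses AND ports swapped
            return acl_permits(vpn_filter, proto, dst, dport, src, sport)
        return True
    # initiator == 'B': decrypted packet enters on the outside interface
    if not sysopt_permit_vpn:
        return False   # outside interface ACL would apply; none is modelled, so implicit deny
    if vpn_filter is not None:
        return acl_permits(vpn_filter, proto, src, sport, dst, dport)
    return True        # sysopt permit-vpn: interface ACLs are bypassed


def summary(vpn_filter=None):
    """Four representative first packets (constructed hosts/ephemeral ports)."""
    return {
        'A->B ssh':  new_flow_allowed('A', 'tcp', '192.168.1.10', 40000, '192.168.2.10', 22, vpn_filter),
        'A->B http': new_flow_allowed('A', 'tcp', '192.168.1.10', 40001, '192.168.2.10', 80, vpn_filter),
        'B->A ssh':  new_flow_allowed('B', 'tcp', '192.168.2.10', 50000, '192.168.1.10', 22, vpn_filter),
        'B->A http': new_flow_allowed('B', 'tcp', '192.168.2.10', 50001, '192.168.1.10', 80, vpn_filter),
    }


if __name__ == '__main__':
    for name, f in [('interface ACL only', None),
                    ("OP's vpn-filter", VPN_FILTER_OP),
                    ('vpn-filter covering both directions', VPN_FILTER_BOTH)]:
        print(f'{name}: {summary(f)}')
```

Under these assumptions the inside ACL alone leaves every B-initiated flow open, which is exactly the follow-up concern in the thread: the non-SSH packet from B never crosses the inside interface's inbound check, and A's reply is then a stateful return. Note also that the single-line vpn-filter from the post, because of the outbound address-and-port swap, would block A-initiated SSH as well; the second entry in `VPN_FILTER_BOTH` is what a bidirectional SSH-only filter needs.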
