We have a corporate site with a Cisco ASA 5580 (8.1), a remote office with a Cisco ASA 5510 (8.2) with a L2L VPN to corporate.
A vendor has a L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning).
The corporate office accesses an application at the vendor on port 23. Everything is working with regards to the vendor accessing resources to the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I setup a VPN filter and applied to the vendor's L2L vpn but when I apply the filter (see below) all traffic stops to the vendor such as telnet. I would appreciate any assistance.
Corporate office: 10.0.0.0 255.0.0.0
Remote office: 172.20.1.0 255.255.255.0
Vendor network: 192.168.0.0 255.255.0.0
access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23
access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100
group-policy Vendor-filter-policy internal
group-policy Vendor-filter-policy attributes
vpn-filter value Vendor-filter
tunnel-group xxx.xxx.xxx.xxx general-attributes
Solved! Go to Solution.
Jennifer, thanks for the reply. This scenario is the same as the following discussion as I thought it was a good idea to post another discussion since it's a different issue:
Thanks for the reply.
To understand this vpn-filter-ACL. it's important to know, that they do not use source and destination, but remote and local. Because the port 23 for the connection to the vendor is used on the remote-network, it has to be specified there where normally the source is located in an ACL.
This way of configuration is really a PITA, as the ASDM also doesn't display them correctly. I really hope cisco will implement in- and outgoing vpn-filter as it's possible on the IOS-router.