Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1846
Views
0
Helpful
6
Replies

VPN Filter for Hairpin VPNs

Go to solution
jeff6strings
Level 1
Level 1

‎07-03-2012 10:51 AM

We have a corporate site with a Cisco ASA 5580 (8.1), a remote office with a Cisco ASA 5510 (8.2) with a L2L VPN to corporate.

A vendor has a L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning).

The corporate office accesses an application at the vendor on port 23. Everything is working with regards to the vendor accessing resources to the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I setup a VPN filter and applied to the vendor's L2L vpn but when I apply the filter (see below) all traffic stops to the vendor such as telnet. I would appreciate any assistance.

Corporate office: 10.0.0.0 255.0.0.0

Remote office: 172.20.1.0 255.255.255.0

Vendor network: 192.168.0.0 255.255.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

group-policy Vendor-filter-policy internal

group-policy Vendor-filter-policy attributes

vpn-filter value Vendor-filter

tunnel-group xxx.xxx.xxx.xxx general-attributes

default-group-policy Vendor-filter-policy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-03-2012 07:41 PM

The VPN Filter ACl should be as follows:

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-03-2012 07:41 PM

The VPN Filter ACl should be as follows:

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

access-list Vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

0 Helpful

Go to solution
jeff6strings
Level 1
Level 1
In response to Jennifer Halim

‎07-04-2012 08:33 AM

Jennifer, thanks for the reply. This scenario is the same as the following discussion as I thought it was a good idea to post another discussion since it's a different issue:

https://supportforums.cisco.com/message/3666021#3666021

Thanks for the reply.

Jeff

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to jeff6strings

‎07-04-2012 06:53 PM

Hey Jeff,

Yes, I remember that

Does the VPN Filter work now?

0 Helpful

Go to solution
jeff6strings
Level 1
Level 1
In response to Jennifer Halim

‎07-05-2012 08:43 AM

Jennifer, I haven't had the opportunity to apply and test but I will soon and let you know thank you.

Jeff

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Jennifer Halim

‎07-04-2012 10:52 AM

To understand this vpn-filter-ACL. it's important to know, that they do not use source and destination, but remote and local. Because the port 23 for the connection to the vendor is used on the remote-network, it has to be specified there where normally the source is located in an ACL.

This way of configuration is really a PITA, as the ASDM also doesn't display them correctly. I really hope cisco will implement in- and outgoing vpn-filter as it's possible on the IOS-router.

0 Helpful

Go to solution
jeff6strings
Level 1
Level 1
In response to Karsten Iwen

‎07-05-2012 08:44 AM

Karsten, thanks for the post.

Jeff

0 Helpful
Customers Also Viewed These Support Documents