vpn-filter seems to work in both directions

tpospisil
Level 1

I have ASA 5520, Version 8.4(3)

I have configured site to site VPN with vpn-filter for filtering communication

I am using this example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

The VPN connection did not work, therefore I implemented this last line in my vpn-filter ACL:

access-list acl-L2L-ORANGE extended deny ip any any log notifications interval 60

I am very confused, because I have got syslog message:

%ASA-5-106102: access-list acl-L2L-ORANGE denied tcp for user '<unknown>' inside/10.1.61.51(60748) -> outside/213.151.208.154(4490)

It seems to me that vpn-filter does filter my inside-to-outside communication.

Communication which is sent from inside TO the tunnel.

Even worse, my ACL includes this line

access-list acl-L2L-ORANGE line 1 extended permit tcp host 10.1.61.51 host 213.151.208.154 (hitcnt=0)

How could it be possible?

Accepted Solution

Hi,

If you want to get rid of the problems and possible complexity of using VPN filter access-lists you could issue the following command

no sysopt connection permit-vpn

What this would do is that all connections from the remote site of the L2L VPN would be subjected to an access-list rule check on the outside interface of your ASA, the same way your local networks' traffic heading for the L2L VPN remote site is checked by your inside interface's access-list.

Though if you go down this road you will have to take into consideration that you will have to open traffic for possible existing VPN connections (Client and L2L VPN) on your outside interface access-list before you issue the above command.

At least this way you won't run into the problem that you actually open more than you were expecting with the VPN filter type ACL. And as I said it doesn't get quite as complicated to manage.

I do have to say though that I do use both ways depending on the environment I am configuring.

- Jouni
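The two ways of handling this, as an added configuration example that is not from the original thread or from Cisco's documentation. It covers both the original question (why the permit line shows hitcnt=0 while the deny line fires) and the accepted solution; the group-policy and ACL names and the peer address 203.0.113.1 are assumed placeholders, and 213.151.208.154 is assumed to be a host behind the remote peer.

```cisco
! Added example (not the original poster's or Jouni's configuration).
! Names, the peer address 203.0.113.1 and the placement of 213.151.208.154
! behind the tunnel are assumptions.

! --- Approach 1: keep the vpn-filter, but write the ACL the way the ASA
! evaluates it. A vpn-filter is applied to traffic in BOTH directions
! (pre-encryption on the way into the tunnel, post-decryption on the way
! out), and every entry is matched with the REMOTE side as the source and
! the LOCAL side as the destination. The original
!   permit tcp host 10.1.61.51 host 213.151.208.154
! has the local host as source, so it can never match (hitcnt=0) and the
! inside->outside flow falls through to the deny line in the syslog.
! For a local client reaching remote port 4490, the remote host and its
! port 4490 go on the SOURCE side of the entry:
access-list acl-L2L-ORANGE extended permit tcp host 213.151.208.154 eq 4490 host 10.1.61.51
access-list acl-L2L-ORANGE extended deny ip any any log notifications interval 60
group-policy GP-L2L-ORANGE internal
group-policy GP-L2L-ORANGE attributes
 vpn-filter value acl-L2L-ORANGE
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-L2L-ORANGE

! --- Approach 2 (the accepted solution): stop bypassing the interface
! ACLs for VPN traffic. Decrypted traffic from the remote site is then
! checked by the outside interface ACL like any other inbound traffic,
! and local-initiated traffic into the tunnel by the inside ACL. Note
! that the sysopt is global: it affects every L2L and remote-access VPN
! on the box, so open the required flows for all of them BEFORE removing
! it. Only remote-INITIATED connections need outside ACL entries; return
! traffic for local-initiated connections is allowed by the stateful
! connection table.
access-list outside_access_in extended permit ip host 213.151.208.154 host 10.1.61.51
access-group outside_access_in in interface outside
access-list inside_access_in extended permit tcp host 10.1.61.51 host 213.151.208.154 eq 4490
access-group inside_access_in in interface inside
no sysopt connection permit-vpn
```

After either change, `show access-list acl-L2L-ORANGE` (or the interface ACL) should show the hit counter on the permit entry climbing instead of the deny entry, and the %ASA-5-106102 messages for that flow should stop.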
