04-20-2012 02:29 AM
I have an ASA 5520, Version 8.4(3).
I have configured a site-to-site VPN with a vpn-filter for filtering communication.
I am using this example:
The VPN connection did not work, therefore I implemented a last line in my vpn-filter ACL:
access-list acl-L2L-ORANGE extended deny ip any any log notifications interval 60
I am very confused, because I got this syslog message:
%ASA-5-106102: access-list acl-L2L-ORANGE denied tcp for user '<unknown>' inside/10.1.61.51(60748) -> outside/213.151.208.154(4490)
It seems to me that the vpn-filter does filter my inside-to-outside communication,
communication which is sent from inside TO the tunnel.
Even worse, my ACL includes this line:
access-list acl-L2L-ORANGE line 1 extended permit tcp host 10.1.61.51 host 213.151.208.154 (hitcnt=0)
How could this be possible?
04-20-2012 05:02 AM
Hi,
If you want to get rid of the problems and possible complexity of using VPN filter access-lists, you could issue the following command:
no sysopt connection permit-vpn
What this would do is that all connections from the remote site of the L2L VPN would be subjected to the access-list rule check on the outside interface of your ASA, the same way your local networks' traffic heading for the L2L VPN remote site is checked by your inside interface's access-list.
Though if you go down this road, you will have to take into consideration that you will have to open traffic for possible existing VPN connections (Client and L2L VPN) on your outside interface access-list before you issue the above command.
At least this way you won't run into the problem that you actually open more than you were expecting with the VPN filter type ACL. And as I said, it doesn't get quite as complicated to manage.
I do have to say though that I do use both ways depending on the environment I am configuring.
- Jouni
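Added illustration, not code from the post, from Jouni, or from Cisco: a small Python model of the matching rule the ASA documents for a vpn-filter, namely that the ACL is written with the remote (tunnel peer) side as source and the local side as destination, and that the one ACL is applied to both directions, so a locally initiated flow is matched with its addresses and ports swapped. That rule is why the question's permit line, written local -> remote, shows hitcnt=0 while the trailing deny logs the inside -> outside flow, and it is also the "open more than you were expecting" pitfall Jouni mentions. The addresses and port 4490 are taken from the syslog line in the question; the REVERSED ACL, the ssh flow from the peer, and all function and variable names are assumptions constructed for the demo.

```python
"""Toy model of ASA vpn-filter ACL matching (added illustration, not from the post).

Encodes the documented ASA rule: a vpn-filter ACL is written with the REMOTE
(tunnel peer) side as source and the LOCAL side as destination, and the one
ACL is applied to traffic in both directions, so a locally initiated flow is
matched with its addresses and ports swapped. Addresses and port 4490 are
taken from the syslog line in the question; the ACL contents, the extra peer
flow and every name below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network       # remote-side network (vpn-filter convention)
    dst: ipaddress.IPv4Network       # local-side network
    src_port: Optional[int] = None   # "eq N" after the source, if any
    dst_port: Optional[int] = None   # "eq N" after the destination, if any
    hitcnt: int = 0                  # like the (hitcnt=N) shown by "show access-list"

    def matches(self, proto, src, dst, sport, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.src_port is None or self.src_port == sport)
                and (self.dst_port is None or self.dst_port == dport))


def parse_ace(text):
    """Parse the subset 'permit|deny <proto> <ep> [eq N] <ep> [eq N]' of ASA
    extended ACE syntax, where <ep> is 'any', 'host A' or 'A MASK'."""
    toks = text.split()
    pos = 2

    def endpoint():
        nonlocal pos
        if toks[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        elif toks[pos] == "host":
            net, pos = ipaddress.ip_network(toks[pos + 1] + "/32"), pos + 2
        else:
            net = ipaddress.ip_network(f"{toks[pos]}/{toks[pos + 1]}", strict=False)
            pos += 2
        port = None
        if pos < len(toks) and toks[pos] == "eq":
            port, pos = int(toks[pos + 1]), pos + 2
        return net, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return Ace(toks[0], toks[1], src, dst, sport, dport)


class VpnFilter:
    def __init__(self, lines):
        self.aces = [parse_ace(line) for line in lines]

    def check(self, proto, src, dst, sport, dport, from_tunnel):
        """Return (action, index of the matching line, or None for the implicit deny).
        from_tunnel=True : decrypted traffic from the peer, matched as written.
        from_tunnel=False: local traffic about to enter the tunnel; the ASA matches
        it with source and destination swapped so the ACL is still read remote -> local."""
        if not from_tunnel:
            src, dst, sport, dport = dst, src, dport, sport
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for idx, ace in enumerate(self.aces):
            if ace.matches(proto, src, dst, sport, dport):
                ace.hitcnt += 1
                return ace.action, idx
        return "deny", None   # implicit deny at the end of every ACL


# The filter as posted in the question: the local host is written as the source.
POSTED = ["permit tcp host 10.1.61.51 host 213.151.208.154",
          "deny ip any any"]
# Same intent written remote -> local, the direction the ASA expects for a vpn-filter
# (constructed; the "eq 4490" is the destination port seen in the syslog line).
REVERSED = ["permit tcp host 213.151.208.154 eq 4490 host 10.1.61.51",
            "deny ip any any"]


def evaluate(lines):
    """Run the flow from the syslog message (inside/10.1.61.51(60748) ->
    outside/213.151.208.154(4490)) and a constructed peer-initiated flow
    through a fresh filter; return the verdicts and per-line hit counts."""
    vf = VpnFilter(lines)
    outbound = vf.check("tcp", "10.1.61.51", "213.151.208.154", 60748, 4490, from_tunnel=False)
    # Constructed: the peer opens a connection FROM port 4490 to ssh on the local host.
    peer_initiated = vf.check("tcp", "213.151.208.154", "10.1.61.51", 4490, 22, from_tunnel=True)
    return {"outbound": outbound, "peer_initiated": peer_initiated,
            "hitcnt": [ace.hitcnt for ace in vf.aces]}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("reversed", REVERSED)):
        print(name, evaluate(acl))
```

With POSTED, the outbound flow falls through to `deny ip any any` and the permit line keeps hitcnt 0, matching the question. With REVERSED the outbound flow is permitted, but so is the constructed peer-initiated connection from source port 4490 to ssh on 10.1.61.51, because the same line is matched in both directions; that is the extra exposure a vpn-filter can create. With `no sysopt connection permit-vpn`, the outside interface ACL instead sees the decrypted traffic in its natural direction, so only connections the peer initiates need entries there, and locally initiated traffic is governed by the inside interface ACL plus the connection table.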
04-20-2012 03:18 AM
I found the answer here: