Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5061
Views
0
Helpful
3
Replies

VPN Interesting Traffic ACL

Devavrat Oka
Level 1
Level 1

‎07-28-2015 10:29 AM

We have a pair of ASA 5545-X firewalls as our Prod ASA. The prod ASA has a global ACL and an ACL for EIGRP advertisements. In addition to that we have a VPN Filter ACL and an interesting traffic matching ACL. It seems the ASA matches the global ACL first and then gets to the interesting traffic ACL.


We built an IPSec tunnel from our prod ASA to a company that does Internet proxy. The interesting traffic for this was 10.10.10.0/24 source to any destination on ports 80,443. 


We found out this does not work without a global ACL entry that permits 10.10.10.0/24 to any. 


Does that mean if I have an ASA with a global ACL, then every time I build a interesting traffic ACL, I have to include those in the global ACL?

Labels:
0 Helpful
3 Replies 3

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎07-28-2015 11:07 AM

Hi Devavrat ,

You can use IP based access-list to allow the traffic through the tunnel and restrict the further communication via VPN filters. These filters assist with port based restriction for through the tunnel traffic.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

 

Regards,
Dinesh Moudgil
 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Devavrat Oka
Level 1
Level 1
In response to Dinesh Moudgil

‎07-29-2015 08:16 AM

Thank you Karsten and Dinesh. I am using a VPN filter and have that applied to my group-policy too. I am not sure how to work around the global ACL. I also noticed I need to move my nat statements below the object NATs. 

0 Helpful

Karsten Iwen
VIP
VIP

‎07-28-2015 11:41 PM

 >Does that mean if I have an ASA with a global ACL, then every time I build a interesting traffic ACL, I have to include those in the global ACL?

Yes, first the traffic hits the ASA and the inbound interface/global ACLs decide if the packets are processed any further. If yes, after a couple of steps the packets are routed to the outbound interface where the crypto map is applied. Now the crypto-ACL with the interesting traffic jumps in and compares the packets to this ACL to decide if the traffic needs IPsec protection or not.
 
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents