Beginner

VPN Interesting Traffic ACL

We have a pair of ASA 5545-X firewalls as our Prod ASA. The prod ASA has a global ACL and an ACL for EIGRP advertisements. In addition to that we have a VPN Filter ACL and an interesting traffic matching ACL. It seems the ASA matches the global ACL first and then gets to the interesting traffic ACL.


We built an IPSec tunnel from our prod ASA to a company that does Internet proxy. The interesting traffic for this was 10.10.10.0/24 source to any destination on ports 80,443. 


We found out this does not work without a global ACL entry that permits 10.10.10.0/24 to any. 


Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?

Cisco Employee

Hi Devavrat,

You can use an IP-based access-list to allow the traffic through the tunnel and restrict the further communication via VPN filters. These filters assist with port-based restriction for through-the-tunnel traffic.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you Karsten and Dinesh. I am using a VPN filter and have that applied to my group-policy too. I am not sure how to work around the global ACL. I also noticed I need to move my nat statements below the object NATs. 

VIP Mentor

> Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?

Yes, first the traffic hits the ASA and the inbound interface/global ACLs decide if the packets are processed any further. If yes, after a couple of steps the packets are routed to the outbound interface where the crypto map is applied. Now the crypto-ACL with the interesting traffic jumps in and compares the packets to this ACL to decide if the traffic needs IPsec protection or not.
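The three ACLs from this thread written out as one ASA configuration, as an added example that is not from the original post or from Cisco. It assumes constructed names and the placeholder peer address 203.0.113.10, and that IKEv1 policy, transform-set and NAT exemption are already in place; the vpn-filter lines follow the convention in the linked Cisco document, where the remote side is written as the source.

```cisco
! Protected subnet from the thread (constructed object name)
object network INSIDE-PROXY-USERS
 subnet 10.10.10.0 255.255.255.0

! 1. Global ACL: evaluated first, before routing and before the crypto map.
!    Without this permit the packets are dropped and the crypto ACL is never
!    consulted. "permit ip ... any" is what the poster found necessary; it can
!    be narrowed to tcp eq 80/443 so it matches the interesting traffic exactly.
access-list GLOBAL-ACL extended permit tcp object INSIDE-PROXY-USERS any eq 80
access-list GLOBAL-ACL extended permit tcp object INSIDE-PROXY-USERS any eq 443
access-group GLOBAL-ACL global

! 2. Crypto ACL (interesting traffic): applied at the outbound interface via
!    the crypto map. It only decides what gets IPsec protection, it does not
!    permit traffic through the box.
access-list VPN-PROXY-CRYPTO extended permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list VPN-PROXY-CRYPTO extended permit tcp 10.10.10.0 255.255.255.0 any eq 443

crypto map OUTSIDE-MAP 10 match address VPN-PROXY-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 3. VPN filter: restricts what is allowed inside the tunnel once it is up.
!    Assumption (per the linked Cisco doc): the ACL is written with the remote
!    side as source, so the service port sits on the source (proxy) side for
!    connections that the 10.10.10.0/24 hosts initiate.
access-list VPN-PROXY-FILTER extended permit tcp any eq 80 10.10.10.0 255.255.255.0
access-list VPN-PROXY-FILTER extended permit tcp any eq 443 10.10.10.0 255.255.255.0

group-policy GP-PROXY internal
group-policy GP-PROXY attributes
 vpn-filter value VPN-PROXY-FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-PROXY
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

`packet-tracer input inside tcp 10.10.10.5 12345 198.51.100.20 443` shows the order the mentor describes: the ACCESS-LIST phase (global ACL) is evaluated before the VPN phase that references the crypto ACL.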
 