VPN site-to-site IPsec filter port

Diego Gomes
Level 1

Hello guys!

I have configured a VPN Site-to-Site as follows (for the access list):

Local: 192.168.0.0/24

Remote: 10.0.0.0/24

So, I have this configuration:

access-list VPN-Test line 1 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

 

But I would like to allow just tcp/80 from my Remote to connect to my Local (because now 10.0.0.0/24 can access everything in my 192.168.0.0/24).

 

How can I do it? (I tried changing the access-list VPN-Test under ASDM, Configuration, ACL Manager, but it did not work.)

 

Should I create a rule in the outside interface, like:

source: 10.0.0.0/24

dst: 192.168.0.0/24

protocol: tcp/80

 

How can I do it?

 

Thanks,


Diego

 

 

4 Replies

By default, the outside ACL is not evaluated for VPN traffic. Instead, you configure a new ACL that gets applied as a "vpn-filter" to the group-policy for your connection.

access-list VPN-FILTER-XXX permit tcp any any eq 80
!
group-policy GP-VPN-XXX attributes
  vpn-filter value VPN-FILTER-XXX
!
tunnel-group a.b.c.d general-attributes
 default-group-policy GP-VPN-XXX

In the ACL you don't need to specify the networks, as the tunnel can't transport anything other than what is specified in the crypto ACL. But of course you can specify them if you want:

access-list VPN-FILTER-XXX permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
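As an added, complete example of the vpn-filter approach (this is constructed for the thread's scenario, not Karsten's or Cisco's posted config), the following puts the pieces together on an ASA: crypto ACL, NAT exemption, group-policy with vpn-filter, tunnel-group and crypto map. The peer address a.b.c.d, the interface names "inside" and "outside", IKEv1 with a pre-shared key, and all object, ACL, transform-set and crypto-map names are assumptions. The point the example makes explicit is the direction rule of a vpn-filter ACL: the ASA always matches it with the remote (peer) network as source and the local network as destination, regardless of which side opened the connection, so the "remote may reach local tcp/80 only" requirement is one ACE, and a local-initiated flow towards the remote side would need the port on the source side instead.

```cisco
! Constructed example for the question's networks; not the thread's own config.
! Assumed: peer a.b.c.d, nameif "inside"/"outside", IKEv1 with PSK, ASA 8.3+ NAT syntax.
object network LOCAL-LAN
 subnet 192.168.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.0.0.0 255.255.255.0
!
! Crypto ACL: defines what the tunnel is allowed to carry at all (both networks, any IP).
access-list VPN-Test extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! NAT exemption so the two LANs see each other's real addresses through the tunnel.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! vpn-filter ACL: evaluated for every connection that uses this tunnel.
! Source is ALWAYS the remote network, destination ALWAYS the local network,
! whichever side initiates. This single ACE therefore means:
!   hosts in 10.0.0.0/24 may open TCP/80 to hosts in 192.168.0.0/24; nothing else.
access-list VPN-FILTER-SITE extended permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
!
! If local hosts should ALSO be allowed to open HTTP towards the remote side,
! the port moves to the source (remote) side of the ACE:
! access-list VPN-FILTER-SITE extended permit tcp 10.0.0.0 255.255.255.0 eq 80 192.168.0.0 255.255.255.0
!
group-policy GP-VPN-SITE internal
group-policy GP-VPN-SITE attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VPN-FILTER-SITE
!
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy GP-VPN-SITE
tunnel-group a.b.c.d ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-Test
crypto map OUTSIDE-MAP 10 set peer a.b.c.d
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
! Default setting, stated explicitly: decrypted VPN traffic bypasses the
! interface ACLs, so the vpn-filter above is the only policy applied to the tunnel.
sysopt connection permit-vpn
```

To confirm the filter is actually attached to the live tunnel, `show vpn-sessiondb detail l2l` lists the "Filter Name" for the session, and `show access-list VPN-FILTER-SITE` shows hit counts climbing only on the tcp/80 ACE; an `asp-drop` reason of acl-drop for a local-initiated flow to 10.0.0.0/24 confirms the deny side.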

 

Hi Karsten!

Thanks for your answer. I will check it tomorrow.

So, I can understand that, by default, all traffic is allowed, once I do that configuration you told me.

I remember in my last company, I was able to configure the outside to allow or deny the traffic, I did not need to change the group policy (or maybe am I wrong?)

 

Thanks,

 

Diego

Comparing the decrypted traffic against the outside ACL was the default in older releases. If you want, you can restore this old default with the following command:

no sysopt connection permit-vpn 

or

no sysopt connection permit-ipsec 

(depends on the ASA version you are running)
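As an added example of the alternative Karsten describes (constructed here, not from the thread), this shows the older behaviour being restored and the same "remote may reach local tcp/80 only" policy expressed on the outside interface instead of as a vpn-filter. The interface name "outside" and the ACL name are assumptions. The practical difference to keep in mind: `sysopt connection permit-vpn` is a global setting, so turning it off subjects every tunnel terminated on the ASA (other site-to-site peers, remote-access clients) to the interface ACLs, and an interface ACL only sees the direction entering that interface, whereas one vpn-filter ACL covers both directions of one tunnel.

```cisco
! Constructed example; not the thread's own config. Assumes nameif "outside".
! Stop bypassing the interface ACLs for decrypted VPN traffic (9.x syntax; older
! releases use "no sysopt connection permit-ipsec", as noted in the thread).
no sysopt connection permit-vpn
!
! Outside interface ACL. Decrypted packets from the tunnel are now checked here,
! in the same ACL as ordinary inbound traffic from the Internet.
! Remote LAN -> local LAN, TCP/80 only.
access-list OUTSIDE-IN extended permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
!
! Any other VPN terminated on this ASA is now filtered by this ACL too, so its
! permitted traffic must be listed here as well (placeholder networks below).
! access-list OUTSIDE-IN extended permit ip <OTHER-PEER-LAN> <MASK> 192.168.0.0 255.255.255.0
!
! Explicit final deny with logging to see what the tunnel is now dropping.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Note: this ACL governs only traffic arriving on "outside". Flows initiated from
! 192.168.0.0/24 towards 10.0.0.0/24 are checked by the ACL on the inside
! interface (if one is applied), not by OUTSIDE-IN.
```

`show run sysopt` confirms whether the bypass is still active, and `show access-list OUTSIDE-IN` hit counts on the logging deny are the quickest way to see which other tunnels the change has started to block.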

Thanks Karsten!

 

Everything ok!

 

Diego