02-20-2013 11:44 AM
I have been looking all over the place for how to do this. Maybe I am not searching right, but here we go.
I have a site-to-site tunnel with a 5505 and a 5510. I can pass traffic back and forth, RDP, etc.
What I need to do is configure the 5505 to reach all the machines on the other side of the 5510, but have all the local machines on the 5510 side not be able to reach any local machines on the 5505 side.
There are 2 machines on the 5510 side that need to reach out to the local side of the 5505. One machine needs SMTP access and the other needs RDP access, and that is it.
I hope this makes sense. Just a bit confused right now.
Thanks,
Chris
02-20-2013 12:04 PM
Hi,
So I assume your only goal is to limit what connections can be formed through the L2L VPN connection that is already working?
There are at least 3 options.
Let me know if you need any specifics on something.
Hope the information was helpful.
- Jouni
02-20-2013 01:30 PM
Yes, my goal is to limit connections that are already in place. I have been playing around on my 2 test ASAs.
I am trying to understand the sysopt connection command, but in the meantime...
With the IPsec tunnel in place I have the following ACL in place:
outside_cryptomap
source                  destination             service   action
inside (192.168.81.0)   outside (192.168.80.0)  ip        Permit
which I know allows all traffic. If I were to deny it then I would lose the connection, which I understand.
So what I am trying to do in my test is just allow RDP. I have tried a bunch of things and I think I am lost now.
02-20-2013 01:50 PM
Hi,
If we are just talking about a test setup and not a production environment then you could enter the command "no sysopt connection permit-vpn" on the ASA
After this you would have to allow connections from the remote site on the ACL that is attached to the "outside" interface of the ASA.
Optionally, there's the possibility to use a VPN Filter ACL instead of the above approach.
For example, you could have the below configuration (only the partial configuration related to the L2L VPN).
What you have to notice with the L2L VPN Filter ACL format is that no matter what direction you are opening the connection, the remote network is ALWAYS the source address in the ACL rule.
In the below case for example I presume that the remote network is 192.168.81.0/24 and the local network is 192.168.80.0/24
The below VPN Filter ACL would allow your local LAN 192.168.80.0/24 to connect to the remote host 192.168.81.100 on the destination port TCP/3389.
The second ACL rule would allow the remote network to connect to the local host 192.168.80.100 on the destination port TCP/25 (SMTP)
It would block all the rest of the connections.
! Remote side (192.168.81.0/24) is always the ACL source.
! Rule 1: local LAN may open RDP (TCP/3389) to remote host 192.168.81.100
!         (note the "host" keyword before the single remote address).
! Rule 2: remote LAN may open SMTP (TCP/25) to local host 192.168.80.100.
! Everything else is dropped by the implicit deny at the end of the ACL.
access-list L2L-VPN-FILTER permit tcp host 192.168.81.100 eq 3389 192.168.80.0 255.255.255.0
access-list L2L-VPN-FILTER permit tcp 192.168.81.0 255.255.255.0 host 192.168.80.100 eq smtp
group-policy L2L-VPN-POLICY internal
group-policy L2L-VPN-POLICY attributes
 vpn-filter value L2L-VPN-FILTER
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy L2L-VPN-POLICY
- Jouni
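To make the direction rule in the reply above concrete, here is an added Python model (not from the post, and not Cisco code) that evaluates the two filter lines the way the reply describes: whichever side opens the connection, the remote 192.168.81.0/24 side is treated as the ACL source before matching, so a locally initiated flow is checked in reversed form. The rule list, the remote network and the port-name table are constructed for this example.

```python
import ipaddress

# Constructed for this example: the two vpn-filter lines from the reply.
VPN_FILTER = [
    "permit tcp host 192.168.81.100 eq 3389 192.168.80.0 255.255.255.0",
    "permit tcp 192.168.81.0 255.255.255.0 host 192.168.80.100 eq smtp",
]
REMOTE_NET = ipaddress.ip_network("192.168.81.0/24")  # the tunnel's far side
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}     # ASA keyword subset


def _parse_endpoint(tokens, i):
    """Parse 'host A' or 'A MASK', then an optional 'eq PORT'."""
    if tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1]), i + 2
    else:
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return net, port, i


def parse_rule(line):
    """Return (action, proto, src_net, src_port, dst_net, dst_port)."""
    t = line.split()
    src, sport, i = _parse_endpoint(t, 2)
    dst, dport, _ = _parse_endpoint(t, i)
    return t[0], t[1], src, sport, dst, dport


def vpn_filter_allows(initiator, responder, dport, rules=VPN_FILTER):
    """Decide whether a new TCP connection passes the vpn-filter."""
    init, resp = ipaddress.ip_address(initiator), ipaddress.ip_address(responder)
    if init in REMOTE_NET:   # remote opened it: evaluate as written
        src, sport, dst, dp = init, None, resp, dport
    else:                    # local opened it: remote responder becomes source
        src, sport, dst, dp = resp, dport, init, None
    for rule in rules:
        action, proto, rsrc, rsport, rdst, rdport = parse_rule(rule)
        if proto != "tcp" or src not in rsrc or dst not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dp:
            continue
        return action == "permit"   # first match wins
    return False                    # implicit deny at end of ACL
```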