625 Views · 0 Helpful · 3 Replies

vpn traffic

john.mason.jr
Level 1

I have been looking all over the place on how to do this. Maybe I am not searching right, but here we go.

I have a site-to-site tunnel with a 5505 and a 5510. I can pass traffic back and forth, RDP etc.

What I need to do is configure the 5505 to reach all the machines on the other side of the 5510

but

have all the local machines on the 5510 side not be able to reach any local machines on the 5505 side.

There are 2 machines on the 5510 that need to reach out to local side of the 5505.

One machine needs SMTP access

and the other needs RDP access, and that is it.

I hope this makes sense. Just a bit confused right now.

Thanks,

Chris

3 Replies

Jouni Forss
VIP Alumni

Hi,

So I assume your only goal is to limit what connections can be formed through the L2L VPN connection that is already working?

There are at least 3 options:

  • Limit connectivity at each end with the ACLs already attached to the interface behind which the users are located.
  • Configure a separate VPN Filter ACL for the L2L VPN connection you have and define there which ports are open and for which hosts/networks.
  • One option that I like personally is to change the default behaviour of the ASA and configure "no sysopt connection permit-vpn".
    • While the default setting enables all connections coming through a VPN connection to bypass the "outside" interface ACL, disabling this setting with the "no" form of the command makes it possible to control traffic on the "outside" interface ACL like any other traffic entering through "outside".
    • When implementing this you will naturally have to take it into account with every single VPN connection you have configured on the ASA in question, as this setting is applied globally on the ASA.

Let me know if you need any specifics on something

Hope the information was helpful.

- Jouni

Yes, my goal is to limit connections that are already in place. I have been playing around on my 2 test ASAs.

I'm trying to understand the sysopt connection, but in the meantime...

With the IPsec tunnel in place I have the following ACL in place:

outside_cryptomap

     source                  destination              service    action
     inside (192.168.81.0)   192.168.80.0 (outside)   ip         Permit

which I know allows all traffic. If I were to deny, then I would lose the connection, which I understand.

So what I am trying to do in my test is just allow RDP. I have tried a bunch of things and I think I am lost now.

Hi,

If we are just talking about a test setup and not a production environment, then you could enter the command "no sysopt connection permit-vpn" on the ASA.

After this you would have to allow connections from the remote site on the ACL that is attached to the "outside" interface of the ASA.

Optionally there's the possibility to use a VPN Filter ACL instead of the above approach.

For example you could have the below configuration (only the partial configuration related to the L2L VPN).

What you have to notice with the L2L VPN Filter ACL format is that no matter in which direction you are opening the connection, the remote network is ALWAYS the source address in the ACL rule.

In the below case, for example, I presume that the remote network is 192.168.81.0/24 and the local network is 192.168.80.0/24.

The below VPN Filter ACL would allow your local LAN 192.168.80.0/24 to connect to the remote host 192.168.81.100 on destination port TCP/3389.

The second ACL rule would allow the remote network to connect to the local host 192.168.80.100 on destination port TCP/25 (SMTP).

It would block all the rest of the connections.

  • First you configure the VPN Filter ACL.
  • You then attach it to a group-policy (if no group-policy has been created for the L2L VPN, then you need to make a new one).
  • You then attach that group-policy to the L2L VPN tunnel-group.

! VPN Filter ACL: the remote side (192.168.81.0/24) is always written as the source
access-list L2L-VPN-FILTER remark Local LAN -> remote host 192.168.81.100 RDP (remote host/port is the source)
access-list L2L-VPN-FILTER permit tcp host 192.168.81.100 eq 3389 192.168.80.0 255.255.255.0
access-list L2L-VPN-FILTER remark Remote network -> local host 192.168.80.100 SMTP
access-list L2L-VPN-FILTER permit tcp 192.168.81.0 255.255.255.0 host 192.168.80.100 eq smtp
!
group-policy L2L-VPN-POLICY internal
group-policy L2L-VPN-POLICY attributes
 vpn-filter value L2L-VPN-FILTER
!
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy L2L-VPN-POLICY

- Jouni
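As an added example (not posted in this thread and not Cisco documentation), here is how the requirement in the original post maps onto the third option from the first reply, "no sysopt connection permit-vpn" plus an ACL on the outside interface of the 5505. The reason for choosing this route over the VPN Filter shown above: a vpn-filter ACL is evaluated against traffic in both directions with the remote network as the source, so a blanket rule letting the 5505 LAN reach everything on the 5510 side would equally let every 5510-side host open connections back. An interface ACL is only consulted for the first packet of a connection and return traffic is allowed by stateful inspection, which gives the one-way behaviour the post asks for. Addressing is assumed: 5505 LAN 192.168.81.0/24 and 5510 LAN 192.168.80.0/24 (as in the test ACL table above), tunnel peer 1.2.3.4 as in the reply, and hypothetical hosts 192.168.80.10 (SMTP client), 192.168.80.11 (RDP client), 192.168.81.25 (mail server) and 192.168.81.50 (RDP target).

```cisco
! Added example, not from the thread: 5505 side, one-way control over the existing L2L tunnel.
! Assumed addressing: 5505 LAN 192.168.81.0/24, 5510 LAN 192.168.80.0/24, tunnel peer 1.2.3.4.
! Hypothetical hosts: 192.168.80.10 (SMTP client), 192.168.80.11 (RDP client),
!                     192.168.81.25 (mail server), 192.168.81.50 (RDP target).
!
! 1. Stop VPN traffic from bypassing the outside interface ACL. This is global on the ASA:
!    any other VPN terminating on this 5505 must from now on also be permitted in OUTSIDE-IN.
no sysopt connection permit-vpn
!
! 2. Only these two 5510-side hosts may open connections into the 5505 LAN, each to one
!    service. Replies to connections the 5505 LAN opens are matched by the connection table,
!    so nothing else from 192.168.80.0/24 needs a permit here.
access-list OUTSIDE-IN extended permit tcp host 192.168.80.10 host 192.168.81.25 eq smtp
access-list OUTSIDE-IN extended permit tcp host 192.168.80.11 host 192.168.81.50 eq 3389
access-list OUTSIDE-IN extended deny ip 192.168.80.0 255.255.255.0 192.168.81.0 255.255.255.0 log
! (rules you already have for non-VPN inbound traffic on outside follow here)
access-group OUTSIDE-IN in interface outside
!
! 3. The crypto map ACL from the post (outside_cryptomap, permit ip 192.168.81.0/24 -> 192.168.80.0/24)
!    stays as it is: it only defines what is encrypted, not what is allowed.
!    With no ACL on the inside interface, the 5505 LAN keeps its default permit to everything
!    behind the 5510.
```

If an ACL is already bound to the outside interface, insert the three entries above ahead of the existing ones with `access-list OUTSIDE-IN line N ...` rather than appending them, otherwise an earlier broad permit wins. To verify without touching a real client, run `packet-tracer input outside tcp 192.168.80.11 12345 192.168.81.50 3389` (should be allowed) and `packet-tracer input outside tcp 192.168.80.11 12345 192.168.81.50 445` (should be dropped by the deny), then watch `show access-list OUTSIDE-IN` hit counts while the two 5510-side hosts connect. The `log` keyword on the deny sends each blocked attempt from the 5510 side to syslog, which is useful for spotting a third host that also needs access before it becomes a ticket.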