02-08-2013 01:55 PM
I was wondering if there is a way to only allow one side of a VPN tunnel to create connections?
Example: I have a VPN tunnel going to a site with servers that I manage. I want to be able to get to the servers (through RDP, SSH, etc.) and allow return traffic, but I don't want the servers to be able to reach me (through RDP, SSH, etc.).
Any ideas?
I am using a Cisco ASA5540.
02-08-2013 02:05 PM
Hi,
You have at least 2 possibilities.
If this is something you are looking for I can tell you how to achieve either of them.
- Jouni
02-08-2013 03:21 PM
Thanks for your help. I found a walkthrough on how to do the first option. Thanks again.
02-08-2013 03:40 PM
Thanks again, Jouni. I have one more question for you about creating the ACL for a VPN filter, to make sure I am doing it correctly.
Say I want to block traffic from 2.2.2.2 from reaching 1.1.1.1 but allow 1.1.1.1 to access 2.2.2.2. Would this be correct for the access list?
access-list VPN_FILTER extended deny ip host 2.2.2.2 host 1.1.1.1 (or just leave it for the implicit deny)
access-list VPN_FILTER extended permit ip host 1.1.1.1 host 2.2.2.2
Thanks
02-08-2013 03:53 PM
Hi,
As I said, the L2L VPN Filter ACL follows a bit different logic than the interface ACL.
To my knowledge the L2L VPN Filter ACL must be configured so that the remote network is always the "source" address in the ACL rule.
So, for example, let's take the following scenario.
The L2L VPN Filter ACL would look like this
access-list L2L-VPN-FILTER remark Local -> Remote TCP/3389
access-list L2L-VPN-FILTER permit tcp host 10.10.20.20 eq 3389 host 10.10.10.10
access-list L2L-VPN-FILTER remark Remote -> Local TCP/80
access-list L2L-VPN-FILTER permit tcp host 10.10.20.20 host 10.10.10.10 eq 80
It is a bit of a confusing format, as the ACL always needs to have the remote network/host as the source address.
I personally don't like the L2L VPN Filter ACL that much, and I tend to disable the setting that lets VPN traffic bypass the "outside" interface ACL and just control the traffic in a normal interface ACL, which is a lot simpler.
- Jouni
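To make the "remote host is always the source" rule concrete, here is an added example (my own code, not from Jouni or the thread) that turns a policy written from the local side's perspective into vpn-filter ACEs in that form. The policy entries, the Flow class and the helper names are assumptions of this example; it reproduces the two ACEs above from the intent "local may RDP to remote, remote may HTTP to local".

```python
"""Generate Cisco ASA L2L vpn-filter ACL lines with the remote host as source.

Assumption (not from the thread): policy is stated from the local side's view,
and only TCP/UDP flows with a single destination port are handled.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    proto: str             # "tcp" or "udp"
    local: str             # local host IP (our side of the tunnel)
    remote: str            # remote host IP (peer side of the tunnel)
    port: int              # destination port of the connection
    local_initiates: bool  # True: local -> remote; False: remote -> local


def vpn_filter_line(acl: str, f: Flow) -> str:
    """Return one ACE in which the remote host is always the source.

    Local-initiated flow: the remote host is the server, so its service port
    is the ACE's *source* port and the local host is the destination (no port).
    Remote-initiated flow: the remote host is the client (no source port) and
    the local service port is the ACE's *destination* port.
    """
    if f.proto not in ("tcp", "udp"):
        raise ValueError("only tcp/udp flows with a port are supported")
    if f.local_initiates:
        return (f"access-list {acl} permit {f.proto} "
                f"host {f.remote} eq {f.port} host {f.local}")
    return (f"access-list {acl} permit {f.proto} "
            f"host {f.remote} host {f.local} eq {f.port}")


def build_vpn_filter(acl: str, flows: List[Flow]) -> List[str]:
    """Emit a remark plus one ACE per policy entry, in policy order."""
    lines = []
    for f in flows:
        direction = "Local -> Remote" if f.local_initiates else "Remote -> Local"
        lines.append(f"access-list {acl} remark {direction} {f.proto.upper()}/{f.port}")
        lines.append(vpn_filter_line(acl, f))
    return lines


if __name__ == "__main__":
    # Constructed sample policy matching the scenario in the thread.
    policy = [Flow("tcp", "10.10.10.10", "10.10.20.20", 3389, True),
              Flow("tcp", "10.10.10.10", "10.10.20.20", 80, False)]
    print("\n".join(build_vpn_filter("L2L-VPN-FILTER", policy)))
```

Anything not listed in the policy falls to the vpn-filter's implicit deny, which is what gives the one-way behaviour the original question asks for.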
02-08-2013 03:57 PM
Thanks for the quick reply. You have been very helpful. How would I disable the setting that lets VPN traffic bypass the "outside" interface?
Thanks
02-08-2013 04:04 PM
Hi,
In my software level the command would be "no sysopt connection permit-vpn". This is the new format of the command. Some older software versions might have a slightly different format of this command.
In the event it's different on your ASA, you should be able to find the correct one on the CLI while browsing "sysopt ?" and so on.
Notice that when you issue the "no" form of the command it will then disable the feature, and every host connecting behind a VPN connection will need ACL rules on the "outside" interface ACL for traffic to get through the ASA. This will apply to existing VPN Client traffic as well as L2L VPN.
- Jouni
02-08-2013 05:35 PM
Thanks again for all of your help.