VPN Tunnel Access Question

johnnywi43
Level 1

I was wondering if there is a way to only allow one side of a VPN tunnel to create connections?

Example: I have a VPN tunnel going to a site with servers that I manage. I want to be able to get to the servers (through RDP, SSH, etc.) and allow return traffic, but I don't want the servers to be able to reach me (through RDP, SSH, etc.).

Any ideas?

I am using a Cisco ASA 5540.


Jouni Forss
VIP Alumni

Hi,

You have at least 2 possibilities:

  • You can configure a VPN Filter ACL on the L2L VPN connection.
    • In the long run a somewhat messier solution, mostly due to the L2L VPN Filter ACL having a slightly different configuration format than the usual interface ACL.
  • You can disable (if not already disabled) the feature that lets all traffic entering from a VPN connection bypass your "outside" interface ACL. This way you can control the traffic entering from the L2L VPN with the "outside" interface ACL.
    • Connections are allowed like any other connection from the Internet in the "outside" interface ACL, so it's pretty simple to manage.

If this is something you are looking for, I can tell you how to achieve either of them.

- Jouni

Thanks for your help. I found a walk through on how to do the first option. Thanks again.

Thanks again Jouni. I have one more question for you about creating the ACL for a VPN filter, to make sure I am doing it correctly.

Say I want to block traffic from 2.2.2.2 from reaching 1.1.1.1 but allow 1.1.1.1 to access 2.2.2.2. Would this be correct for the access list?

access-list VPN_FILTER extended deny ip host 2.2.2.2 host 1.1.1.1 (or just leave it for the implicit deny)
access-list VPN_FILTER extended permit ip host 1.1.1.1 host 2.2.2.2

Thanks

Hi,

As I said, the L2L VPN Filter ACL follows a slightly different logic than the interface ACL.

To my knowledge the L2L VPN Filter ACL must be configured so that the remote network is always the "source" address in the ACL rule.

So for example, let's take the following scenario:

  • local host 10.10.10.10
  • remote host 10.10.20.20
  • local host needs to reach remote host on TCP/3389
  • remote host needs to reach local host on TCP/80

The L2L VPN Filter ACL would look like this:

access-list L2L-VPN-FILTER remark Local -> Remote TCP/3389
access-list L2L-VPN-FILTER permit tcp host 10.10.20.20 eq 3389 host 10.10.10.10
access-list L2L-VPN-FILTER remark Remote -> Local TCP/80
access-list L2L-VPN-FILTER permit tcp host 10.10.20.20 host 10.10.10.10 eq 80

It is a bit of a confusing format, as the ACL always needs to have the remote network/host as the source address.

I personally don't like the L2L VPN Filter ACL that much, and I tend to disable the setting that lets VPN traffic bypass the "outside" interface ACL and just control the traffic in a normal interface ACL, which is a lot simpler.

- Jouni
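A small generator for the filter described above, added here as an example (it is not part of Jouni's reply or any Cisco tooling): it emits the two entries from the scenario in remote-as-source form and flags entries written the other way round, such as a rule with 1.1.1.1 as the source when 2.2.2.2 is the remote host. The `Flow` type and function names are this example's own.

```python
# Added example (not from the thread): build an ASA L2L vpn-filter ACL the way
# the reply describes, with the REMOTE peer as the source of every entry no
# matter which side opens the connection. Addresses are the ones in the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    initiator: str  # "local" or "remote": which side opens the connection
    local: str      # local host address
    remote: str     # remote (peer-side) host address
    proto: str      # "tcp" or "udp"
    port: int       # service port the connection is made to

def vpn_filter_entry(acl: str, flow: Flow) -> str:
    # The remote host is always the source. "eq <port>" sits on the side that
    # listens: after the remote when the local side initiates (replies come
    # from the remote service port), after the local host when the remote
    # side initiates.
    if flow.initiator == "local":
        return (f"access-list {acl} permit {flow.proto} host {flow.remote} "
                f"eq {flow.port} host {flow.local}")
    if flow.initiator == "remote":
        return (f"access-list {acl} permit {flow.proto} host {flow.remote} "
                f"host {flow.local} eq {flow.port}")
    raise ValueError(f"initiator must be 'local' or 'remote': {flow.initiator!r}")

def build_vpn_filter(acl: str, flows: list[Flow]) -> list[str]:
    # One remark plus one entry per flow; everything else hits the implicit deny.
    lines = []
    for f in flows:
        direction = "Local -> Remote" if f.initiator == "local" else "Remote -> Local"
        lines.append(f"access-list {acl} remark {direction} {f.proto.upper()}/{f.port}")
        lines.append(vpn_filter_entry(acl, f))
    return lines

def misoriented_entries(lines: list[str], remote_hosts: set[str]) -> list[str]:
    # Flag entries whose source "host" is not a remote address, i.e. lines
    # written interface-ACL style (local as source) that a vpn-filter will not
    # apply the way the author expects. Remarks and any/network entries are skipped.
    bad = []
    for line in lines:
        tok = line.split()
        if "remark" in tok or "host" not in tok:
            continue
        if tok[tok.index("host") + 1] not in remote_hosts:
            bad.append(line)
    return bad
```

Running `build_vpn_filter("L2L-VPN-FILTER", ...)` with the two flows from the scenario reproduces the four lines shown in the reply.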

Thanks for the quick reply. You have been very helpful. How would I disable the setting that lets vpn traffic bypass the "outside" interface?

Thanks

Hi,

On my software version the command would be "no sysopt connection permit-vpn". This is the new format of the command. Some older software versions might have a slightly different format of this command.

In the event it's different on your ASA, you should be able to find the correct one on the CLI by browsing "sysopt ?" and so on.

Notice that when you issue the "no" form of the command it will disable the feature, and every host connecting from behind a VPN connection will need ACL rules on the "outside" interface ACL for its traffic to get through the ASA. This will apply to existing VPN Client traffic as well as L2L VPN.

- Jouni

Thanks again for all of your help.
