VPN with more than one filter / nested ACL

dredlord44
Level 1

Dear All,

Is there a way to assign more than one ACL to a VPN profile or implement a nested ACL structure?

I am trying to avoid modifying a large list of ACLs to insert the same ACE in each ACL bound to different VPN profiles.

3 Replies

Jouni Forss
VIP Alumni

Hi,

If we are talking about ASAs and VPN Filter ACLs then have you considered the option where you change the global setting

NOTE: The below setting should not be changed unless you know its effects in your environment

sysopt connection permit-vpn

to

no sysopt connection permit-vpn

So that you can handle all access control on your external interface's ACL rather than with separate VPN Filter ACLs?

Naturally in an existing environment this might be a bit tricky to implement as BEFORE changing the above setting you would have to make sure that all the traffic required (or everything) from the VPN connections is allowed in the interface ACL.

Implementing this would eventually let you modify a single ACL (the external interface ACL) for all the rules that should apply to connections initiated from behind VPN Connections.

- Jouni

This would not fall in line with our requirements since the filters are all business specific and hence have separate access rules which would be a bit complex to regulate with an interface ACL.

My research with regards to nested ACLs has not proved fruitful hence I believe this option does not exist as yet.

Hi,

I know only a few basic ways to control the VPN users' traffic; they basically are

  • Changing the global "sysopt" setting and controlling all user traffic on the external interface ACL
  • Use separate VPN Filter ACLs
  • If using subinterfaces for local interfaces, then tie the VPN connection to a specific VLAN, which would allow connectivity only towards that VLAN subinterface for those VPN users.

In some cases we might use a separate device to do the access control.

But I guess if the requirement is to have a specific ACL for each VPN user group then the original suggestion is not an option for you.

I was just thinking that using the same ACL would make it easier to generate the new configuration addition. At least in the sense that the ACL name for each rule would be the same. If you didn't make too broad ACL rules it would not really allow any connectivity between the different networks involved, though that would also depend on the NAT configurations, not just the ACL.

- Jouni
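Since the thread concludes that nested ACLs are not available and each VPN group keeps its own VPN Filter ACL, the remaining chore is the one the original question describes: pushing the same ACE into every filter ACL. The script below is an added example, not code from the thread or from Cisco; it reads the `group-policy ... attributes` / `vpn-filter value` bindings out of a running-config and renders the `access-list` lines for each bound filter ACL, so the addition is generated rather than hand-edited. The ACL names, group-policy names and addresses are constructed placeholders, and it assumes the ASA convention that a vpn-filter ACL is written with the VPN client side as the source.

```python
"""Generate the ASA CLI lines that add one ACE to every bound vpn-filter ACL.

Added example for the thread above (not Cisco's code, not the poster's).
All names and addresses below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of an ASA running-config: two group policies with their
# own VPN Filter ACLs, one policy without a filter, plus an interface ACL.
SAMPLE_RUNNING_CONFIG = """\
access-list VPNF_SALES extended permit ip 10.200.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list VPNF_HR extended permit ip 10.200.2.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-filter value VPNF_SALES
group-policy GP_HR internal
group-policy GP_HR attributes
 vpn-filter value VPNF_HR
group-policy GP_CONTRACTOR internal
group-policy GP_CONTRACTOR attributes
 vpn-filter none
"""


@dataclass(frozen=True)
class Ace:
    """One extended ACE. For a vpn-filter ACL, src is the VPN client side."""
    action: str          # "permit" or "deny"
    protocol: str        # "ip", "tcp", "udp", "icmp", ...
    src: str             # "any", "host 10.1.1.1" or "10.1.0.0 255.255.0.0"
    dst: str
    port: str = ""       # trailing port clause such as "eq 443"; empty = none

    def render(self, acl_name: str, line: Optional[int] = None) -> str:
        line_clause = f" line {line}" if line is not None else ""
        port_clause = f" {self.port}" if self.port else ""
        return (f"access-list {acl_name}{line_clause} extended "
                f"{self.action} {self.protocol} {self.src} {self.dst}{port_clause}")


_GP_ATTR = re.compile(r"^group-policy (\S+) attributes$")
_VPN_FILTER = re.compile(r"^\s+vpn-filter value (\S+)$")


def bound_vpn_filters(config: str) -> Dict[str, str]:
    """Map group-policy name -> vpn-filter ACL name for each policy that binds one."""
    result: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        m = _GP_ATTR.match(raw)
        if m:
            current = m.group(1)          # entered "group-policy X attributes"
            continue
        if raw and not raw[0].isspace():
            current = None                # a top-level line ends the sub-mode
            continue
        m = _VPN_FILTER.match(raw)
        if m and current is not None:     # "vpn-filter none" does not match
            result[current] = m.group(1)
    return result


def ace_for_all_filters(config: str, ace: Ace, line: Optional[int] = None,
                        remark: str = "") -> List[str]:
    """CLI lines adding `ace` (and an optional remark) once to every bound filter ACL.

    With no line number the lines append to the end of each ACL; with one, the
    remark takes that line and the ACE the next so they stay adjacent.
    """
    cmds: List[str] = []
    for acl in sorted(set(bound_vpn_filters(config).values())):
        if remark:
            line_clause = f" line {line}" if line is not None else ""
            cmds.append(f"access-list {acl}{line_clause} remark {remark}")
            ace_line = line + 1 if line is not None else None
        else:
            ace_line = line
        cmds.append(ace.render(acl, ace_line))
    return cmds


if __name__ == "__main__":
    shared = Ace("permit", "tcp", "any", "host 10.1.99.10", "eq 443")
    for cmd in ace_for_all_filters(SAMPLE_RUNNING_CONFIG, shared,
                                   remark="shared intranet portal"):
        print(cmd)
```

Run it against a saved `show running-config` and paste the output into configuration mode; because the ACE is only ever emitted for ACLs that are actually bound by a `vpn-filter value` statement, unused or renamed filter ACLs are not touched.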