01-27-2012 07:44 AM
Hi,
If we have a LAN-to-LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need individual access-list entries in the security policy? (I had a similar case where I had to put an entry in the security policy for port 16000 between the two subnets used on the LAN-to-LAN firewalls.)
I was under the impression the security policy applies only to non-VPN traffic, and that for VPN traffic we need to specify it on the IPsec tunnel (under the Service tab).
Thanks
01-27-2012 08:57 AM
Your question is not very clear to me. However, if you mean to ask whether you need extra ACLs for VPN, then the answer is yes: you need to call an ACL for crypto as well as for NAT exempt while configuring a site-to-site VPN.
Thanks
Ajay
01-27-2012 09:00 AM
Yep, apart from the ACL (that is encrypted in the tunnel), do we need any extra ACL to allow access to the specific ports? (Please note that in the extended ACL for the VPN I have allowed IP traffic, which means all traffic.) But I have had to put in an extra ACL apart from the first one and mention the port numbers. Not sure why? (I thought the ACLs in the security policy tab are needed only for non-VPN traffic.)
01-27-2012 09:08 AM
There are two ways you can filter traffic which is moving over the VPN.
1) Filter at the source; of course ACLs are required.
For example, the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.
The ACL would be:
! deny HTTP from Site A to Site B, permit everything else, then apply inbound on the inside interface
access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
access-list XXX extended permit ip any any
access-group XXX in interface inside
So this will deny port 80 and permit the rest of the traffic.
2) You can configure a VPN filter, which is called under the group policy.
Thanks
Ajay
01-27-2012 09:21 AM
The normal access list that you allow through the tunnel would be
access-list outside_10_cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
Now I have allowed IP between the 10.10.10.0 and 20.20.20.0 subnets (either side of the tunnel).
Now, if I want to allow port 15000, I thought that since I am allowing IP it should work, but I had to put in an access list as:
access-list OUTSIDE_IN extended permit tcp host 10.10.10.10 host 20.20.20.20 eq 15000
So I am not sure why the above OUTSIDE_IN statement would be needed, as IP is allowed through the tunnel?
01-27-2012 09:29 AM
Turn on this command and remove the statement and then try-
config#sysopt connection permit-vpn
Thanks
Ajay
01-27-2012 09:41 AM
Thanks for this, but unfortunately I can't test this as it's in production. But what does this command do?
01-27-2012 09:59 AM
It bypasses the ACL configured on the interface.
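To make the three options discussed in this thread concrete, here is an added ASA configuration sketch (not from any poster, and not tested against the original setup). It assumes the subnets and ACL names used above, a hypothetical peer address 203.0.113.2, and a hypothetical group policy name L2L_GP.

```cisco
! Crypto ACL: defines which traffic enters the tunnel (from the original posts)
access-list outside_10_cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

! Option A (Ajay's suggestion): decrypted VPN traffic skips the interface ACL,
! so the OUTSIDE_IN entry for port 15000 is no longer needed.
sysopt connection permit-vpn

! Option B: keep interface ACL enforcement for decrypted traffic; each VPN
! flow must then also be permitted by the ACL on the outside interface.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp host 10.10.10.10 host 20.20.20.20 eq 15000
access-group OUTSIDE_IN in interface outside

! Option C (Ajay's "VPN filter"): filter inside the tunnel regardless of sysopt.
! Caveat: a vpn-filter ACL is written from the remote peer's perspective,
! i.e. source = remote network, destination = local network.
access-list VPN_FILTER extended permit tcp 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 15000
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value VPN_FILTER
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_GP
```

Options A and B are mutually exclusive (the `sysopt` setting is global and affects every tunnel on the box), while a vpn-filter can be layered on top of either.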