
Tuesday, August 24, 2010

VPN-filter question in 8.2.3 or 8.3.2: where the source is in the src_ip and the destination is in the dest_ip positions of the syntax?

There is a 2008 document titled "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access".

In it is written:

When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

This has always been confusing, because in every other Cisco product ACLs are constructed with the source in the src_ip position (the first position) of the ACL syntax.
Has this been changed in either 8.2.3 or 8.3.2 to follow the normal ACL syntax, where the source is in the src_ip and the destination is in the dest_ip positions of the syntax?

The reason we want to use a vpn-filter is to limit what traffic can initiate the tunnel and bring it up. Say I want local host A to open a TCP socket connection to remote host B on TCP port 104. I want only TCP 104 from A to B to bring the tunnel up. We don't want any IP to bring the tunnel up and then have to restrict traffic to only TCP 104 after the tunnel is up. The way the vpn-filter ACL syntax seems to work, then, since it's bidirectional, is that it will allow host B to bring the tunnel up too.

access-list VPN_FILTER extended permit tcp host B eq 104 host A (this will allow both host A and B to bring the tunnel up?)

How do we do an L2L config where only local host A opening a TCP 104 connection to remote host B will bring the tunnel up? Or is this not possible with the ASA?

Tips:

The idea of a vpn-filter was to permit or deny certain traffic entering the security device through the VPN based on criteria such as source address, destination address, and protocol. Hence the access-list configuration is different from a normal access-list configured on the ASA. It basically considers the traffic sourced from the remote end to the internal network behind the ASA to be the traffic matched for filtering, hence the reversal of source and destination. This has not changed in 8.2.3 or 8.3.2. So you would not be able to restrict what traffic brings up the tunnel using vpn-filters.

A better option would be to have an access-list on the inside interface of Site A allowing traffic from host A to B only on TCP 104 and not on other ports.

Also, if you would like only Site A (which has host A) to initiate the tunnel and not Site B (which has host B), you will need to add the following command to the crypto map on Site B. Please find the reference link here.

That is, Site B should be answer-only. Hence, Site B will not initiate the tunnel.
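The three pieces of the answer above (the reversed vpn-filter ACL, the inside-interface ACL on Site A, and answer-only on Site B) put together as one ASA configuration. This is an added example, not configuration from the original discussion or from the Cisco document; the addresses, the peer IP, and the crypto map, ACL, group-policy and tunnel-group names are all assumed placeholders.

```cisco
! Added example, not from the original post. Assumed placeholders:
!   local host A  = 10.1.1.10 (behind the Site A ASA)
!   remote host B = 10.2.2.20 (behind the Site B ASA)
!   Site B peer   = 203.0.113.2
!   crypto map OUTSIDE_MAP sequence 10 on both ASAs
!
! ---------------- Site A ASA ----------------
!
! 1. vpn-filter ACL: REMOTE host in the src position, LOCAL host in the
!    dest position (this ordering is unchanged in 8.2.3 / 8.3.2).
!    The port after the remote host is B's port, so this line permits
!    A -> B:104 and its return traffic. Because the filter is evaluated
!    for both directions it also permits B:104 -> A, and it only applies
!    to traffic inside an established tunnel; it does not decide who is
!    allowed to bring the tunnel up.
access-list VPN_FILTER_B extended permit tcp host 10.2.2.20 eq 104 host 10.1.1.10
!
group-policy GP_SITE_B internal
group-policy GP_SITE_B attributes
 vpn-filter value VPN_FILTER_B
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP_SITE_B
!
! 2. Inside-interface ACL (normal src -> dst order): only A -> B on
!    tcp/104 may head toward host B, so only that flow can reach the
!    crypto map and trigger tunnel setup from Site A. Any other traffic
!    to B is dropped before it becomes interesting traffic; the final
!    permit keeps the rest of the inside traffic working (ASA ACLs end
!    in an implicit deny).
access-list INSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 104
access-list INSIDE_IN extended deny ip any host 10.2.2.20
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 3. Optional: Site A only ever originates this tunnel.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
!
! ---------------- Site B ASA ----------------
!
! 4. answer-only: Site B accepts negotiation from Site A but never
!    initiates, so nothing on the B side (host B included) can bring
!    the tunnel up.
crypto map OUTSIDE_MAP 10 set connection-type answer-only
```

The crypto map's `match address` ACL on each side still defines the interesting traffic and is unchanged here; the inside ACL simply stops every flow other than A -> B:104 from reaching it, and answer-only on Site B removes the other direction of initiation entirely. Check the result with `show crypto isakmp sa` / `show crypto ipsec sa` after sending a tcp/104 connection from A and, separately, a tcp/104 connection from B: only the first should raise the tunnel.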

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
