Velocity Reviews - Computer Hardware Reviews

How do I filter VPN traffic?

Brian P.
04-26-2006
Hi

We have an ASA5510 where I need to limit access through a VPN tunnel to
accept only FTP traffic.

How do I do that?

If I choose to do it in the VPN access-lists, I get a warning.

A person told me to accept all traffic through the VPN tunnel, and then
make a separate access-list where I accept only FTP traffic.

But how do I do that?

Shall I assign that access-list to the outside interface or to the inside
interface?

Please show me an example.


Thanks

Brian P.

AM
04-26-2006
Brian P. wrote:
> Hi
>
> We have an ASA5510 where I need to limit access through a VPN tunnel to
> accept only FTP traffic.


I can tell how a PIX525 with 6.3(4) works. It should work for the ASA too, as that behavior is the same between PIX 7.0.x
and 6.3(4), and ASA and PIX for most aspects share most of the rule set.

Check whether the "sysopt connection permit-ipsec" is disabled. Type "no sysopt connection permit-ipsec". If that option
is enabled the traffic coming from the IPsec tunnels is not matched against the ACL on the interface where the tunnels
terminate and so all the encrypted traffic passes through the interface unchecked.
Then if the VPNs terminate on the outside interface, treat the traffic coming from the VPNs as if it came unprotected from the
outside interface. Obviously you must merge the new rules with those already present in the access list applied to the
outside interface.

HTH.

Alex.
Kevin Widner
04-26-2006
group-policy VPN-Policy attributes
vpn-filter value vpn_access_list


Then create an ACL named "vpn_access_list" in the case of this example.
This doesn't work for WebVPN connections as far as I know, but for
standard IPsec tunnels it should work.
 
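As an added example (not code from the thread), the following Python model puts Alex's and Kevin's two checks side by side: the outside interface ACL, which decrypted tunnel traffic bypasses while "sysopt connection permit-ipsec" is enabled, and a vpn-filter ACL attached to the group-policy. It parses a constructed ASA extended ACL that permits only the FTP control connection (TCP/21) to one local server and shows which tunnel flows get through; the ACL name and all addresses are made up for the example. Note that a vpn-filter ACL is written with the remote VPN side as source and the local network as destination, and the ASA applies it to both directions of the tunnel.

```python
import ipaddress

# Constructed ACL in ASA "extended" syntax, written the way a vpn-filter ACL
# must be: source = remote VPN side, destination = local network. The name and
# addresses are made up for this example.
ACL_TEXT = """
access-list VPN-FTP-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 21
access-list VPN-FTP-ONLY extended deny ip any any
"""

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action == "permit", proto, src, dst, port))
    return rules

def acl_allows(rules, proto, src, dst, dport):
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for permit, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto)
                and ipaddress.ip_address(src) in rsrc
                and ipaddress.ip_address(dst) in rdst
                and (rport is None or rport == dport)):
            return permit
    return False

def vpn_filter_allows(rules, proto, remote_ip, local_ip, local_port):
    """The ASA applies a vpn-filter to both directions of the tunnel with the
    remote end as source and the local end and port as destination."""
    return acl_allows(rules, proto, remote_ip, local_ip, local_port)

def outside_acl_allows(rules, proto, src, dst, dport, sysopt_permit_ipsec):
    """With 'sysopt connection permit-ipsec' on, decrypted tunnel traffic
    skips the outside interface ACL altogether (Alex's point above)."""
    return True if sysopt_permit_ipsec else acl_allows(rules, proto, src, dst, dport)
```

For instance, `vpn_filter_allows(parse_acl(ACL_TEXT), "tcp", "10.10.10.5", "192.168.1.20", 21)` returns True, while the same client reaching port 3389 on that server, or port 21 on any other local host, returns False.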
Lutz Donnerhacke
04-26-2006
* Kevin Widner wrote:
> If I choose to do it in the VPN access-lists, I got a warning.


Of course. VPN "access-lists" are protocol identifiers, but not filters.

> A person told me to accept all traffic through the VPN tunnel, and then
> make a separate access-list where I accept only FTP traffic.


Correct.

> But how do I do that?


access-group ...

> Shall I assign that access-list to outside interface or to inside
> interface?


Assign the list to the appropriate interface.

Brian P.
05-01-2006


Thanks for all your help .... now I can filter properly


B.R.

Brian P.


staticprop
03-09-2011
This information was very helpful to me as well.

The commands I used to make a VPN ACL are below.

group-policy DfltGrpPolicy attributes

access-list my-restrictions extended permit ip any host 192.168.0.# log
access-list my-restrictions extended permit ip any host 192.168.0.# log
access-list my-restrictions extended permit ip any host 192.168.0.# log
access-list my-restrictions extended permit tcp any host 192.168.0.# eq 3389 log
access-list my-restrictions extended deny ip any any

group-policy DfltGrpPolicy attributes
vpn-filter value my-restrictions
access-group my-restrictions in interface LAB

Thank you.