How do I filter VPN traffic?

Discussion in 'Cisco' started by Brian P., Apr 26, 2006.

  1. Brian P.

    Brian P. Guest

    Hi

    We have an ASA5510 where I need to limit access through a VPN tunnel to
    accept only FTP traffic.

    How do I do that?

    If I choose to do it in the VPN access-lists, I got a warning.

    A person told me to accept all traffic through the VPN tunnel, and then
    make a separate access-list
    where I accept only FTP traffic.

    But how do I do that?

    Shall I assign that access-list to outside interface or to inside
    interface?

    Please show me an example.


    Thanks

    Brian P.
    Brian P., Apr 26, 2006
    #1

  2. AM

    AM Guest

    Brian P. wrote:
    > Hi
    >
    > We have an ASA5510 where I need to limit access through a VPN tunnel to
    > accept only FTP traffic.


    I can tell how a PIX525 with 6.3(4) works. It should work for the ASA too, as that behavior is the same between PIX 7.0.x
    and 6.3(4), and ASA and PIX share most of the rule set in most respects.

    Check whether "sysopt connection permit-ipsec" is disabled. Type "no sysopt connection permit-ipsec". If that option
    is enabled, the traffic coming from the IPsec tunnels is not matched against the ACL on the interface where the tunnels
    terminate, and so all the encrypted traffic passes through the interface unchecked.
    Then, if the VPNs terminate on the outside interface, it treats the traffic coming from the VPNs as if it came unprotected from the
    outside interface. Obviously you must merge the new rules with those already present in the access list applied to the
    outside interface.

    HTH.

    Alex.
    AM, Apr 26, 2006
    #2

  3. Kevin Widner

    Kevin Widner Guest

    Hi

    We have an ASA5510 where I need to limit access through a VPN tunnel to
    accept only FTP traffic.

    How do I do that?

    If I choose to do it in the VPN access-lists, I got a warning.

    A person told me to accept all traffic through the VPN tunnel, and then
    make a separate access-list
    where I accept only FTP traffic.

    But how do I do that?

    Shall I assign that access-list to outside interface or to inside
    interface?

    Please show me an example.

    Thanks

    Brian P.

    >>>>>>>>>



    group-policy VPN-Policy attributes
    vpn-filter value vpn_access_list


    Then create an acl named "vpn_access_list" in the case of this example.
    This doesn't work for webvpn connection as far as I know, but for
    standard IPSec tunnels it should work.
    Kevin Widner, Apr 26, 2006
    #3
  4. Lutz Donnerhacke

    Kevin Widner wrote:
    > If I choose to do it in the VPN access-lists, I got a warning.


    Of course. VPN "access-lists" are protocol identifiers, but not filters.

    > A person told me to accept all traffic through the VPN tunnel, and then
    > make a separate access-list where I accept only FTP traffic.


    Correct.

    > But how do I do that?


    access-group ...

    > Shall I assign that access-list to outside interface or to inside
    > interface?


    Assign the list to the appropriate interface.
    Lutz Donnerhacke, Apr 26, 2006
    #4
  5. Brian P.

    Brian P. Guest

    Thanks for all your help .... now I can filter properly :)


    B.R.

    Brian P.
    Brian P., May 1, 2006
    #5
  6. staticprop

    staticprop

    VPN Filter

    This information was very helpful to me as well.

    The commands I used to make a VPN ACL are below.

    group-policy DfltGrpPolicy attributes

    access-list my-restrictions extended permit ip any host 192.168.0.# log
    access-list my-restrictions extended permit ip any host 192.168.0.# log
    access-list my-restrictions extended permit ip any host 192.168.0.# log
    access-list my-restrictions extended permit tcp any host 192.168.0.# eq 3389 log
    access-list my-restrictions extended deny ip any any

    group-policy DfltGrpPolicy attributes
    vpn-filter value my-restrictions
    access-group my-restrictions in interface LAB

    Thank you.
    staticprop, Mar 9, 2011
    #6
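Pulling together Kevin Widner's vpn-filter approach (#3) and staticprop's ACL (#6), here is an added example that is not from the thread: it embeds a constructed FTP-only vpn-filter fragment and checks it the way a config reviewer would, confirming that the group policy actually references the ACL, that every permit is TCP to port 21 or 20, and that the list ends in an explicit deny. The group-policy name VPN-Policy, the ACL name vpn_access_list and the server address 10.0.0.25 are placeholders.

```python
import re

# Constructed ASA fragment for this example: an FTP-only vpn-filter bound to a group
# policy. VPN-Policy, vpn_access_list and 10.0.0.25 are placeholders, not thread values.
ASA_CONFIG = """\
access-list vpn_access_list extended permit tcp any host 10.0.0.25 eq ftp
access-list vpn_access_list extended permit tcp any host 10.0.0.25 eq ftp-data
access-list vpn_access_list extended deny ip any any log
group-policy VPN-Policy attributes
 vpn-filter value vpn_access_list
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # ASA keyword names for the FTP ports

def vpn_filter_name(config, policy):
    """Return the ACL bound with 'vpn-filter value' under the given group-policy, else None."""
    in_policy = False
    for line in config.splitlines():
        if line.startswith(f"group-policy {policy} attributes"):
            in_policy = True
        elif in_policy and line.startswith(" vpn-filter value "):
            return line.split()[-1]
        elif not line.startswith(" "):  # any unindented line ends the attributes block
            in_policy = False
    return None

def parse_aces(config, acl_name):
    """Return (action, protocol, tail) for each ACE of acl_name, in configured order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            aces.append((m.group(2), m.group(3), m.group(4)))
    return aces

def dest_port(tail):
    """Destination port of an ACE tail such as 'any host 10.0.0.25 eq ftp' (None without 'eq')."""
    m = re.search(r"\beq (\S+)$", tail)
    tok = m.group(1) if m else ""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def ftp_only(aces):
    """True if every permit is TCP to port 21 or 20 and the ACL ends in an explicit 'deny ip any any'."""
    permits_ok = all(proto == "tcp" and dest_port(tail) in (20, 21)
                     for action, proto, tail in aces[:-1] if action == "permit")
    ends_in_deny = bool(aces) and aces[-1][:2] == ("deny", "ip") and aces[-1][2].startswith("any any")
    return permits_ok and ends_in_deny
```

A vpn-filter ACL is evaluated with the remote VPN side as the source and the inside hosts as the destination, so the entries above are written in that direction. Passive-mode FTP data channels use dynamic ports and rely on the ASA's FTP inspection rather than on extra ports in this list.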