  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 615

Cisco ASA VPN Lan2Lan Filtering

I have set up a LAN-to-LAN VPN between a Cisco ASA 5520 and a Linux box.
Everything works fine with the default configuration.
I want to filter specific IPs on the Linux LAN side from accessing specific IPs on the ASA LAN.

I have set up VPN filters on the ASA and they work fine, BUT I cannot access any PC on the Linux LAN side.
Whenever I try to connect to a box that is behind the Linux firewall I get this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Any solutions?

Asked: deal88

deal88 (Author) Commented:
I found the solution about 5 hours ago and, thank god, your answer confirmed it for me.

Although I cannot understand how PFS is affecting all this...

Thanks for your reply.
netcrew Commented:
Hi, I've got the same problem, but on my side it doesn't matter whether I use PFS or not; I still get those errors on the inside interface.
TRS TRS Commented:
Do you have PFS disabled on both interfaces?

Do you use ASAs or routers for the L2L VPN?
netcrew Commented:
Hi, I use ASAs on both sides and disabled PFS on both; otherwise I could establish a tunnel for a long time.
It's totally strange.

I want to limit incoming traffic from a remote tunnel; I do this via a group policy mapped to an ACL and to a tunnel group.

For example:

local: 192.168.1.0 255.255.255.0
remote: 192.168.2.0 255.255.255.0
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside in interface inside

access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
group-policy tunnelpol attributes
 vpn-filter value tunnel-data

tunnel-group tunnelgrp general-attributes
 default-group-policy tunnelpol

sysopt connection permit-vpn

No data flows; I get the error: Deny inbound tcp 80 src inside 192.168.1.1 to 192.168.2.1 on interface inside

If I add this: access-list tunnel-data permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, all traffic flows in both directions, but I only want to allow ALL from local to remote and only TCP 80 from remote to LOCAL.

Statefully, everything should flow (ACKs from remote), but SYNs only from the SOURCE.

I am going crazy....
TRS TRS Commented:
Don't :P

When you apply a filter rule it works bidirectionally.

E.g. if you apply a filter rule that specifies that the remote LAN can see a server in your local LAN on port 80, then the server in your local LAN is able to see the remote LAN ONLY on port 80.

So, this rule: access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

tells the ASA to permit bidirectional traffic only on port 80 from both sides.

If you want to administer the remote LAN from your PC or a group of PCs in your local LAN, then you have to create a rule like:

access-list tunnel-data permit ip 192.168.2.0 255.255.255.0 host 192.168.1.5

Make sure that the first network is always the remote net, in this case 192.168.2.0.

I
netcrew Commented:
But I want my LAN to be able to see anything (eq ip) and the remote site to only !!! answer (ACK), and SYN on PORT 80, like:
LOCAL -> SYN IP ALL > REMOTE
REMOTE -> ACK ALL > LOCAL
REMOTE -> SYN ONLY TCP 80 -> LOCAL
Thx
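The two filtering approaches side by side, as an added illustration that is not configuration posted by anyone in this thread. The vpn-filter ACL is written with the remote network as source and is evaluated for both directions (for the local-to-remote direction the ASA matches the ACE's port against the packet's source port), so it cannot express "remote may only initiate TCP/80". An inbound ACL on the outside interface, once sysopt connection permit-vpn is disabled, is checked only against the packet that opens a connection, and replies are handled by the stateful connection table. Networks and names (tunnel-data, tunnelpol, tunnelgrp) follow netcrew's example; the interface name outside, the ACL name outside_access_in and the host 192.168.1.5 are assumed.

```cisco
! --- Approach 1: vpn-filter (what the thread uses). The SOURCE is always the
! remote network. The same ACE is applied to local->remote traffic with
! src/dst swapped, so "eq 80" also matches local->remote packets whose
! SOURCE port is 80. There is no "remote may only initiate" semantics here.
access-list tunnel-data extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
! Management from one local host: remote net still comes first (192.168.1.5 is assumed).
access-list tunnel-data extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.5
group-policy tunnelpol attributes
 vpn-filter value tunnel-data
tunnel-group tunnelgrp general-attributes
 default-group-policy tunnelpol

! --- Approach 2: interface ACL on decrypted traffic (interface name "outside"
! is assumed). Without permit-vpn, decrypted packets from the peer are
! checked against the outside interface's inbound ACL on the initiating
! packet only. Connections opened from the local side (permitted by the
! existing inside ACL) get their return traffic via the connection table,
! so remote->local initiation is limited to TCP/80 while local->remote is open.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
! Log anything else the peer tries to initiate; useful for spotting a misbehaving remote host.
access-list outside_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-group outside_access_in in interface outside
```

Note that with no sysopt connection permit-vpn the outside ACL governs every VPN peer terminating on that interface, so existing permit entries for other tunnels or remote-access users must be carried into outside_access_in; a vpn-filter that remains configured is still applied in addition to the interface ACL.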