Cisco ASA VPN Lan2Lan Filtering

I have set up a Lan2Lan VPN between a Cisco ASA 5520 and a Linux box.
Everything works fine with the default configuration.
I want to filter specific IPs on the Linux LAN side from accessing specific IPs on the ASA LAN.

I have set up VPN filters on the ASA and they work fine, BUT I cannot access any PC on the Linux LAN side.
Whenever I try to connect to a box that is behind the Linux firewall I get this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Any solutions?
deal88 asked:
deal88 (Author) commented:
I found the solution about 5 hours ago and, thank God, your answer confirmed it.

Although I cannot understand how PFS is affecting all this...

Thanks for your reply.
netcrew commented:
Hi, I've got the same problem, but on my side it doesn't matter if I use PFS or not; I still get those errors on the inside interface.
TRS TRS commented:
Do you have PFS disabled on both interfaces?

Do you use ASAs or routers for the L2L VPN?
netcrew commented:
Hi, I use ASAs on both ends and have PFS disabled on both; otherwise I could establish a tunnel for a long time.
It's totally strange.

I want to limit incoming traffic from a remote tunnel; I do this via a group policy mapped to an ACL and to a tunnel group.

For example:

local: 192.168.1.0 255.255.255.0
remote: 192.168.2.0 255.255.255.0
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside in interface inside

access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
group-policy tunnelpol attributes
 vpn-filter value tunnel-data

tunnel-group tunnelgrp general-attributes
 default-group-policy tunnelpol

sysopt connection permit-vpn

No data flows; I get the error: Deny inbound tcp 80 src inside 192.168.1.1 to 192.168.2.1 on interface inside

If I add this: access-list tunnel-data permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0, all traffic flows in both directions, but I only want to allow from local to remote ALL and from remote to LOCAL only TCP 80.

Stateful: everything should flow (ACKs from remote), but SYNs only from the SOURCE.

I am going crazy....

TRS TRS commented:
Don't :P

When you apply a filter rule it works bidirectionally.

E.g. if you apply a filter rule that specifies that the remote LAN can see a server in your local LAN on port 80, then the server that exists in your local LAN is able to see the remote LAN ONLY on port 80.

So, this rule: access-list tunnel-data permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

tells the ASA to permit bidirectional traffic only on port 80 from both sides.

If you want to administer the remote LAN from your PC or a group of PCs in your local LAN then you have to create a rule like:

access-list tunnel-data permit ip 192.168.2.0 255.255.255.0 host 192.168.1.5

Make sure that the first network is always the remote net, in this case 192.168.2.0.

netcrew commented:
But I want my LAN to be able to see anything (eq ip) and the remote site to only !!! answer (ACK), and SYN on PORT 80, like:
LOCAL -> SYN IP ALL > REMOTE
REMOTE -> ACK ALL > LOCAL
REMOTE -> SYN ONLY TCP 80 -> LOCAL
Thanks
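Added example (my own Python model, not ASA code and not anything posted in this thread) of the bidirectional evaluation TRS describes: a vpn-filter ACL is written remote-first, decrypted traffic from the remote side is matched as written, and local-originated traffic is matched with source and destination swapped. It goes beyond the thread in showing the swapped-port ACE form that lets local-originated flows through, as Cisco documents for the vpn-filter; the networks are netcrew's, and the list of local-to-remote ports (80, 3389) is an assumption.

```python
import ipaddress

# Constructed model of how the ASA evaluates a vpn-filter ACL. ACEs are written
# remote network first, local network second, as the thread states. Each ACE is
# (protocol, src_net, src_port, dst_net, dst_port); None means "any".
REMOTE, LOCAL = "192.168.2.0/24", "192.168.1.0/24"
TUNNEL_DATA = [("tcp", REMOTE, None, LOCAL, 80)]  # netcrew's single ACE

def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def ace_matches(ace, proto, src, sport, dst, dport):
    a_proto, a_src, a_sport, a_dst, a_dport = ace
    return (a_proto in ("ip", proto)
            and _in_net(src, a_src) and _in_net(dst, a_dst)
            and a_sport in (None, sport) and a_dport in (None, dport))

def vpn_filter_permits(acl, proto, src, sport, dst, dport, from_remote):
    """Does the opening packet of a new flow pass the vpn-filter?
    Only that packet is checked; the ASA's connection table carries the
    replies. Decrypted traffic from the remote side is matched as written.
    Local-originated traffic is evaluated with source and destination
    (addresses and ports) swapped, which is why one remote->local ACL
    governs both directions. Implicit deny at the end, as on the ASA."""
    if not from_remote:
        src, sport, dst, dport = dst, dport, src, sport
    return any(ace_matches(a, proto, src, sport, dst, dport) for a in acl)

def asymmetric_filter(local_to_remote_ports):
    """Remote may open only TCP/80 to the local LAN; the local LAN may open
    the listed TCP ports to the remote LAN. Local-originated flows are
    matched swapped, so their destination port goes on the source side
    ('permit tcp REMOTE eq PORT LOCAL'). Caveat: that form keys on the port,
    not the direction, so a remote flow sent from that source port matches
    too; 'permit ip REMOTE LOCAL' cannot express the asymmetry at all, it
    opens both directions fully, which is what netcrew observed."""
    acl = [("tcp", REMOTE, None, LOCAL, 80)]
    acl += [("tcp", REMOTE, p, LOCAL, None) for p in local_to_remote_ports]
    return acl

def to_asa_lines(acl, name="tunnel-data"):
    """Render the ACEs in ASA access-list syntax (network/mask form)."""
    eq = lambda p: f" eq {p}" if p else ""
    out = []
    for proto, s, sp, d, dp in acl:
        sn, dn = ipaddress.ip_network(s), ipaddress.ip_network(d)
        out.append(f"access-list {name} permit {proto} {sn.network_address} "
                   f"{sn.netmask}{eq(sp)} {dn.network_address} {dn.netmask}{eq(dp)}")
    return out
```

Running netcrew's local 192.168.1.1 -> remote 192.168.2.1:80 flow through the model reproduces his deny: swapped, the packet needs destination port 80 on the local side, which a random client port never has.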