Cisco ASA Site-to-Site VPN filtering Web Traffic

Posted on 2009-12-24
Medium Priority
Last Modified: 2012-08-13
We have a Site-to-Site VPN set up with one of our clients. We both need access to an internal website on each other's network. I am trying to set up a filter to only allow port 80 both ways. When I apply a filter only allowing port 80, I also have to open up a range of TCP ports. Why, and how do I get around opening up a range of TCP ports?
Question by:KJWeeks
LVL 13

Expert Comment

ID: 26119809
I don't quite understand why "When I apply a filter only allowing port 80, I also have to open up a range of TCP ports". Do you mean you need to open that range before things start working? What range do you refer to?
LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 26121428
The VPN tunnel requires "ip" and must include both source and destination ports. While the destination is always port 80, the source is always ephemeral (random).
I suggest that you use an acl applied to the inside interface to allow all hosts to access their web site and your web server to respond to them.

access-list inside_out permit tcp <local lan> <mask> host a.b.c.d eq 80
access-list inside_out permit tcp host <local web host> eq 80 <remote lan> <mask>
access-list inside_out deny ip <local lan> <mask> <remote lan> <mask>
access-list inside_out permit ip any any

Author Comment

ID: 26131165
I did try that and all traffic coming back is blocked. I do see the request going to the web server but it's blocked coming back on a TCP port.


Web Server
Users      192.168.30.X

Remote site
Web Server
Users    10.10.15.X

Current tunnel
Allow only And  to\16

ACLs I'm trying to build.
Allow to www
Allow to www
Deny all other traffic

The problem is that this allows the traffic to go over, but it blocks the connection coming back from the web server. The only solution I have found is to open a range of TCP ports coming back from the web server address.
LVL 79

Expert Comment

ID: 26131535
Try this:
It matters where you place the "eq www"
The first one allows all users from any source port to the web server port 80 only
The next one allows the web server source port 80 only to any port on the net
access-list inside_out permit tcp eq www
access-list inside_out deny ip
access-list inside_out permit tcp host eq www
access-list inside_out deny ip host
access-list inside_out permit ip any any
access-group inside_out in interface inside
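
The following is an added worked example, not code from the thread or from either participant. It models ordered, first-match evaluation of ASA-style extended ACLs so that the two points made in the accepted solution and in the follow-up above can be checked: that "eq 80" in the destination position matches the client request (any ephemeral source port), that "eq www" in the source position is what lets the web server's packets through, and that misplacing "eq www" makes a request fall through to the deny line. The LAN ranges 192.168.30.0/24 and 10.10.15.0/24 come from the thread; the web-server host addresses (192.168.30.10, 10.10.15.10), the ephemeral ports and the Internet address are constructed placeholders. Note that a real ASA is stateful for TCP: a packet belonging to an already-permitted connection is matched by the connection table before any interface ACL is consulted, so this evaluator shows only what the ACL itself permits or denies, packet by packet.

```python
"""Toy first-match evaluator for Cisco ASA-style extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: the /24s are from the thread, the hosts are placeholders.
LOCAL_LAN = "192.168.30.0/24"
REMOTE_LAN = "10.10.15.0/24"
LOCAL_WEB = "192.168.30.10/32"    # placeholder for <local web host>
REMOTE_WEB = "10.10.15.10/32"     # placeholder for a.b.c.d (remote web server)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # source IPv4 address
    sport: int   # source port
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    """One 'access-list NAME permit|deny PROTO SRC [eq SPORT] DST [eq DPORT]' line."""
    action: str
    proto: str                 # "ip" matches every protocol, like the ASA keyword
    src_net: str               # CIDR; ANY stands for the "any" keyword
    src_port: Optional[int]    # None = no "eq" after the source (any source port)
    dst_net: str
    dst_port: Optional[int]    # None = no "eq" after the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_port is not None and pkt.sport != self.src_port:
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching line wins; an ASA ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def correct_acl() -> List[Rule]:
    """The accepted solution, with 'eq 80' placed as lrmoore describes."""
    return [
        # permit tcp <local lan> <mask> host a.b.c.d eq 80   (dest port 80, any src port)
        Rule("permit", "tcp", LOCAL_LAN, None, REMOTE_WEB, 80),
        # permit tcp host <local web host> eq 80 <remote lan> <mask>   (src port 80)
        Rule("permit", "tcp", LOCAL_WEB, 80, REMOTE_LAN, None),
        # deny ip <local lan> <mask> <remote lan> <mask>
        Rule("deny", "ip", LOCAL_LAN, None, REMOTE_LAN, None),
        # permit ip any any
        Rule("permit", "ip", ANY, None, ANY, None),
    ]


def misplaced_acl() -> List[Rule]:
    """Same ACL, but the first line puts 'eq 80' after the source instead."""
    acl = correct_acl()
    acl[0] = Rule("permit", "tcp", LOCAL_LAN, 80, REMOTE_WEB, None)
    return acl


# Constructed sample packets as seen entering the inside interface.
USER_REQUEST = Packet("tcp", "192.168.30.50", 51000, "10.10.15.10", 80)
LOCAL_WEB_REPLY = Packet("tcp", "192.168.30.10", 80, "10.10.15.77", 52000)
SSH_ATTEMPT = Packet("tcp", "192.168.30.50", 51001, "10.10.15.10", 22)
INTERNET_HTTPS = Packet("tcp", "192.168.30.50", 51002, "203.0.113.5", 443)


def demo() -> dict:
    """Evaluate the sample packets against both ACL variants."""
    good, bad = correct_acl(), misplaced_acl()
    return {
        "user_request": evaluate(good, USER_REQUEST),          # permit (line 1)
        "local_web_reply": evaluate(good, LOCAL_WEB_REPLY),    # permit (line 2)
        "ssh_attempt": evaluate(good, SSH_ATTEMPT),            # deny   (line 3)
        "internet_https": evaluate(good, INTERNET_HTTPS),      # permit (line 4)
        "user_request_misplaced": evaluate(bad, USER_REQUEST), # deny: falls to line 3
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Running the block shows that the only difference between the two variants is which side of the address the port qualifier sits on: with "eq 80" after the destination, a request from any ephemeral port is permitted; with it after the source, the same request matches nothing before the deny line, which is exactly the symptom of having to "open a range of TCP ports" to compensate.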


Author Closing Comment

ID: 31669782
This got me going in the correct direction and I was able to lock down the tunnel.
