Cisco ASA Site-to-Site VPN filtering Web Traffic

Asked by KJWeeks:

We have a Site-to-Site VPN set up with one of our clients. We both need access to an internal website on each other's network. I am trying to set up a filter to only allow port 80 both ways. When I apply a filter only allowing port 80, I also have to open up a range of TCP ports. Why, and how do I get around opening up a range of TCP ports?
GuruChiu:

I don't quite understand why "When I apply a filter only allowing port 80, I also have to open up a range of TCP ports". Do you mean you need to open that range before things start working? What range are you referring to?
ASKER CERTIFIED SOLUTION by Les Moore
KJWeeks (asker):

IRmoore,
I did try that and all traffic coming back is blocked. I do see the request going to the web server, but it's blocked coming back on a TCP port.

HQ

Web Server 192.168.2.2
Users      192.168.30.X

Remote site
Web Server 10.10.10.55
Users    10.10.15.X

Current tunnel
Allow only 192.168.2.2/32 and 192.168.30.0/24 to 10.10.0.0/16

ACLs I'm trying to build:
Allow 192.168.30.0 255.255.255.0 to 10.10.10.55 www
Allow 10.10.15.0 255.255.255.0 to 192.168.2.2 www
Deny all other traffic


The problem is that this allows the traffic to go over, but it blocks the connection coming back from the web server. The only solution I have found is to open a range of TCP ports coming back from the web server address.
Try this:
It matters where you place the "eq www"
The first one allows all users from any source port to the web server port 80 only
The next one allows the web server source port 80 only to any port on the 10.10.10.0 net
access-list inside_out permit tcp 192.168.30.0 255.255.255.0 host 10.10.10.55 eq www
access-list inside_out deny ip 192.168.30.0 255.255.255.0 host 10.10.10.55
access-list inside_out permit tcp host 192.168.2.2 eq www 10.10.10.0 255.255.255.0
access-list inside_out deny ip host 192.168.2.2 10.10.10.0 255.255.255.0
access-list inside_out permit ip any any
access-group inside_out in interface inside
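An added example, not part of the thread or of any participant's answer: the same HTTP-only restriction expressed as an ASA vpn-filter instead of an interface ACL. Two ASA behaviours matter here. With the default sysopt connection permit-vpn, decrypted tunnel traffic bypasses interface ACLs, so an ACL applied inbound on the inside interface only ever sees HQ-initiated connections, while a vpn-filter is checked for both directions of the tunnel. A vpn-filter ACL is also written from the remote peer's point of view (remote network as source, local network as destination); for traffic entering the tunnel the ASA matches it with source and destination swapped, and only the first packet of a TCP connection is checked, so return traffic needs no entry. For an HQ-initiated session that swap puts the user's ephemeral port in the destination position, so a rule whose only port test is eq www on the destination can only be satisfied by opening the ephemeral range, which fits the symptom in the question and the answer's point that the position of eq www matters. The ACL name VPN-HTTP-ONLY, the group-policy name SITE2SITE-HTTP and the peer address 203.0.113.10 are placeholders.

```cisco
! Added example, not from the thread. Placeholders: VPN-HTTP-ONLY,
! SITE2SITE-HTTP and the peer address 203.0.113.10.
!
! vpn-filter ACEs are written with the remote peer as source and the local
! (HQ) side as destination. The ASA applies them as written to traffic
! arriving from the tunnel and with source/destination swapped to traffic
! entering it; only the first packet of each TCP connection is checked.

! Remote users (10.10.15.0/24) may open HTTP to the HQ web server 192.168.2.2.
access-list VPN-HTTP-ONLY extended permit tcp 10.10.15.0 255.255.255.0 host 192.168.2.2 eq www

! HQ users (192.168.30.0/24) may open HTTP to the remote web server 10.10.10.55.
! Their SYN enters the tunnel, so it is matched swapped: the remote server's
! port 80 sits in the source position and the user's ephemeral port in the
! destination position. That is why "eq www" goes on the source side here.
access-list VPN-HTTP-ONLY extended permit tcp host 10.10.10.55 eq www 192.168.30.0 255.255.255.0

! Everything else through the tunnel is dropped; the explicit deny adds logging.
access-list VPN-HTTP-ONLY extended deny ip any any log

! Attach the filter to the group-policy used by the site-to-site tunnel-group.
group-policy SITE2SITE-HTTP internal
group-policy SITE2SITE-HTTP attributes
 vpn-filter value VPN-HTTP-ONLY

tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE2SITE-HTTP

! The crypto map's interesting-traffic ACL still decides what enters the
! tunnel (the existing 192.168.2.2/32 and 192.168.30.0/24 to 10.10.0.0/16
! definition); the vpn-filter only narrows what is allowed inside it.
```

After applying it, clear existing tunnel connections (clear conn) so the new filter is evaluated for fresh connections, and check hits with show access-list VPN-HTTP-ONLY.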

 
KJWeeks (asker):
This got me going in the correct direction and I was able to lock down the tunnel.