spiz79
asked on
cisco vpn-filter ACL
We have a site-to-site VPN with China, and we're wanting to limit access to the resources on our side, which is object-group net-usa. China's subnets are in the object-group net-china.
The below config halfway works, but the only hosts working back to China are actually just the host I specified in the ACL in the ICMP filter. What am I doing wrong? Do I have them backwards, or am I missing another statement?
From China's inside interface I can ping successfully to the host 10.200.0.4, but from the USA side I want to have access to their WHOLE object group. There are no ACLs on their side blocking us.
#Limit access from China (net-china) to port 80 on 10.200.0.4
# And limit access from china to DNS on 10.10.0.21 and 10.10.0.22
#via vpn-filter
#Do this on Local ASA to block stuff from china
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp host object-group net-china host 10.200.0.4
#Allow DNS servers
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.22 eq 53
#Block everything else
access-list vpn-filter-china extended deny ip any any
#Create Group policy - call it anything
group-policy new-china-filter internal
group-policy new-china-filter attributes
#Apply the ACL to the Group Policy
vpn-filter value vpn-filter-china
#Apply the group policy to the tunnel group you want it applied to
#(the name here must be the group-policy name, not the ACL name)
tunnel-group x.x.x.x general-attributes
default-group-policy new-china-filter
ASKER
Yes it actually is, sorry.
This is a config "cheat sheet" I wrote before putting the config into place. It actually is:
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
etc.
Let's try this:
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
ASKER
OK, I tried that and re-associated the VPN tunnel.
From this end I can't hit or do anything except ping devices on China's end, but China can see us "wide open".
ASKER
%ASA-4-106103: access-list vpn-filter-china denied tcp inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 first hit [0x15753256, 0x8f7c860c]
ASKER
We just want our local object group to have full access to the object-group china, but be able to filter what they see on our end. That seems to work fine, but when we try to ping or HTTP to one of their servers or resources we get denied as well, and there are no rules on their end blocking us.
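The behaviour reported above (China-initiated connections filtered as intended, USA-initiated ones denied by the same ACL) follows from how a vpn-filter ACL is evaluated. As I understand Cisco's vpn-filter documentation, the ACL is always written with the remote side as the source and the local side as the destination, and the ASA applies it to connections in both directions: a connection the local network opens is checked with source and destination swapped, so a locally initiated HTTP connection to a remote server only matches an ACE whose source side carries `eq 80`. The following is an added example, not code from the thread: a small evaluator that models that rule, parses ASA-style ACL lines, and replays the denied flow from the syslog line above against the thread's ACL and against a variant that adds a remote-side `eq 80` ACE. The object-group membership and the "local vs remote" evaluation model are assumptions made for the demo; only numeric `eq` ports are parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object-group membership for the demo (the thread never lists the real members).
GROUPS = {
    "net-china": [ipaddress.ip_network("10.10.81.0/24")],
    "net-usa": [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.200.0.0/24")],
}

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: str               # "any", "host:IP", "net:CIDR" or "group:NAME"
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]

def _parse_addr(tokens, i):
    """Consume one address spec (plus optional 'eq PORT') at tokens[i]."""
    t = tokens[i]
    if t == "any":
        spec, i = "any", i + 1
    elif t == "host":
        spec, i = "host:" + tokens[i + 1], i + 2
    elif t == "object-group":
        spec, i = "group:" + tokens[i + 1], i + 2
    else:  # "A.B.C.D MASK" form
        net = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)
        spec, i = "net:" + str(net), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":  # numeric ports only in this demo
        port, i = int(tokens[i + 1]), i + 2
    return spec, port, i

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, sport, i = _parse_addr(tok, 5)
        dst, dport, _ = _parse_addr(tok, i)
        aces.append(Ace(tok[3], tok[4], src, sport, dst, dport))
    return aces

def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    kind, _, val = spec.partition(":")
    if kind == "any":
        return True
    if kind == "host":
        return ip == ipaddress.ip_address(val)
    if kind == "net":
        return ip in ipaddress.ip_network(val)
    return any(ip in net for net in GROUPS[val])  # kind == "group"

def evaluate(aces, proto, src, dst, src_port=None, dst_port=None, initiated_by="remote"):
    """First-match evaluation with implicit deny. initiated_by is 'remote' for a
    connection arriving out of the tunnel, 'local' for one the inside network opens."""
    if initiated_by == "local":
        # Assumed vpn-filter model: a locally initiated connection is checked with
        # the tuple swapped, so the ACE source side is compared to the remote end.
        src, dst, src_port, dst_port = dst, src, dst_port, src_port
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_match(ace.src, src) and ace.src_port in (None, src_port)
                and _addr_match(ace.dst, dst) and ace.dst_port in (None, dst_port)):
            return ace.action
    return "deny"

# The ACL proposed in the thread.
THREAD_ACL = """
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
"""

# Variant for the demo: the remote-side 'eq 80' ACE covers USA-initiated HTTP to China.
# ICMP has no port to key on, so the icmp ACE necessarily opens ping in both directions.
PORT_ON_SOURCE_ACL = """
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china eq 80 object-group net-usa
access-list vpn-filter-china extended permit icmp object-group net-china object-group net-usa
access-list vpn-filter-china extended deny ip any any
"""

def logged_flow_result(acl_text):
    """Replay the flow from the thread's syslog line: 10.10.0.93(55951) -> 10.10.81.254(80)."""
    return evaluate(parse_acl(acl_text), "tcp", "10.10.0.93", "10.10.81.254",
                    src_port=55951, dst_port=80, initiated_by="local")

if __name__ == "__main__":
    print("thread ACL:", logged_flow_result(THREAD_ACL))           # deny
    print("port-on-source ACL:", logged_flow_result(PORT_ON_SOURCE_ACL))  # permit
```

Replaying the logged flow against the thread's ACL reproduces the `%ASA-4-106103` deny: after the swap, the remote address is the source and the `deny ip object-group net-china any` ACE matches before the trailing `permit ip any any` is ever reached. The variant permits it while still denying China-initiated SSH to the same host. The caveat that makes this a model rather than a firewall: because the check keys on the remote port, a remote host that sends from source port 80 would also match that ACE, which is why a vpn-filter cannot fully express "unrestricted from us, restricted from them".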
ASKER CERTIFIED SOLUTION
ASKER
Found the problem on my own.
Shouldn't that be: permit tcp object-group net-china
So, without host in front of the object-group.