Cisco vpn-filter ACL

We have a site-to-site VPN with China, and we want to limit access to the resources on our side, which are in the object-group net-usa.
China's subnets are in the object-group net-china.


The config below half-way works.
But the only hosts that work back to China are actually just the host I specified in the ACL
in the ICMP filter. What am I doing wrong? Do I have them backwards, or am I missing another statement?
From China's inside interface I can ping successfully to the host 10.200.0.4.
But from the USA side I want to have access to their WHOLE object group. There are no ACLs on their side blocking us.

#Limit access from China (net-china) to port 80 on 10.200.0.4,
#and limit access from China to DNS on 10.10.0.21 and 10.10.0.22,
#via vpn-filter

#Do this on the local ASA to block traffic from China

access-list vpn-filter-china extended permit tcp host object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp host object-group net-china host 10.200.0.4
#Allow DNS servers
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.22 eq 53

#Block everything else
access-list vpn-filter-china extended deny ip any any

#Create Group policy - call it anything
group-policy new-china-filter internal
group-policy new-china-filter attributes
#Apply the ACL to the Group Policy
vpn-filter value vpn-filter-china

#Apply the group policy to the tunnel group you want it applied to
#(the name must match the group-policy created above, not the ACL)
tunnel-group x.x.x.x general-attributes
default-group-policy new-china-filter
spiz79 asked:
Ernie Beek (Expert) commented:
permit tcp host object-group net-china
Shouldn't that be: permit tcp object-group net-china
So without "host" in front of the object-group.
spiz79 (Author) commented:
Yes, it actually is, sorry.
This is a config "cheat sheet" I wrote before putting the config into place.

It actually is
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80

etc
Ernie Beek (Expert) commented:
Let's try this:

access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
spiz79 (Author) commented:
OK, I tried that and re-associated the VPN tunnel.
From this end I can't hit or do anything except ping devices on China's end.
But China can see us "wide open".
spiz79 (Author) commented:
%ASA-4-106103: access-list vpn-filter-china denied tcp inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 first hit [0x15753256, 0x8f7c860c]
spiz79 (Author) commented:
We just want our local object group to have full access to the object-group china, but be able to filter what they see on our end. That seems to work fine, but when we try to ping or HTTP to one of their servers or resources we get denied as well, and there are no rules on their end blocking us.
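The symptom in the thread (only 10.200.0.4 can reach China, and the 106103 deny for 10.10.0.93 -> 10.10.81.254:80) follows from how the ASA applies a vpn-filter: the ACL is evaluated for both directions with the tunnel peer's address as the source and the local address as the destination, whichever side opened the connection. The following Python script is an added example, not code from the thread or from Cisco; it models that evaluation over the expert's posted ACL, parses the author's syslog line, and shows which ACE the logged flow hits. The object-group membership of net-china (10.10.81.0/24) and the interface name "inside" as the local side are constructed assumptions, since the thread never lists them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object-group membership: the thread never lists the members.
# 10.10.81.0/24 is assumed to be a China-side subnet because the denied flow
# in the syslog message is addressed to 10.10.81.254.
OBJECT_GROUPS = {"net-china": [ipaddress.ip_network("10.10.81.0/24")]}

# The ACL from the expert's reply, as posted (remote side written as source).
VPN_FILTER_CHINA = """
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
"""

# The deny message the author posted.
SAMPLE_LOG = ("%ASA-4-106103: access-list vpn-filter-china denied tcp "
              "inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 "
              "first hit [0x15753256, 0x8f7c860c]")


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp", "icmp"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]              # destination port from "eq N", if any


def _parse_addr(tokens: List[str]) -> List[ipaddress.IPv4Network]:
    """Consume one address spec: any | host A.B.C.D | object-group NAME."""
    kw = tokens.pop(0)
    if kw == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kw == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if kw == "object-group":
        return OBJECT_GROUPS[tokens.pop(0)]
    raise ValueError("unsupported address keyword: " + kw)


def parse_acl(text: str, name: str) -> List[Ace]:
    """Parse the 'access-list NAME extended ...' lines into ACEs, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        t = t[3:]
        action, proto = t.pop(0), t.pop(0)
        src, dst = _parse_addr(t), _parse_addr(t)
        dport = int(t[1]) if t[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def lookup(aces: List[Ace], proto: str, remote_ip: str, local_ip: str,
           local_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation as a vpn-filter applies it: the tunnel peer's
    address is always the ACL source and the local address the destination,
    whichever side opened the connection. Returns (action, ACE index)."""
    r, l = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if not any(r in n for n in ace.src) or not any(l in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != local_port:
            continue
        return ace.action, i
    return "deny", None               # implicit deny at the end of every ACL


SYSLOG_106103 = re.compile(
    r"%ASA-4-106103: access-list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")


def parse_106103(line: str) -> Optional[dict]:
    """Pull the flow out of a 106103 (vpn-filter deny) syslog message."""
    m = SYSLOG_106103.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "hits"):
        d[k] = int(d[k])
    return d


def explain_denial(line: str, aces: List[Ace], local_ifaces=("inside",)) -> Optional[dict]:
    """Re-run a logged flow through the ACL in remote-as-source orientation and
    report which ACE produced the deny. "inside" as the local side is assumed."""
    f = parse_106103(line)
    if f is None:
        return None
    if f["sif"] in local_ifaces:      # a local host opened the connection
        remote, local, lport = f["dip"], f["sip"], f["sport"]
    else:                             # the remote peer opened it
        remote, local, lport = f["sip"], f["dip"], f["dport"]
    action, idx = lookup(aces, f["proto"], remote, local, lport)
    return {"remote": remote, "local": local, "local_port": lport,
            "action": action, "ace": idx}


if __name__ == "__main__":
    acl = parse_acl(VPN_FILTER_CHINA, "vpn-filter-china")
    print(lookup(acl, "tcp", "10.10.81.10", "10.200.0.4", 80))   # inbound web: ACE 0
    print(explain_denial(SAMPLE_LOG, acl))                       # outbound web: ACE 4 deny
    print(lookup(acl, "icmp", "10.10.81.254", "10.200.0.4"))     # ping from 10.200.0.4: ACE 1
    print(lookup(acl, "icmp", "10.10.81.254", "10.10.0.93"))     # ping from other host: ACE 4 deny
```

Under these assumptions the model reproduces both observations: an outbound web request from 10.10.0.93 is evaluated as 10.10.81.254:80 -> 10.10.0.93 and falls through to the deny ACE, and a ping from 10.200.0.4 is the only USA-side ICMP the icmp ACE covers in that orientation. Permitting local-initiated traffic in a vpn-filter therefore means writing ACEs with the remote side as source and the local side as destination for that traffic too, or, as the author ultimately did, moving the filtering to interface ACLs.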
spiz79 (Author) commented:
The solution to this was:
I had to disable sysopt connection permit-vpn
so my ACLs on the interfaces would take effect.

spiz79 (Author) commented:
Found the problem on my own.