cisco vpn-filter ACL

We have a site-to-site VPN with China,
and we want to limit access to the resources on our side, which is object-group net-usa.
China's subnets are in the object-group net-china.


The config below half-way works.
But the only hosts working back to China are actually just the host I specified in the ACL
in the ICMP filter. What am I doing wrong? Do I have them backwards? Or am I missing another statement?
From China's inside interface I can ping successfully to the host 10.200.0.4,
but from the USA side I want to have access to their WHOLE object group. There are no ACLs on their side blocking us.

# Limit access from China (net-china) to port 80 on 10.200.0.4
# and limit access from China to DNS on 10.10.0.21 and 10.10.0.22
# via vpn-filter


# Do this on the local ASA to block stuff from China

access-list vpn-filter-china extended permit tcp host object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp host object-group net-china host 10.200.0.4
# Allow DNS servers
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.22 eq 53

# Block everything else
access-list vpn-filter-china extended deny ip any any

# Create the group policy - call it anything
group-policy new-china-filter internal
group-policy new-china-filter attributes
# Apply the ACL to the group policy
vpn-filter value vpn-filter-china

# Apply the group policy to the tunnel group you want it applied to
# (the value must be the group-policy name, not the ACL name)
tunnel-group x.x.x.x general-attributes
default-group-policy new-china-filter
spiz79 asked:

spiz79 (Author) commented:
The solution to this was:
I had to disable sysopt connection permit-vpn
so my ACLs on the interfaces would take effect.
 
Ernie Beek (Expert) commented:
permit tcp host object-group net-china
Shouldn't that be: permit tcp object-group net-china
So, without host in front of the object-group.
 
spiz79 (Author) commented:
Yes, it actually is, sorry.
This is a config "cheat sheet" I wrote before putting the config into place.

It actually is:
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80

etc.
 
Ernie Beek (Expert) commented:
Let's try this:

access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
 
spiz79 (Author) commented:
OK, I tried that and re-associated the VPN tunnel.
From this end I can't hit or do anything except ping devices on China's end,
but China can see us "wide open".
 
spiz79 (Author) commented:
%ASA-4-106103: access-list vpn-filter-china denied tcp inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 first hit [0x15753256, 0x8f7c860c]
 
spiz79 (Author) commented:
We just want our local object group to have full access to the China object group, but be able to filter what they see on our end. That seems to work fine, but when we try to ping or HTTP to one of their servers or resources we get denied as well, and there are no rules on their end blocking us.
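An added example, not from this thread and not Cisco code, that models why the syslog line above reports a deny. A Cisco ASA vpn-filter ACL is written from the remote peer's point of view (source = remote network) and is applied to both directions of the tunnel, so a connection the local side opens is matched with its addresses and ports swapped: the remote destination becomes the ACE source and the destination port becomes the ACE source port. The object-group membership used here (net-china as 10.10.81.0/24, net-usa as 10.10.0.0/20 plus 10.200.0.0/24) is an assumption, because the thread never lists it, and 10.10.81.254 from the log line is assumed to belong to net-china. The script parses the expert's revised ACL, evaluates the logged flow under those semantics, and shows the one extra ACE that would let the local side reach net-china on port 80 through a vpn-filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed membership for the two object-groups the thread names; the page
# never lists their members, so these prefixes are assumptions for the demo.
OBJECT_GROUPS = {
    "net-china": [ipaddress.ip_network("10.10.81.0/24")],
    "net-usa": [ipaddress.ip_network("10.10.0.0/20"),
                ipaddress.ip_network("10.200.0.0/24")],
}


@dataclass
class Ace:
    action: str              # "permit" | "deny"
    proto: str               # "ip" | "tcp" | "udp" | "icmp"
    src: str                 # "any" | "host A.B.C.D" | "object-group NAME" | "A.B.C.D MASK"
    src_port: Optional[int]  # from an "eq PORT" qualifier, else None
    dst: str
    dst_port: Optional[int]


def _take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (spec, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    # "host X", "object-group NAME" and "NETWORK MASK" are all two tokens
    return f"{tok} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier; return (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' line."""
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _take_addr(tokens, i + 2)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    return Ace(action, proto, src, src_port, dst, dst_port)


def addr_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "object-group":
        return any(ip in net for net in OBJECT_GROUPS[value])
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)


def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src_port is not None and ace.src_port != src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return addr_matches(ace.src, src_ip) and addr_matches(ace.dst, dst_ip)


def vpn_filter_verdict(acl, proto, src_ip, src_port, dst_ip, dst_port, initiated_locally):
    """First-match evaluation of a vpn-filter ACL.

    The ACL is written with the remote peer as source, and the ASA applies it
    to both directions of the tunnel, so a flow the local side initiates is
    checked with its endpoints swapped.  Unmatched traffic hits the implicit deny.
    """
    if initiated_locally:
        src_ip, src_port, dst_ip, dst_port = dst_ip, dst_port, src_ip, src_port
    for ace in acl:
        if ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
            return ace.action
    return "deny"


# The expert's revised ACL from the thread, verbatim.
THREAD_ACL = [parse_ace(line) for line in """
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any
""".strip().splitlines()]

# Same ACL with one ACE inserted ahead of the deny: from the remote's point of
# view, a locally opened HTTP session is "net-china source port 80 -> net-usa".
FIXED_ACL = THREAD_ACL[:4] + [parse_ace(
    "access-list vpn-filter-china extended permit tcp object-group net-china eq 80 object-group net-usa"
)] + THREAD_ACL[4:]


def log_flow_verdict(acl):
    """The flow from the thread's syslog line: inside/10.10.0.93(55951) -> outside/10.10.81.254(80)."""
    return vpn_filter_verdict(acl, "tcp", "10.10.0.93", 55951, "10.10.81.254", 80,
                              initiated_locally=True)


if __name__ == "__main__":
    print("logged flow, thread ACL :", log_flow_verdict(THREAD_ACL))
    print("logged flow, fixed ACL  :", log_flow_verdict(FIXED_ACL))
```

`log_flow_verdict(THREAD_ACL)` returns "deny", which is exactly what the %ASA-4-106103 message records, because the swapped packet (10.10.81.254:80 -> 10.10.0.93) falls through to the `deny ip object-group net-china any` line. The added ACE keys on the remote source port, which is the trade-off of filtering inside a vpn-filter: it also admits a remote host that opens a connection toward net-usa from source port 80. The route the author eventually took, turning off `sysopt connection permit-vpn` so that the interface ACLs inspect tunnel traffic, avoids that trade-off because interface ACLs are evaluated in the direction the packet actually travels.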
 
spiz79 (Author) commented:
Found the problem on my own.