
cisco vpn-filter ACL

Posted on 2011-10-06
Last Modified: 2012-05-12
We have a VPN site-to-site with China
and we're wanting to limit access to the resources on our side, which is object-group net-usa.
China's subnets are in the object-group net-china.


The below config halfway works.
But the only hosts working back to China are actually just the host I specified in the ACL
in the ICMP filter.. what am I doing wrong? Do I have them backwards? Or am I missing another statement?
From China's inside interface I can ping successfully to the host 10.200.0.4.
But from the USA side I want to have access to their WHOLE object group.. there are no ACLs on their side blocking us.

#Limit access from China (net-china) to port 80 on 10.200.0.4
# And limit access from china to DNS on 10.10.0.21 and 10.10.0.22
#via vpn-filter

#Do this on Local ASA to block stuff from china

access-list vpn-filter-china extended permit tcp host object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp host object-group net-china host 10.200.0.4
#Allow DNS servers
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp host object-group net-china host 10.10.0.22 eq 53

#Block everything else
access-list vpn-filter-china extended deny ip any any

#Create Group policy - call it anything
group-policy new-china-filter internal
group-policy new-china-filter attributes
#Apply the ACL to the Group Policy
vpn-filter value vpn-filter-china

#Apply the group policy to the tunnel group you want it applied to
tunnel-group x.x.x.x general-attributes
default-group-policy new-china-filter
Question by:spiz79

Expert Comment

by:Ernie Beek
ID: 36923799
permit tcp host object-group net-china
Shouldn't that be: permit tcp object-group net-china
So without host in front of the object-group.

Author Comment

by:spiz79
ID: 36923834
Yes, it actually is, sorry..
This is a config "cheat sheet" I wrote before putting the config into place.

It actually is
access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80

etc

Expert Comment

by:Ernie Beek
ID: 36923878
Let's try this:

access-list vpn-filter-china extended permit tcp object-group net-china host 10.200.0.4 eq 80
access-list vpn-filter-china extended permit icmp object-group net-china host 10.200.0.4
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.21 eq 53
access-list vpn-filter-china extended permit tcp object-group net-china host 10.10.0.22 eq 53
access-list vpn-filter-china extended deny ip object-group net-china any
access-list vpn-filter-china extended permit ip any any

Author Comment

by:spiz79
ID: 36925045
K, I tried that and re-associated the VPN tunnel.
From this end I can't hit / or do anything except ping devices on China's end..
But China can see us "wide open".

Author Comment

by:spiz79
ID: 36925062
%ASA-4-106103: access-list vpn-filter-china denied tcp inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 first hit [0x15753256, 0x8f7c860c]
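A small parser for the %ASA-4-106103 syslog line quoted above, added here as an example and not taken from the thread. It pulls the ACL name, direction and addresses out of the message and flags denies whose source is the LAN-side interface, which is exactly the symptom in this thread: a vpn-filter meant only to restrict the remote site is also blocking connections the local site opens. The interface names inside/outside are taken from the quoted log; the sample lines other than the quoted one are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the %ASA-4-106103 line quoted in the thread (fields after hit-cnt are ignored):
#   access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt N ...
ASA_106103 = re.compile(
    r"%ASA-\d-106103: access-list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hits: int

def parse_106103(line: str) -> Optional[AclHit]:
    """Parse one syslog line; return None for any other message ID or format."""
    m = ASA_106103.search(line)
    if not m:
        return None
    g = m.groupdict()
    return AclHit(g["acl"], g["action"], g["proto"], g["src_if"], g["src_ip"], int(g["src_port"]),
                  g["dst_if"], g["dst_ip"], int(g["dst_port"]), int(g["hits"]))

def locally_initiated_denies(lines: List[str], inside_if: str = "inside") -> List[AclHit]:
    """Denies whose source interface is the local LAN, i.e. connections this site opened
    toward the tunnel peer. For a filter meant only to restrict what the remote site may
    reach, any hit here is the symptom in the thread: the vpn-filter blocks the local side too."""
    return [h for h in map(parse_106103, lines)
            if h is not None and h.action == "denied" and h.src_if == inside_if]

# Constructed sample log: the first line is the one quoted in the thread, the rest are
# made up to show a remote-sourced deny (the filter doing its job) and an unrelated message.
SAMPLE_LOG = [
    "%ASA-4-106103: access-list vpn-filter-china denied tcp inside/10.10.0.93(55951) -> outside/10.10.81.254(80) hit-cnt 1 first hit [0x15753256, 0x8f7c860c]",
    "%ASA-4-106103: access-list vpn-filter-china denied tcp outside/10.10.81.20(40123) -> inside/10.200.0.4(443) hit-cnt 3 300-second interval [0x0, 0x0]",
    "%ASA-4-106103: access-list vpn-filter-china denied udp inside/10.10.0.21(53) -> outside/10.10.81.254(53) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:10.10.81.254/80 (10.10.81.254/80) to inside:10.10.0.93/55951 (10.10.0.93/55951)",
]
```

Running locally_initiated_denies over SAMPLE_LOG returns the two inside-sourced denies and skips the remote-sourced deny and the 302013 line.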

Author Comment

by:spiz79
ID: 36926430
We just want our local object group to have full access to the object-group china, but be able to filter what they see on our end. That seems to work fine, but when we try to ping or HTTP to one of their servers or resources we get denied as well.. and there are no rules on their end blocking us.

Accepted Solution

by:spiz79
ID: 37256237
The solution to this was:
I had to disable sysopt connection permit-vpn
so my ACLs on the interfaces would take effect.

Author Closing Comment

by:spiz79
ID: 37277683
Found the problem on my own.