?
Solved

vpn traffic filtering on site to site VPNs

Posted on 2012-03-17
4
Medium Priority
?
583 Views
Last Modified: 2012-08-13
Hi I have a site to site VPN on an ASA device running OS 8.4
my side of the network is on 192.168.1.0 / 24
the other side of the VPN is 10.0.0.0 / 24
I need to set up a rule so that while I can access all hosts on 10.0.0.0 / 24
none of the hosts on 192.168.1.0 / 24 should be able to access our side of the tunnel.

Is this possible?
0
Comment
Question by:eggster34
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732400
I think that should be possible. If you have something like sysopt permit-vpn in your config, remove that. After that you need to allow vpn traffic through an ACE on the outside interface just like any other traffic from the outside.
So if you don't add a rule I think it would work like any other traffic through the ASA. From the inside to the outside and return traffic should work.
0
 

Author Comment

by:eggster34
ID: 37735511
that does not work at all.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37735663
Ok,

Could you tell what you did? And could you have a look at the logging to see if anything shows there?
0
 
LVL 6

Accepted Solution

by:
alienXeno earned 2000 total points
ID: 37736588
check vpn filters for ASA at
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

 The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.
Exercise caution when you construct the ACLs for use with the vpn-filter feature. The ACLs are constructed with the post-decrypted traffic (inbound VPN traffic) in mind. However, they are also applied to the traffic originated in the opposite direction.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question