Solved

vpn traffic filtering on site to site VPNs

Posted on 2012-03-17
4
573 Views
Last Modified: 2012-08-13
Hi I have a site to site VPN on an ASA device running OS 8.4
my side of the network is on 192.168.1.0 / 24
the other side of the VPN is 10.0.0.0 / 24
I need to set up a rule so that while I can access all hosts on 10.0.0.0 / 24
none of the hosts on 192.168.1.0 / 24 should be able to access our side of the tunnel.

Is this possible?
0
Comment
Question by:eggster34
  • 2
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732400
I think that should be possible. If you have something like sysopt permit-vpn in your config, remove that. After that you need to allow vpn traffic through an ACE on the outside interface just like any other traffic from the outside.
So if you don't add a rule I think it would work like any other traffic through the ASA. From the inside to the outside and return traffic should work.
0
 

Author Comment

by:eggster34
ID: 37735511
that does not work at all.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37735663
Ok,

Could you tell what you did? And could you have a look at the logging to see if anything shows there?
0
 
LVL 6

Accepted Solution

by:
alienXeno earned 500 total points
ID: 37736588
check vpn filters for ASA at
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

 The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.
Exercise caution when you construct the ACLs for use with the vpn-filter feature. The ACLs are constructed with the post-decrypted traffic (inbound VPN traffic) in mind. However, they are also applied to the traffic originated in the opposite direction.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now