Solved

ACL to filter ipsec traffic

Posted on 2014-04-26
3
1,316 Views
Last Modified: 2014-06-27
We have a branch office connected to our main site with an IPSEC tunnel.

Inside said office is a printer that someone at the main site won't stop printing too by accident.

How can we setup an ACL to block all traffic to the specific IP of the printer and so we can SYSLOG who is doing it?
0
Comment
Question by:PerimeterIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40024723
you can block IP you want when you define the intersting traffic that pass between the two routers e.g:

if that your normal ACL to go from Site B (10.10.10.0/24) to your HQ site (20.20.20.0/24)

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

so let's say that your Printer IP in  HQ Site is 20.20.20.5 and you want to deny it from ip 10.10.10.5 you simply modify it to be:

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# deny ip host 10.10.10.5 host 20.20.20.5 log
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 40025022
^^ These appear to be IOS Router commands?

On you ASA Locate the ACL that's mentioned in the cryptomap like so

Petes-ASA(config)# show run crypto map
crypto map outside_map 19 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 19 set pfs
crypto map outside_map 19 set peer 123.123.123.123
crypto map outside_map 19 set transform-set ESP-3DES-SHA

Then look to see what that's doing

Petes-ASA(config)# show run access-list VPN-INTERESTING-TRAFFIC
MainSite(config)# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite

Pop your IP AT THE TOP i.e. if your printer is 192.168.1.100

Petes-ASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 deny ip host 192.168.1.100 192.168.2.0 255.255.255.0
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 40025847
If I may add to the comment of my esteemed fellow expert Pete:

If, in your ASA, there is the following in place: no sysopt connection permit-vpn you need to use ACL's to allow traffic through the VPN.
In that case I think it would be neater to use those ACL's to block the traffic. As a matter of fact you can use an ACL on the inside interface of the ASA to block this anyway.
I even think it then has less impact because it's dropped earlier and not processed any further (Pete?)
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Changing VLAN information 3 46
Password recovery 2960S 4 51
Recovering ASA 5505 vpn config from flash card? 7 50
Objects in Cisco ASA 2 45
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question