How do I filter VPN traffic?

Hi

We have an ASA5510 where I need to limit access through a VPN tunnel to accept only FTP traffic.

How do I do that?

If I choose to do it in the VPN access-lists, I got a warning.

A person told me to accept all traffic through the VPN tunnel, and then make a separate access-list where I accept only FTP traffic.

But how do I do that?

Shall I assign that access-list to outside interface or to inside interface?

Please show me an example.

Thanks

Brian P.


I can tell how a PIX525 with 6.3(4) works. It should work for the ASA too, as that behavior is the same between PIX 7.0.x and 6.3(4), and ASA and PIX share most of the rule set in most aspects.

Check whether "sysopt connection permit-ipsec" is disabled. Type "no sysopt connection permit-ipsec". If that option is enabled, the traffic coming from the IPsec tunnels is not matched against the ACL on the interface where the tunnels terminate, and so all the encrypted traffic passes through the interface unchecked. Then, if the VPNs terminate on the outside interface, it treats the traffic coming from the VPNs as if it came unprotected from the outside interface. Obviously you must merge the new rules with those already present in the access list applied to the outside interface.

HTH.

Alex.


group-policy VPN-Policy attributes
 vpn-filter value vpn_access_list

Then create an ACL named "vpn_access_list" (in the case of this example). This doesn't work for WebVPN connections as far as I know, but for standard IPsec tunnels it should work.

Kevin Widner
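To make the vpn-filter approach concrete, here is an added configuration example; it is not from any of the posters, and everything except the names VPN-Policy and vpn_access_list (the remote LAN 192.168.10.0/24, the local FTP server 10.0.0.5, the peer 203.0.113.1 and the ACL name outside_access_in) is an assumed placeholder. It assumes a site-to-site IPsec tunnel-group for that peer already exists on an ASA running 7.x, where the PIX 6.3 keyword permit-ipsec is spelled permit-vpn.

```cisco
! Added example, not from the thread. Addresses, peer IP and outside_access_in are placeholders.
! Remote (VPN) side: 192.168.10.0/24   Local FTP server: 10.0.0.5   Peer: 203.0.113.1
!
! A vpn-filter ACL is written with the remote/VPN side as the source and the
! local side as the destination; the ASA applies it to both directions of the
! tunnel, so one ACE covers the FTP control channel and its replies.
access-list vpn_access_list extended permit tcp 192.168.10.0 255.255.255.0 host 10.0.0.5 eq ftp
access-list vpn_access_list extended deny ip any any log
!
! FTP inspection (on by default in global_policy) opens the data channel
! dynamically, so no wide port range is needed in the filter.
policy-map global_policy
 class inspection_default
  inspect ftp
!
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
 vpn-filter value vpn_access_list
!
! Attach the policy to the existing site-to-site tunnel-group (type ipsec-l2l).
tunnel-group 203.0.113.1 general-attributes
 default-group-policy VPN-Policy
!
! Alternative, the approach Alex describes: stop decrypted tunnel traffic from
! bypassing the outside interface ACL, then add the FTP rule to that ACL.
! no sysopt connection permit-vpn
! access-list outside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 10.0.0.5 eq ftp
! access-group outside_access_in in interface outside
```

With the vpn-filter in place, a "show access-list vpn_access_list" hit count on the deny line is the quickest way to see tunnel traffic that is being dropped.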

Of course. VPN "access-lists" are protocol identifiers, but not filters.

Correct.

access-group ...

Assign the list to the appropriate interface.

Lutz Donnerhacke

Thanks for all your help .... now I can filter properly :-)

B.R.

Brian P.
