
ACLs and Site to Site VPNs 1

Status
Not open for further replies.

BrotherJones

Technical User
Jun 3, 2006
47
US
just curious, but do you need a mirror image of acl (that permits ip traffic to the local network) on each pix. I have a site to site tunnel between two pixes.
On my side I have a group of developers that need to have rdp access to servers on another company's network. The other company doesn't require access to my network.

on the remote pix (giving us access to that network) -
access-list permit ip 10.9.3.0 255.255.255.0 172.17.5.0 255.255.255.0

do I need to add this to my pix on this end?
access-list permit ip 172.17.5.0 255.255.255.0 10.9.3.0 255.255.255.0

is the second acl necessary if all I want is access from 10.9.3 to 172.17.5?
(my thought is yes, as I believe I need to allow return traffic from 172.17.5.x back to 10.9.3.x, i.e. RDP traffic etc.)
 
The ACLs need to be mirrors - otherwise how would you get return traffic? Also the ACL tells the pix that whenever it receives traffic that matches that ACL, it should be encrypted. If it is not, it drops it.

You can limit your ACL to just specific IP's on your side to limit their access to you though.
They do
access-list permit ip 10.9.3.0 255.255.255.0 172.17.5.0 255.255.255.0
You do
access-list permit ip 172.17.5.42 255.255.255.255 10.9.3.0 255.255.255.0
So now only 172.17.5.42 can be reached by their side.

Hope this helps.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent, thanks for the quick response.
Just to clarify - traffic that is coming back as part of a session (initiated on my end) still needs to be explicitly allowed by an ACL?

So let's say most of my developers (located on the 10.9.3 network) are accessing servers (on the remote network) in the range of 172.17.5.1 - 172.17.1.25 via the rdp protocol.
this is via a site to site vpn

Now the remote pix has the acl from above -
access-list permit ip 10.9.3.0 255.255.255.0 172.17.5.0 255.255.255.0

Now let's say I configure my local pix with the limited access -
access-list permit ip 172.17.5.42 255.255.255.255 10.9.3.0 255.255.255.0

So does this mean that those return packets for the rdp sessions (showing screen updates) from the servers 172.17.5.1 through .25 will be dropped at my pix?
(because only packets from 172.17.5.42 are allowed)?
(even though those return packets are in response to a session initiated on the developer's side)

I didn't know if perhaps the ASA would allow packets coming back as part of a user-initiated session (from the inside interface) without having to explicitly allow it with an ACL.
 
Q1 - Yes. Don't think of the interesting traffic ACL as allowing the traffic, but rather telling the pix that that specific traffic should be protected traffic and that it needs to unencrypt it.

Q2 - Yes again. The ACL tells the pix that traffic from remote to 172.17.5.42 should be encrypted and unencrypts it accordingly. Now if the pix gets traffic back from the remote but destined to any other IP other than the one in the ACL, it does not get unencrypted and gets dropped.

If you think about it in terms of Q1, it is easier to wrap your head around.


Brent
Systems Engineer / Consultant
CCNP, CCSP
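To make the mirroring rule from this thread concrete, here is a small simulator (added example, not code from the thread or from Cisco) that walks an RDP request and its reply through both PIXes. It assumes the usual crypto-ACL orientation, where each PIX lists the network behind itself as the source, and uses placeholder ACL names and a constructed client address.

```python
import ipaddress


def parse_acl(lines):
    """Parse PIX-style 'access-list NAME permit ip SRC MASK DST MASK' lines into (src, dst) networks."""
    acl = []
    for line in lines:
        p = line.split()
        i = p.index("permit")
        if p[i + 1] != "ip":
            raise ValueError(f"only 'permit ip' crypto ACEs are modelled: {line}")
        src = ipaddress.ip_network(f"{p[i + 2]}/{p[i + 3]}")  # dotted netmask form
        dst = ipaddress.ip_network(f"{p[i + 4]}/{p[i + 5]}")
        acl.append((src, dst))
    return acl


def tunnels(acl, src_ip, dst_ip, inbound):
    """Outbound: a packet is encrypted if (src, dst) matches an ACE.
    Inbound from the peer: it is decrypted only if the ACE matches read in reverse
    (packet dst in ACE src, packet src in ACE dst); anything else is dropped."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if inbound:
        s, d = d, s
    return any(s in src and d in dst for src, dst in acl)


def rdp_session(local_acl, remote_acl, client, server):
    """Walk one client->server packet and its reply through both PIXes; report the first hop with no match."""
    hops = [
        ("local pix: encrypt request", local_acl, client, server, False),
        ("remote pix: decrypt request", remote_acl, client, server, True),
        ("remote pix: encrypt reply", remote_acl, server, client, False),
        ("local pix: decrypt reply", local_acl, server, client, True),
    ]
    for name, acl, s, d, inbound in hops:
        if not tunnels(acl, s, d, inbound):
            return f"no match at {name}"
    return "ok"


# Constructed sample config (placeholder ACL names); 172.17.5.x is the remote side, 10.9.3.x the local side.
REMOTE_ACL = parse_acl(["access-list VPN-TO-DEV permit ip 172.17.5.0 255.255.255.0 10.9.3.0 255.255.255.0"])
LOCAL_MIRROR = parse_acl(["access-list VPN-TO-THEM permit ip 10.9.3.0 255.255.255.0 172.17.5.0 255.255.255.0"])
LOCAL_LIMITED = parse_acl(["access-list VPN-TO-THEM permit ip 10.9.3.0 255.255.255.0 172.17.5.42 255.255.255.255"])

if __name__ == "__main__":
    for server in ("172.17.5.42", "172.17.5.7"):
        print(server, "mirrored:", rdp_session(LOCAL_MIRROR, REMOTE_ACL, "10.9.3.10", server),
              "| limited:", rdp_session(LOCAL_LIMITED, REMOTE_ACL, "10.9.3.10", server))
```

With the limited local ACL, a session to 172.17.5.7 never enters the tunnel, and a reply from that server arriving at the local PIX fails the reverse match, which is the drop Brent describes.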
 