Site to Site VPN Security

[jfp23]

I'm being required to setup a site to site VPN to a hosting provider for access to an application. They want to setup to allow all traffic across for the specified IP ranges. Since the application is browser based and should only need 80/443 out from my location and normal browsing traffic coming back in I want to restrict what traffic goes across the tunnel. What is the best way to do that on an ASA 5512x?

thanks

 

[iggsterman]

Since IPSec site-to-site tunnels are IP-based (crypto ACLs are) you could apply an ACL on the "inside" interface of the ASA, or modify the existing one, to filter traffic to the web server.

Other, not so elegant options could be to
- restrict the traffic to TCP/80 and TCP/443 at the hosting provider based webserver with either iptables (Linux) or Windows firewall
- filter the traffic at the core, on your main site, if you have a router or a Layer 3 switch before the ASA.

 

[PScottC]

You can also apply an access-list to your tunnel traffic. The sample below is generic, but could be applied to your situation.

[tt]access-list ACL_S2S_Filter extended permit tcp any any eq http
access-list ACL_S2S_Filter extended permit tcp any any eq https
!
group-policy GP_Filtered_S2S internal
group-policy GP_Filtered_S2S attributes
vpn-filter value ACL_S2S_Filter
!
tunnel-group S2S_Group general-attributes
default-group-policy GP_Filtered_S2S[/tt]


PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers