
Site to Site VPN Security

Status
Not open for further replies.

jfp23

Technical User
Mar 2, 2004
287
US
I'm being required to set up a site-to-site VPN to a hosting provider for access to an application. They want to set it up to allow all traffic across for the specified IP ranges. Since the application is browser-based and should only need 80/443 out from my location and normal browsing traffic coming back in, I want to restrict what traffic goes across the tunnel. What is the best way to do that on an ASA 5512-X?

thanks
 
Since IPSec site-to-site tunnels are IP-based (crypto ACLs are), you could apply an ACL on the "inside" interface of the ASA, or modify the existing one, to filter traffic to the web server.

Other, less elegant options would be to
- restrict the traffic to TCP/80 and TCP/443 at the hosting provider's web server with either iptables (Linux) or Windows Firewall
- filter the traffic at the core, on your main site, if you have a router or a Layer 3 switch in front of the ASA.
 
You can also apply an access-list to your tunnel traffic. The sample below is generic, but could be applied to your situation.

[tt]! A vpn-filter ACL is written from the remote (peer) network's point of view:
! source = remote side, destination = local side. The ASA applies it to both
! directions of the tunnel. Since the web server is at the remote end, the
! port is matched on the SOURCE side of the entry, not the destination.
access-list ACL_S2S_Filter extended permit tcp any eq http any
access-list ACL_S2S_Filter extended permit tcp any eq https any
! anything else crossing the tunnel hits the implicit deny at the end of the ACL
!
group-policy GP_Filtered_S2S internal
group-policy GP_Filtered_S2S attributes
 vpn-filter value ACL_S2S_Filter
!
! For an IPsec L2L tunnel the tunnel-group is normally named by the peer's IP address;
! S2S_Group is a placeholder for that name.
tunnel-group S2S_Group general-attributes
 default-group-policy GP_Filtered_S2S[/tt]


PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers"
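A worked configuration for the scenario in this thread, covering both approaches the replies describe: an ACL on the inside interface, and a vpn-filter on the tunnel's group policy. This is an added example, not configuration from either poster. The addressing is assumed: 192.168.10.0/24 for the LAN behind the ASA, 203.0.113.0/24 for the provider's application range that the tunnel carries, and 198.51.100.1 for the provider's IPsec peer (which is what an L2L tunnel-group is named after). The object, ACL and group-policy names are likewise made up.

```cisco
! Added example (not from the thread). Assumed addressing:
!   local LAN behind the ASA ........ 192.168.10.0/24
!   hosting provider's app range .... 203.0.113.0/24 (what the crypto ACL carries)
!   hosting provider's IPsec peer ... 198.51.100.1  (L2L tunnel-groups are named by peer IP)
!
object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network HOSTING_APP_NET
 subnet 203.0.113.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! --- Option A: filter on the inside interface, before encryption ---
! Evaluated on LAN traffic entering "inside": only 80/443 toward the provider
! range is allowed, anything else aimed at that range is dropped and logged,
! and ordinary Internet traffic is untouched. Return traffic is handled by the
! stateful connection table. If an ACL is already bound to "inside", add the
! first two entries to it instead of creating a new one.
access-list INSIDE_IN extended permit tcp object LOCAL_LAN object HOSTING_APP_NET object-group WEB_PORTS
access-list INSIDE_IN extended deny ip object LOCAL_LAN object HOSTING_APP_NET log
access-list INSIDE_IN extended permit ip object LOCAL_LAN any
access-group INSIDE_IN in interface inside
!
! --- Option B: vpn-filter on the tunnel's group policy ---
! A vpn-filter ACL is written from the REMOTE network's point of view
! (source = provider side, destination = local side) and the ASA applies it to
! both directions of the tunnel. Because the web server is on the remote side,
! the port is matched on the SOURCE. Writing "permit tcp any any eq www" here
! would instead permit the provider to reach web servers on your LAN.
access-list ACL_S2S_HOSTING extended permit tcp object HOSTING_APP_NET eq www object LOCAL_LAN
access-list ACL_S2S_HOSTING extended permit tcp object HOSTING_APP_NET eq https object LOCAL_LAN
! (everything else through the tunnel hits the implicit deny)
group-policy GP_HOSTING_S2S internal
group-policy GP_HOSTING_S2S attributes
 vpn-filter value ACL_S2S_HOSTING
!
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GP_HOSTING_S2S
!
! --- Check it ---
! packet-tracer input inside tcp 192.168.10.50 40000 203.0.113.10 443   (expect ALLOW)
! packet-tracer input inside tcp 192.168.10.50 40000 203.0.113.10 3389  (expect DROP)
! show access-list ACL_S2S_HOSTING          (hit counts climb as traffic flows)
! show vpn-sessiondb detail l2l             (confirms the filter is attached to the session)
```

Either option does the job on its own, and the two can be stacked. The default `sysopt connection permit-vpn` exempts decrypted tunnel traffic from the outside interface's ACL, which is why the replies point at the inside interface or the vpn-filter rather than an ACL on "outside".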
 