Suppose you have a Cisco ASA with a L2L VPN to an
VPN-filters are an excellent tool, and can be used in this exactly same way for Cisco AnyConnect client VPNs. If you want to learn more about how to use these filtering in a dynamic system, where login is handled by external auth, like AD, but hosts are filtered, read this. Here, though, we'll focus on L2L VPNs.
First of all, create your objects, object-groups, and access list that you'll apply to the VPN. These type of "vpn-filter" ACLs are applied inbound, so the source of traffic is remote.
! Create partner objects
object network RemotePartner_Subnet1
subnet 10.200.0.0 255.255.0.0
object-group network RemotePartner_VPNGroup
network-object object RemotePartner_Subnet1
! Create objects for our networkobject network MyNetwork_Subnet1
subnet 10.100.0.0 255.255.0.0
object-group network MyNetwork_VPNGroup
network-object object MyNetwork_Subnet1
! Create services/port filtering object
object-group service web tcp
port-object eq www
port-object eq https
! Create inbound ACL to use as a vpn-filter, include icmp for testing purposesaccess-list Remote_2_MyNetwork_vpnFilter extended permit tcp object RemotePartner_VPNGroup object-group MyNetwork_VPNGroup object-group web
access-list Remote_2_MyNetwork_vpnFilter extended permit icmp any any
! Create a group policy to reference the vpn filter
group-policy MyNetwork_2_RemotePartner attributes
vpn-filter value Remote_2_MyNetwork_vpnFilter
! Update the tunnel group for the remote peer to map to the group policy
tunnel-group 188.8.131.52 general-attributes
Done! Now your L2L VPN is filtered inbound on your side, and doesn't require any action by the remote partner in the event you need to add a few hosts or further restrict the access.
Good luck out there.
Post a Comment