Friday, October 6, 2017

Cisco ASA - L2L VPN Filters

Hey all,

Suppose you have a Cisco ASA with a L2L VPN to an untrusted partner, and you have a requirement that large swaths of the network are included in the crypto map to this partner. However, you want to only permit particular ports, to particular hosts. Thankfully, Cisco ASAs support what's called a vpn-filter that can do exactly that.

VPN-filters are an excellent tool, and can be used in this exactly same way for Cisco AnyConnect client VPNs. If you want to learn more about how to use these filtering in a dynamic system, where login is handled by external auth, like AD, but hosts are filtered, read this. Here, though, we'll focus on L2L VPNs.

First of all, create your objects, object-groups, and access list that you'll apply to the VPN. These type of "vpn-filter" ACLs are applied inbound, so the source of traffic is remote.

! Create partner objects
object network RemotePartner_Subnet1
 subnet 10.200.0.0 255.255.0.0
object-group network RemotePartner_VPNGroup
 network-object object RemotePartner_Subnet1

! Create objects for our network
object network MyNetwork_Subnet1
 subnet 10.100.0.0 255.255.0.0
object-group network MyNetwork_VPNGroup
 network-object object MyNetwork_Subnet1

! Create services/port filtering object
object-group service web tcp
 port-object eq www
 port-object eq https

! Create inbound ACL to use as a vpn-filter, include icmp for testing purposes
access-list Remote_2_MyNetwork_vpnFilter extended permit tcp object RemotePartner_VPNGroup object-group MyNetwork_VPNGroup object-group web
access-list Remote_2_MyNetwork_vpnFilter extended permit icmp any any

! Create a group policy to reference the vpn filter
group-policy MyNetwork_2_RemotePartner attributes
 vpn-filter value Remote_2_MyNetwork_vpnFilter
 vpn-tunnel-protocol ikev1

! Update the tunnel group for the remote peer to map to the group policy
tunnel-group 50.50.50.50 general-attributes
 default-group-policy MyNetwork_2_RemotePartner

Done! Now your L2L VPN is filtered inbound on your side, and doesn't require any action by the remote partner in the event you need to add a few hosts or further restrict the access.

Good luck out there.
kyler