Cisco ASA 5505 (8.05): asymmetrical group-policy filter on an L2L IPSec tunnel

Posted by gravyface on Server Fault See other posts from Server Fault or by gravyface
Published on 2011-01-16T21:54:06Z Indexed on 2011/01/16 22:54 UTC
Read the original article Hit count: 298

I'm trying to find a way to setup a bi-directional L2L IPSec tunnel, but with differing group-policy filter ACLs for both sides.

I have the following filter ACL setup, applied, and working on my tunnel-group:

access-list ACME_FILTER extended permit tcp host 10.0.0.254 host 192.168.0.20 eq 22
access-list ACME_FILTER extended permit icmp host 10.0.0.254 host 192.168.0.20 

According to the docs, VPN filters are bi-directional, you always specify the remote host first (10.0.0.254), followed by the local host and (optionally) port number, as per the documentation.

However, I do not want the remote host to be able to access my local host's TCP port 22 (SSH) because there's no requirement to do so -- there's only a requirement for my host to access the remote host's SFTP server, not vice-versa. But since these filter ACLs are bidirectional, line 1 is also permitting the remote host to access my host's SSH Server.

The documentation I'm reading doesn't seem to clear to me if this is possible; help/clarification much appreciated.

© Server Fault or respective owner

Related posts about vpn

Related posts about cisco