Cisco ASA 5505 (8.05): asymmetrical group-policy filter on an L2L IPSec tunnel
Posted by gravyface on Server Fault
Published on 2011-01-16T21:54:06Z
I'm trying to find a way to set up a bi-directional L2L IPSec tunnel, but with differing group-policy filter ACLs for both sides.
I have the following filter ACL setup, applied, and working on my tunnel-group:
access-list ACME_FILTER extended permit tcp host 10.0.0.254 host 192.168.0.20 eq 22
access-list ACME_FILTER extended permit icmp host 10.0.0.254 host 192.168.0.20
According to the documentation, VPN filters are bi-directional: you always specify the remote host first (10.0.0.254), followed by the local host and (optionally) the port number.
However, I do not want the remote host to be able to access my local host's TCP port 22 (SSH), because there's no requirement to do so -- there's only a requirement for my host to access the remote host's SFTP server, not vice versa. But since these filter ACLs are bi-directional, line 1 is also permitting the remote host to access my host's SSH server.
The documentation I'm reading doesn't seem clear to me on whether this is possible; help/clarification much appreciated.
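The following is an added example, not code from the question or from Cisco, that models the evaluation rule Cisco's group-policy documentation gives for vpn-filter ACLs: the ACE is written for post-decrypted (inbound) traffic with the remote host in the source position and the local host in the destination position, and for pre-encrypted (outbound) traffic the ASA evaluates the same ACE with source and destination swapped. The model is deliberately narrow: it handles only `host` entries with optional `eq` port qualifiers, it does not model the stateful connection table (return packets of an established connection) or NAT, and the ephemeral client port 50000 and the second ACL (`REMOTE_PORT_ACL`, which puts the `eq 22` qualifier on the remote host) are constructed here to show how the port position changes what each direction permits.

```python
"""Model of how an ASA vpn-filter ACE is matched in both tunnel directions.

Assumed semantics (from Cisco's vpn-filter documentation): the ACE is written
remote-host-first for inbound (post-decrypted) traffic, and for outbound
(pre-encrypted) traffic the same ACE is matched with src/dst swapped.
Everything not matched by some ACE is dropped (implicit deny at the end).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    proto: str                  # "tcp", "udp" or "icmp"
    remote: str                 # host written in the source position
    remote_port: Optional[int]  # "eq N" qualifier after the remote host, if any
    local: str                  # host written in the destination position
    local_port: Optional[int]   # "eq N" qualifier after the local host, if any


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit PROTO host A [eq N] host B [eq N]'.

    Only the 'host' / 'eq' subset used in the question is supported.
    """
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:4] != ["extended", "permit"]:
        raise ValueError("unsupported ACE: %r" % line)
    proto = tok[4]

    def host_and_port(i: int) -> Tuple[str, Optional[int], int]:
        if tok[i] != "host":
            raise ValueError("only 'host' entries are modelled: %r" % line)
        addr = tok[i + 1]
        i += 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = int(tok[i + 1])
            i += 2
        return addr, port, i

    remote, rport, i = host_and_port(5)
    local, lport, _ = host_and_port(i)
    return Ace(proto, remote, rport, local, lport)


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen on the wire: src -> dst."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _ace_matches(ace: Ace, proto: str, src: str, sport: Optional[int],
                 dst: str, dport: Optional[int]) -> bool:
    if ace.proto != proto or ace.remote != src or ace.local != dst:
        return False
    if ace.remote_port is not None and ace.remote_port != sport:
        return False
    if ace.local_port is not None and ace.local_port != dport:
        return False
    return True


def permitted(acl: List[Ace], flow: Flow, direction: str) -> bool:
    """Return True if the vpn-filter lets this new flow through.

    direction: "inbound"  = remote -> local, matched as written;
               "outbound" = local -> remote, matched with src/dst swapped
               so the remote end is again compared against the ACE's
               source position.
    """
    if direction == "inbound":
        src, sport, dst, dport = flow.src, flow.sport, flow.dst, flow.dport
    elif direction == "outbound":
        src, sport, dst, dport = flow.dst, flow.dport, flow.src, flow.sport
    else:
        raise ValueError(direction)
    # First matching permit wins; no match means the implicit deny applies.
    return any(_ace_matches(a, flow.proto, src, sport, dst, dport) for a in acl)


# The ACL from the question, port qualifier on the local host.
QUESTION_ACL = [
    parse_ace("access-list ACME_FILTER extended permit tcp host 10.0.0.254 host 192.168.0.20 eq 22"),
    parse_ace("access-list ACME_FILTER extended permit icmp host 10.0.0.254 host 192.168.0.20"),
]
# Constructed variant for comparison: the same hosts, port qualifier on the remote host.
REMOTE_PORT_ACL = [
    parse_ace("access-list ACME_FILTER extended permit tcp host 10.0.0.254 eq 22 host 192.168.0.20"),
]

# Constructed flows: 50000/40000 stand in for ephemeral client ports.
LOCAL_TO_REMOTE_SSH = Flow("tcp", "192.168.0.20", 50000, "10.0.0.254", 22)
REMOTE_TO_LOCAL_SSH = Flow("tcp", "10.0.0.254", 40000, "192.168.0.20", 22)


def summarize(acl: List[Ace]) -> dict:
    """Which of the two SSH connection attempts each ACL lets through."""
    return {
        "remote_to_local_ssh": permitted(acl, REMOTE_TO_LOCAL_SSH, "inbound"),
        "local_to_remote_ssh": permitted(acl, LOCAL_TO_REMOTE_SSH, "outbound"),
    }


if __name__ == "__main__":
    print("question ACL   :", summarize(QUESTION_ACL))
    print("remote-port ACL:", summarize(REMOTE_PORT_ACL))
```

Under this model the question's first ACE, with `eq 22` attached to the local host, matches a new inbound connection from the remote host to the local host's port 22, while an outbound connection from the local host to the remote host's port 22 is matched with the addresses swapped (remote as source on port 22, local as destination on the ephemeral port), so the `eq 22` on the local side does not match it. Moving the `eq 22` to the remote host reverses which direction the ACE permits.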
© Server Fault or respective owner