Site to Site VPN Security

I'm being required to set up a site-to-site VPN to a hosting provider for access to an application. They want to set it up to allow all traffic across for the specified IP ranges. Since the application is browser-based and should only need 80/443 out from my location and normal browsing traffic coming back in, I want to restrict what traffic goes across the tunnel. What is the best way to do that on an ASA 5512x?


RE: Site to Site VPN Security

Since IPSec site-to-site tunnels are IP-based (crypto ACLs are), you could apply an ACL on the "inside" interface of the ASA, or modify the existing one, to filter traffic to the web server.

Other, not so elegant options could be to
- restrict the traffic to TCP/80 and TCP/443 on the hosting provider's web server with either iptables (Linux) or Windows Firewall
- filter the traffic at the core, on your main site, if you have a router or a Layer 3 switch in front of the ASA.

RE: Site to Site VPN Security

You can also apply an access-list to your tunnel traffic. The sample below is generic, but could be applied to your situation.

access-list ACL_S2S_Filter extended permit tcp any any eq http
access-list ACL_S2S_Filter extended permit tcp any any eq https
group-policy GP_Filtered_S2S internal
group-policy GP_Filtered_S2S attributes
  vpn-filter value ACL_S2S_Filter
tunnel-group S2S_Group general-attributes
  default-group-policy GP_Filtered_S2S

— CCNPx3 (Security/R&S/Wireless) • MCITP: Enterprise Admin • MCSE —

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers"
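A point worth checking before deploying a vpn-filter like the one above: Cisco documents that a vpn-filter ACE is matched with the remote network as the source and the local network as the destination, for traffic in both directions, and that the port fields are matched literally in that view. The small evaluator below (an added example, not code from this thread or from Cisco; the remote-as-source convention is taken as an assumption from Cisco's vpn-filter documentation) parses ASA `access-list ... extended` lines and reports which constructed flows they permit. It contrasts the generic `any any eq https` form with one scoped to a constructed hosting-provider web server (203.0.113.10, an RFC 5737 documentation address) and a constructed local subnet 10.10.1.0/24, and also shows the documented side effect that a port on the source side admits remote-initiated connections from that source port, which is why the host firewall the first reply mentions still earns its keep.

```python
"""Evaluate Cisco ASA vpn-filter ACEs against sample tunnel flows.

Added example, not from the Tek-Tips thread. Assumption (from Cisco's
vpn-filter documentation): every ACE is matched with the remote network
as the source and the local network as the destination, in both
directions, and the port fields are compared literally in that view.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Port keywords accepted in the ACEs this evaluator understands.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "smtp": 25}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network      # remote side of the tunnel
    sport: Optional[int]
    dst: ipaddress.IPv4Network      # local side of the tunnel
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)


def _take_endpoint(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A MASK', plus an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = _port(tokens.pop(0))
    return net, port


def parse_acl(config: str, name: str) -> List[Ace]:
    """Return the ACEs of the named access-list, in configured order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["name"] != name:
            continue
        tokens = m["rest"].split()
        src, sport = _take_endpoint(tokens)
        dst, dport = _take_endpoint(tokens)
        aces.append(Ace(m["action"], m["proto"], src, sport, dst, dport))
    return aces


def evaluate(aces, proto, remote_ip, remote_port, local_ip, local_port) -> str:
    """First-match evaluation in the remote-as-source view; implicit deny."""
    r, l = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto) or r not in ace.src or l not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != remote_port:
            continue
        if ace.dport is not None and ace.dport != local_port:
            continue
        return ace.action
    return "deny"


def local_initiated(aces, local_ip, remote_ip, dst_port, src_port=50000) -> str:
    """A local client connecting out: the remote end carries dst_port."""
    return evaluate(aces, "tcp", remote_ip, dst_port, local_ip, src_port)


def remote_initiated(aces, remote_ip, local_ip, dst_port, src_port=50000) -> str:
    """A remote host connecting in: the local end carries dst_port."""
    return evaluate(aces, "tcp", remote_ip, src_port, local_ip, dst_port)


# Constructed sample: the generic filter form (any/any, port on the local side).
GENERIC_FILTER = """
access-list ACL_S2S_Filter extended permit tcp any any eq http
access-list ACL_S2S_Filter extended permit tcp any any eq https
"""

# Constructed sample: scoped to the provider's web server and the local user
# subnet, with the port on the remote (source) side so outbound browsing matches.
SCOPED_FILTER = """
access-list ACL_S2S_Filter extended permit tcp host 203.0.113.10 eq https 10.10.1.0 255.255.255.0
access-list ACL_S2S_Filter extended permit tcp host 203.0.113.10 eq http 10.10.1.0 255.255.255.0
"""


def report() -> dict:
    generic = parse_acl(GENERIC_FILTER, "ACL_S2S_Filter")
    scoped = parse_acl(SCOPED_FILTER, "ACL_S2S_Filter")
    return {
        "generic_browse_out": local_initiated(generic, "10.10.1.20", "203.0.113.10", 443),
        "scoped_browse_out": local_initiated(scoped, "10.10.1.20", "203.0.113.10", 443),
        "scoped_smb_in": remote_initiated(scoped, "203.0.113.10", "10.10.1.5", 445),
        # Documented side effect: remote source port 443 reaches any local port.
        "scoped_in_from_sport443": remote_initiated(scoped, "203.0.113.10", "10.10.1.20", 22, src_port=443),
    }


if __name__ == "__main__":
    for flow, verdict in report().items():
        print(f"{flow:28s} {verdict}")
```

Under the remote-as-source reading, the generic `any any eq https` ACE describes a remote-initiated connection to local port 443, so a local browser's outbound HTTPS session does not match it, while the scoped form permits exactly that session and drops a remote-initiated SMB attempt. The last flow is the trade-off of putting the port on the source side: it is worth pairing the vpn-filter with the inside-interface ACL or the server-side firewall from the earlier reply rather than relying on it alone.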
