One Direction site to site vpn
fid500
I am trying to set up a one-direction IPsec site-to-site VPN between sites A and B. The traffic will be originating from site A to site B. I am trying to limit traffic from site A to only HTTP and allow only return traffic from site B. Site B should not be able to initiate any connections.
I have a problem getting the tunnel up when I add a group policy on the ASA at site A. If I use the default group policy it works fine. Can someone tell me what I am doing wrong? Where should I apply the ACL to control ports and hosts going through the VPN?
Thanks
hostname API
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 9.1.1.3 HostB
name 9.1.1.0 SiteB
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 8.1.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
access-list inside_access_in extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
access-list outside_2_cryptomap extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
access-list MyGroupPolicy extended permit tcp host HostB 8.1.1.0 255.255.255.0 eq www
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http 8.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 192.168.1.2
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 8.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy MyGroupPolicy internal
group-policy MyGroupPolicy attributes
vpn-filter value MyGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
default-group-policy MyGroupPolicy
tunnel-group 192.168.1.2 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 192.168.1.2
hostname SiteB
names
name 8.1.1.0 SiteA
name 9.1.1.3 HostB
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 9.1.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
access-list inside_nat0_outbound extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
access-list inside_access_in extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 192.168.1.1
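Added example, not the poster's config: on an ASA the per-tunnel port and host restriction lives in the vpn-filter of the group policy, and the ACL is written the way the ASA evaluates it, with the remote side as source and the local side as destination; the ASA swaps addresses and ports before matching return packets, so one entry covers both directions. It reuses the names and group policy from the site A config above; the ACL name VPN-FILTER-A is a placeholder.

```cisco
! Added example for the site A ASA (not the poster's own lines).
! vpn-filter ACL convention: source = remote network, destination = local
! network. "eq www" therefore belongs on the REMOTE (HostB) side to mean
! "HostB's port 80", i.e. HTTP that site A initiates toward HostB.
names
name 9.1.1.3 HostB
!
! Remote HostB port 80 <-> local 8.1.1.0/24 any port. Anything else through
! the tunnel, including connections 9.1.1.0/24 tries to start toward site A
! on other ports, falls to the ACL's implicit deny.
access-list VPN-FILTER-A extended permit tcp host HostB eq www 8.1.1.0 255.255.255.0
!
group-policy MyGroupPolicy internal
group-policy MyGroupPolicy attributes
 vpn-filter value VPN-FILTER-A
!
tunnel-group 192.168.1.2 general-attributes
 default-group-policy MyGroupPolicy
```

The filter is matched per packet, not per connection, so a packet HostB sends from source port 80 toward an ephemeral port at site A also matches this line; the ASA's connection table, not the vpn-filter alone, is what stops such packets from becoming a new session.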