- Posts: 783
- Thank you received: 0
VPN ACL
- skepticals
- Topic Author
- Offline
- Elite Member
Less
More
17 years 5 months ago #21897
by skepticals
VPN ACL was created by skepticals
I am trying to add a new entry to an already existing ACL on an ASA 5510 and I am looking for some clarification:
Current entry I see:
I was told that the ASA is configured in such a way that VPN clients are assigned to the 10.3.254.0 network.
I need to allow remote desktop to host 1.2.3.4 from a vpn connection. How would I do so? Something like: access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 host 1.2.3.4 eq 3389?
Do I need a source and a destination port?
I am unsure about the order because of the address similarity. Any ideas? Thanks!
Current entry I see:
access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 10.3.254.0 255.255.255.192
I was told that the ASA is configured in such a way that VPN clients are assigned to the 10.3.254.0 network.
I need to allow remote desktop to host 1.2.3.4 from a vpn connection. How would I do so? Something like: access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 host 1.2.3.4 eq 3389?
Do I need a source and a destination port?
I am unsure about the order because of the address similarity. Any ideas? Thanks!
17 years 5 months ago #21900
by lomaree
you want VPN client to connect to this computer inside using remote desktop, rite?
if that's the case then it should be
access-list outside_inside extended permit tcp 10.3.254.0. 255.255.255.0 host 1.2.3.4 eq 3389
if you want to go for port then should define "tcp" instead of "ip" in your acl.
HTH
Replied by lomaree on topic Re: VPN ACL
I need to allow remote desktop to host 1.2.3.4 from a vpn connection. How would I do so? Something like: access-list inside_nat0_outbound extended permit ip 10.3.254.0 255.255.255.0 host 1.2.3.4 eq 3389?
you want VPN client to connect to this computer inside using remote desktop, rite?
if that's the case then it should be
access-list outside_inside extended permit tcp 10.3.254.0. 255.255.255.0 host 1.2.3.4 eq 3389
if you want to go for port then should define "tcp" instead of "ip" in your acl.
HTH
- skepticals
- Topic Author
- Offline
- Elite Member
Less
More
- Posts: 783
- Thank you received: 0
17 years 5 months ago #21919
by skepticals
Replied by skepticals on topic Re: VPN ACL
Thank you. I will give this a shot and see what happens.
- skepticals
- Topic Author
- Offline
- Elite Member
Less
More
- Posts: 783
- Thank you received: 0
17 years 5 months ago #21924
by skepticals
Replied by skepticals on topic Re: VPN ACL
This is what I entered:[code:1]access-list inside_nat0_outbound extended permit tcp 10.3.254.0 255.255.255.0 host 1.2.3.4 eq 3389[/code:1]
It does not work. Did I do something wrong?
It does not work. Did I do something wrong?
17 years 5 months ago #21925
by d_jabsd
Replied by d_jabsd on topic Re: VPN ACL
The using tcp or udp for nat_0 rules doesn't work with VPNs. It only works with ip acls.
- skepticals
- Topic Author
- Offline
- Elite Member
Less
More
- Posts: 783
- Thank you received: 0
17 years 5 months ago #21926
by skepticals
Replied by skepticals on topic Re: VPN ACL
Good call.The using tcp or udp for nat_0 rules doesn't work with VPNs. It only works with ip acls.
Time to create page: 0.131 seconds