Cisco – Limiting VPN traffic with ACL

ciscocisco-asavpn

THIS IS NOT A DUPLICATE POST/SAME QUESTION! PLEASE READ FULLY!!

We're implementing a web-proxy service and in the tunnel config over to their service the provider requested a crypo ACL as follows:

access-list outside_30_crypto extended permit ip any any

For the test though we only want one machine's traffic to be pushed through this tunnel. I was told there is a way to limit the tunnel traffic with an additional ACL, but I'm unclear as to how to achieve this and still allow all other traffic through the outside interface as usual.

Best Answer

I would not recommend putting an ACL on a VPN interface (physical or logical source)/tunnel interface(if you are using the newer transport mode configuration) to restrict the traffic thru a VPN. You should modify your ACL for the VPN in a similar manner to what I have posted on your other question Efficient crypto ACL's?

If you wish to send the traffic from just one host thru a VPN, your ACL should have that host's IP as the source address, and whatever remote resources you would like that host to access as the destination address/network. I.e. If your host is 192.168.1.100 and he will be sending traffic to Microsoft Azure cloud network with the LAN addressing being 172.16.0.0/16, you would need the ACL to look like the following

permit IP host 192.168.1.100 172.16.0.0 0.0.255.255

Related Solutions

Vpn – Site-to-Site VPN Tunnel Up Not Passing Traffic

The resolution to my problem is to upgrade my ASA image to 8.6.1(5).

This resolves bug CSCtq57752

The workaround to the bug is to lower the crypto map's timed lifetime and increase the crypto map's traffic volume threshold:

crypto map *YOUR-CRYPTO-MAP ID* set security-association lifetime seconds 3600
crypto map *YOUR-CRYPTO-MAP ID* set security-association lifetime kilobytes 2147483647

The above crypto map lowers the lifetime to 3600 seconds and increases the kilobytes threshold to the highest value. In my case, I just have to ensure the seconds lifetime is depleted before the kilobytes threshold.

Cisco – QoS voice traffic on WAN of Cisco 1841

The short answer is no. Your queuing policy needs to be applied outbound at the point of bottleneck. In this case, the bottleneck is the WAN connection (20 Mbps) between the pfSense and the 1841. Thus, the proper location of your queuing policies are outbound on the LAN interface (a bit of a misnomer) of the pfSense and outbound on Fa0/01 of the 1841, which you have.

All that being said, your policy on the 1841 is flawed. In your example, you've reserved 1 Mbps of bandwidth for VoIP and applied the policy to a 100 Mbps interface. What happens when the PCs start pushing 70Mbps of traffic while trying to make a VoIP call? From a queuing standpoint on the 1841, the answer is nothing. There is only 70 Mbps of data flowing out Fa0/1. Therefore, there is always 1 Mbps available for VoIP. However, once this traffic reaches the pfSense, at least 50 Mbps of data and VoIP will be dropped. Your calls would be terrible at best.

Without getting into all of the details, and using your prior example, the policy should be something like this:

class-map match-any CM-VOICE-TRAFFIC
 match access-group 145
!
policy-map PM-PRIORITISE-VOICE-child
 class CM-VOICE-TRAFFIC
   set ip dscp ef
   priority 1000
 class class-default
   fair-queue
!
policy-map Shape-20Mb-parent
 class class-default
  shape average 20000000
  service-policy PM-PRIORITISE-VOICE-child
!
interface FastEthernet0/1
 service-policy output Shape-20Mb-parent
!
access-list 145 permit ip 10.0.59.0 0.0.0.255 any

This policy creates an artificial bandwidth limit on all traffic leaving the Fa0/1 on the 1841. Thus, the pfSense will never have the opportunity to drop traffic indiscriminately. Also, instead of the bandwidth command, the priority command should be used to limit latency and jitter. The tagging and the ACL change should be self-explanatory.

Best Answer

Related Solutions

Vpn – Site-to-Site VPN Tunnel Up Not Passing Traffic

Cisco – QoS voice traffic on WAN of Cisco 1841

Related Topic