Site-to-Site VPN ports

Probably a simple answer, but I'm struggling to find a clear example of how to enable specific ports after establishing the S2S VPN using the wizard in ASDM, such as https://youtu.be/lGbsQJOxjsI

Is it as easy as adding the ports to the destination service for the S2S ACLs?

You create a basic inside to outside (or both) ACL for that traffic. An example is that you filter by subnet based on the VPN setup (near-side and far-side). After that you apply an ACL to define specifics as needed from each side to the other. Be wary if you have NAT in play; that needs to be addressed within the ACL as well.

Good example: A partner connects to you with a S2S VPN (which, by the way, an older term for is B2B or business-to-business VPN). You define your server subnet as your near side and their server subnet as the far side for the VPN configuration.

Then you apply an Outside to Inside ACL that defines that only specific servers on their side are allowed to reach whatever server on your side they needed to reach.

Things to be aware of:

  1. In his video he is covering a simple IPSEC VPN tunnel between two sites. Understand that a routed VPN works differently if you ever set one up, and changes where the ACL works from. No need to worry about this unless you go down that path but it’s very common when connecting to cloud environments or partners.

  2. Apply filtering AFTER testing. Then test again. There is nothing worse than a VPN set up with very tight security association subnet or host definitions AND a tightly controlled VPN and the ticket is basically, “it’s not working.” You have to disassemble things in parts just to get to what isn’t working. Instead, build things a step at a time. Get the VPN working, ensure encrypt and decrypt each way, THEN apply an ACL for filtering the access.

Let me know if the above process works for you.

I have to do this often for a client, but I do it from the CLI.
I create a separate ACL allowing certain ports, and I tie the ACL to a group-policy (vpn-filter), and the tunnel-group points to the group-policy.
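As an added illustration of the vpn-filter approach described above (constructed example, not the poster's own config): the near-side and far-side subnets, peer address and ACL/policy names are placeholders, and the crypto map and IKE settings created by the wizard are assumed to already exist.

```cisco
! Constructed example. Placeholders: near side 10.1.10.0/24, far side 192.168.50.0/24,
! partner peer 203.0.113.10. Object, ACL and policy names are assumptions.
object network LOCAL-SERVERS
 subnet 10.1.10.0 255.255.255.0
object network PARTNER-SERVERS
 subnet 192.168.50.0 255.255.255.0

! A vpn-filter ACL is written from the REMOTE side (source) to the LOCAL side
! (destination); the ASA evaluates the mirrored rule for traffic going the other way,
! so one ACL covers both directions of the tunnel.
access-list VPN-FILTER-PARTNER extended permit tcp object PARTNER-SERVERS object LOCAL-SERVERS eq 443
access-list VPN-FILTER-PARTNER extended permit tcp object PARTNER-SERVERS object LOCAL-SERVERS eq 22
! Anything else crossing the tunnel is dropped (implicit deny); an explicit logged deny
! makes "it's not working" tickets easier to trace in the syslog.
access-list VPN-FILTER-PARTNER extended deny ip any any log

! One group-policy per VPN, not a shared one across every L2L tunnel and AnyConnect.
group-policy GP-PARTNER internal
group-policy GP-PARTNER attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value VPN-FILTER-PARTNER

! The L2L tunnel-group (keyed by the peer IP) points at that group-policy.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-PARTNER

! Verification after the tunnel is up: confirm the filter is bound to the session
! and watch hit counts climb on the permit lines (and the deny line) while testing.
show vpn-sessiondb l2l
show access-list VPN-FILTER-PARTNER
```

Note that with the default `sysopt connection permit-vpn` setting, decrypted VPN traffic bypasses the interface ACLs entirely, so port restrictions placed only on the outside interface ACL may not take effect; the vpn-filter is enforced regardless.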

Thanks for your help! I currently have the remote site connected and working using the S2S IPsec VPN tunnel. The current ACL rule only has IP as a destination service. I will try to add the required ports to the destination service at both ends and test.

Perfectly valid method, applying it as a VPN filter on a group policy. Sadly, I’ve run into way too many people with ONE group policy, and it’s applied to every point-to-point VPN AND client AnyConnect.

Many simply do not create group policies per VPN, sadly. I wish I had more clients like yours. Or at least, control of things from the get go.

No worries, try to define your ACL from just one side if possible. Again, troubleshooting both ways can be a real pain. If you have a simple ACL defining what’s allowed from your side to the remote side, you’ll have fewer problems troubleshooting.