
Thread: VPN Filtering

  1. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #1

    VPN Filtering

    Hello, I have set up an L2L VPN between an ASA and a Linux firewall, and everything works fine when I choose the simple setup, e.g. permit asa_internal_lan 0.0.0.255 linux_internal_lan 0.0.0.255.

    With the default setup everyone has access to everyone. But I want to implement some filter rules in order to define interesting traffic.

    E.g. I want to allow specific hosts and specific ports from the Linux internal LAN to the ASA internal LAN, and from the ASA side specific IPs can see all of the Linux internal LAN.

    For that I have created a VPN group policy and I have applied it to the tunnel.

    Here is the thing: when I create rules that permit specific hosts and specific ports from the Linux internal LAN to the ASA internal LAN, filtering works fine. ICMP works fine both ways. BUT I am unable to access anything on the Linux internal LAN from the ASA internal LAN.

    I get an error that I have seen before with the ident protocol 2

    Jan 26 2008 17:18:58 106001 192.168.0.15 172.16.10.13 Inbound TCP connection denied from 192.168.0.15/2824 to 172.16.10.13/3389 flags SYN on interface internal

    And this is where the game ends. I think I may have forgotten something; any help will be appreciated.

    Thanks

  3. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #2
    Since the sysopt command is global, I have some issues.

    If I enable it, VPN traffic bypasses every ACL/ACE.
    If I disable it, I have to create ACLs/ACEs for every VPN connection type, roadwarrior/L2L, to accomplish what I want.
    But I cannot use this solution, as it would drive me crazy to maintain so many access lists.

    Using tunnel-group peer_ip general-attributes, default-group-policy policy_name
    has some effects, but not what I want.

    Is there a way to define specific access rules in an L2L VPN?

  4. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #3
    Searching on the Cisco NetPro forums I found others having the same problem I have.

    The one and most acceptable solution a guy gives is to put specific access rules on the other peer (not the ASA). Well, that's OK, but this doesn't give centralized management.

    Any help or thoughts on this would be helpful.

  5. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #4
    While the caffeine works into my system, can you give specifics on what you are trying to allow and filter (e.g. whole subnets, or allow subnets and then filter specific ports, etc.)? Also, are you mainly dealing with a hub in a hub/spoke configuration, or simply protecting one side in particular from another?

  6. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #5
    Ahriakin,

    I am trying to limit access FROM the VPN client - in other words, no one at my client side should be allowed to access my network. Access TO my client site from my network should be allowed across the VPN.

    The whole idea is to have a one-way VPN connection to my client site, so I can freely access things at my client site from my office, but the reverse is not allowed.

    Of course I would like to allow specific hosts and specific services to access my LAN from the VPN client.

  7. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #6
    Anyone?

  8. Village Idiot dtlokee's Avatar
    Join Date
    Mar 2007
    Location
    NJ
    Posts
    2,389

    Certifications
    CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD
    #7
    Quote Originally Posted by pr3d4t0r
    Anyone?
    It would depend on what protocols are involved and what not. I think the solution would be more in a firewall or router and stateful filtering on the inside of the concentrator connected to the main site. I don't know of a capability in the concentrator to do this.

  9. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #8
    The L2L VPN is between an ASA and a Linux box running IPsec, and it works fine as is. The problems occur when filtering comes in. RDP, SAP and Radmin are some of the protocols that I use now. Of course there is a Domain Controller, etc.

    I think placing some rules on the Linux box may indeed solve the problem, but I cannot accept that I cannot do this on the ASA side...

  10. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #9
    Any thoughts?

  11. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #10
    Sysopt lets incoming traffic on the VPN interface bypass its incoming access-list only. Since you're using an ASA you can apply normal security ACEs to your Inside interface's outgoing access-list to achieve the effect you want, I believe - though I haven't tried this. We have ASAs/PIXes at each site, so I just put the security filters on their Inside interface IN ACLs (blocking known malware ports, bogon nets, etc.); this also saves a bit on bandwidth, since the traffic is dropped before going over our tunnel.

  12. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #11
    Well, it seems that sysopt permits in and out traffic. I've tested it and I cannot filter anything; everything passes...

  13. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #12
    It shouldn't affect your inside interface; rules you apply there should take effect. I have 4 object groups of ports and subnets that should never pass between any clients on the firewall, and another 2 listing legal inside and outside private subnets, and I block all non-legal subnets' access to the outside using an ACL on the inside interface, with sysopt permitting VPN traffic on the outside. It works as it should (if a correctly encrypted outside subnet is not permitted as a destination on my Inside interface ACL, it fails).

  14. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #13
    Quote Originally Posted by pr3d4t0r
    Ahriakin,

    I am trying to limit access FROM the VPN client - in other words, no one at my client side should be allowed to access my network. Access TO my client site from my network should be allowed across the VPN.

    The whole idea is to have a one-way VPN connection to my client site, so I can freely access things at my client site from my office, but the reverse is not allowed.

    Of course I would like to allow specific hosts and specific services to access my LAN from the VPN client.
    So, have you done this or not? Stick to the one-way VPN connection idea.

  15. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #14
    Quote Originally Posted by Ahriakin
    It shouldn't affect your inside interface; rules you apply there should take effect. I have 4 object groups of ports and subnets that should never pass between any clients on the firewall, and another 2 listing legal inside and outside private subnets, and I block all non-legal subnets' access to the outside using an ACL on the inside interface, with sysopt permitting VPN traffic on the outside. It works as it should (if a correctly encrypted outside subnet is not permitted as a destination on my Inside interface ACL, it fails).
    I don't have a problem filtering my LAN's access to the client's LAN via the VPN tunnel. The problem is that I cannot filter the client's LAN to access specific hosts on specific ports on my LAN.

    from -----allow specific hosts to access my lan---> to
    <client lan> ===========VPN L2L============= <my lan>
    to <------I have full access to my clients lan----- from

    The default rule when you build a VPN L2L is to permit <client lan> <my lan>

    When I use a group policy and attach it to the tunnel like:

    permit tcp host <client lan pc1> host <my lan pc1> eq 3389 it works.
    But I cannot access any PC at <client lan>.
    Putting another ACL to permit this traffic simply doesn't work and gives me an error like this:

    Jan 26 2008 17:18:58 106001 192.168.0.15 172.16.10.13 Inbound TCP connection denied from 192.168.0.15/2824 to 172.16.10.13/3389 flags SYN on interface internal

    To debug this I have tried all VPN connection types: bidirectional, answer-only, originate, etc.
    I have issued several access lists, but this error keeps coming back...
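Added illustration, not from the thread and not Cisco's code: a small Python model of how a vpn-filter ACL is evaluated, which is what makes the rule above pass client-initiated RDP yet drop the flow in the 106001 log line. The ASA writes the filter with the remote network as source and the local network as destination and applies it to both directions, so a locally initiated connection is matched with its addresses and ports swapped; the /24 networks and ephemeral ports are constructed, and the evaluation model is the editor's reading of the ASA behaviour, assumed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption): hosts from the thread's 106001 log line, placed in made-up /24s.
REMOTE_LAN = ipaddress.ip_network("172.16.10.0/24")  # client (Linux) side
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")   # ASA inside

@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network          # remote side, as the ASA expects
    dst: ipaddress.IPv4Network          # local side
    src_port: Optional[int] = None      # 'eq' port on the remote side
    dst_port: Optional[int] = None      # 'eq' port on the local side

def ace(proto, src, dst, src_port=None, dst_port=None):
    return Ace(proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), src_port, dst_port)

def vpn_filter_permits(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """Model of vpn-filter evaluation (assumed): one ACL covers both directions, so a flow
    started from the local LAN is matched after swapping into remote -> local form."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src_ip in LOCAL_LAN and dst_ip in REMOTE_LAN:
        src_ip, dst_ip, src_port, dst_port = dst_ip, src_ip, dst_port, src_port
    for a in acl:
        if a.proto != proto or src_ip not in a.src or dst_ip not in a.dst:
            continue
        if a.src_port is not None and a.src_port != src_port:
            continue
        if a.dst_port is not None and a.dst_port != dst_port:
            continue
        return True
    return False  # implicit deny, as on any ASA ACL

# The thread's rule: permit tcp host <client lan pc1> host <my lan pc1> eq 3389
ORIGINAL_FILTER = [ace("tcp", "172.16.10.13/32", "192.168.0.15/32", dst_port=3389)]

# Added ACE: RDP *started* from the ASA side lands on the client's port 3389, which in
# remote -> local form is the source port, so 'eq 3389' belongs on the source.
FIXED_FILTER = ORIGINAL_FILTER + [ace("tcp", "172.16.10.13/32", "192.168.0.15/32", src_port=3389)]

def thread_scenarios(acl):
    """Client -> my LAN RDP, the denied flow from the log line, and a control flow (SMB)."""
    return {
        "client_to_mylan_rdp": vpn_filter_permits(acl, "tcp", "172.16.10.13", 40000, "192.168.0.15", 3389),
        "mylan_to_client_rdp": vpn_filter_permits(acl, "tcp", "192.168.0.15", 2824, "172.16.10.13", 3389),
        "client_to_mylan_smb": vpn_filter_permits(acl, "tcp", "172.16.10.13", 40001, "192.168.0.15", 445),
    }
```

The trade-off the later posts warn about is visible in the model: because the filter is stateless, the added ACE also admits client-originated packets sourced from TCP/3389 toward any local port, which is why the stateful one-way behaviour asked for here needs an inside-interface ACL or the peer's firewall instead.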

  16. Senior Member
    Join Date
    Feb 2006
    Location
    Canada
    Posts
    656

    Certifications
    BSCI,BCMSN,CCNA
    #15
    We are also trying to do the same thing here.

    We have a site-to-site tunnel with another company.

    We want to filter site-to-site VPN tunnel traffic on our 5540 so it only has access to a specific server.

    The group policy (with the vpn-filter sub-command) works great for remote access VPN, but we're trying to find a solution for L2L.

  17. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #16
    It also works for L2L, Humper, but you will be unable to "see" your client-side LAN.

  18. Senior Member
    Join Date
    Feb 2006
    Location
    Canada
    Posts
    656

    Certifications
    BSCI,BCMSN,CCNA
    #17
    Could you give me an example of using vpn-filter with an L2L tunnel?

  19. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #18

  20. Senior Member
    Join Date
    Feb 2006
    Location
    Canada
    Posts
    656

    Certifications
    BSCI,BCMSN,CCNA
    #19
    Thanks, that's excellent!

  21. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #20
    Let me know if you have any progress.

  22. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #21
    Guys, everything will work fine if you disable PFS, aka Perfect Forward Secrecy. Of course all rules work bidirectionally, so be careful about what you are allowing.

  23. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #22
    Sorry for not replying in a while, was finishing off some VPN updates of our own last week.

    The stateful security you were looking for relative to VPN endpoints, as opposed to appliance interfaces, is, as DT said, impossible; sorry I missed that in the early discussion.

    For just filtering specific traffic, inside-interface ACLs will do the trick.

    I'm really surprised you had different results with PFS, it doesn't affect traffic filtering/selection at all, just how the IPSEC keys are renegotiated. But if everything worked as it was supposed to we wouldn't have jobs.

  24. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #23
    I was just as amazed as you, Ahriakin; I cannot imagine how PFS affects the whole config.

    I must say that not all tunnels are Cisco to Cisco, and I had problems establishing tunnels when I use PFS, e.g. a tunnel between an ASA and a WatchGuard Firebox.

    I can filter everything now, as Cisco describes.

  25. Junior Member
    Join Date
    Apr 2008
    Posts
    2
    #24
    Hi,
    I've got the same problem; tunnel-group vpn-filters are assigned bidirectionally. I cannot imagine PFS solved it. What about disabling sysopt and binding an incoming ACL to the outside interface? Please reply.
