Hi there! I have a site-to-site VPN between an 871 running 12.4 and an ASA 5505 running 8.2. The 871 LAN is 1.0.0.0/8 and the ASA 5505 LAN is 2.0.0.0/8. I currently trust all traffic over the VPN tunnel between the two LANs. Since the 871 is using the zone-based firewall, I had to create inspection rules in the wan-to-lan policy to allow IP traffic from the remote LAN.
The problem is that allowing all IP traffic from the 2.0.0.0/8 network to the 1.0.0.0/8 network from wan-to-lan is a large security risk. It allows IP traffic from a spoofed source address (in the 2.0.0.0/8 subnet) to come into my LAN through the 871.
I am posting my relevant config below. Per a Cisco document, a workaround would be to use a VPN tunnel type that uses a virtual tunnel interface (VTI). However, I don't think the ASA supports that.
class-map type inspect match-all remote-lan-class
 match access-group name remote-lan
class-map type inspect match-any wan-to-self-class
 match access-group name wan-in
policy-map type inspect wan-to-lan-policy
 class type inspect remote-lan-class
  inspect
 class class-default
  drop
policy-map type inspect wan-to-self-policy
 class type inspect wan-to-self-class
  inspect
 class class-default
  drop log
zone-pair security wan-to-lan source wan destination lan
 service-policy type inspect wan-to-lan-policy
zone-pair security wan-to-self source wan destination self
 service-policy type inspect wan-to-self-policy
ip access-list extended remote-lan
 permit ip 2.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
ip access-list extended wan-in
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any
The Cisco documentation relating to this issue is here:
Using VPN with Zone-Based Policy Firewall [Cisco IOS Firewall] - Cisco Systems
Can someone please confirm the security risk I mention? Is using an Easy VPN the only solution, as this uses a VTI?
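As an added audit example (not from the post or from Cisco), this Python resolves a zone-pair through its policy-map and class-maps down to the ACL entries it will inspect, so the exact traffic the WAN zone may inject into the LAN is listed rather than traced by hand. It assumes IOS-style indented config text with named extended ACLs; the sample config below is constructed from the wan-to-lan part of the post.

```python
from collections import defaultdict

# Constructed sample: the wan-to-lan portion of the post's ZBFW config (the poster's lab addresses).
SAMPLE_CONFIG = """\
class-map type inspect match-all remote-lan-class
 match access-group name remote-lan
policy-map type inspect wan-to-lan-policy
 class type inspect remote-lan-class
  inspect
zone-pair security wan-to-lan source wan destination lan
 service-policy type inspect wan-to-lan-policy
ip access-list extended remote-lan
 permit ip 2.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
 deny ip any any
"""

def parse_zbfw(config):
    """Index class-maps -> ACL names, policy-maps -> (class, action), zone-pairs -> policy, ACLs."""
    cmaps, pmaps, zpairs, acls = defaultdict(list), defaultdict(list), {}, defaultdict(list)
    kind = block = cls = None
    for w in (ln.split() for ln in config.splitlines() if ln.strip()):
        if w[0] == "class-map":                   # class-map type inspect match-all NAME
            kind, block = "cmap", w[-1]
        elif w[0] == "policy-map":                # policy-map type inspect NAME
            kind, block = "pmap", w[-1]
        elif w[0] == "zone-pair":                 # zone-pair security NAME source S destination D
            kind, block = "zpair", (w[4], w[6])
        elif w[:2] == ["ip", "access-list"]:      # ip access-list extended NAME
            kind, block = "acl", w[-1]
        elif kind == "cmap" and w[:3] == ["match", "access-group", "name"]:
            cmaps[block].append(w[3])
        elif kind == "pmap" and w[0] == "class":  # class type inspect NAME / class class-default
            cls = w[-1]
        elif kind == "pmap" and w[0] in ("inspect", "pass", "drop"):
            pmaps[block].append((cls, w[0]))
        elif kind == "zpair" and w[0] == "service-policy":
            zpairs[block] = w[-1]
        elif kind == "acl" and w[0] in ("permit", "deny"):
            acls[block].append(" ".join(w))
    return cmaps, pmaps, zpairs, acls

def allowed_between(config, src, dst):
    """ACL permit entries the src->dst zone-pair inspects or passes; deny ACEs are skipped
    because a class-map 'match access-group' only matches on permit statements."""
    cmaps, pmaps, zpairs, acls = parse_zbfw(config)
    found = []
    for cls, action in pmaps.get(zpairs.get((src, dst)), []):
        for acl in cmaps.get(cls, []) if action in ("inspect", "pass") else []:
            found += [(acl, e) for e in acls[acl] if e.startswith("permit")]
    return found
```

Every entry it returns for (wan, lan) is traffic the firewall admits from the WAN side on the strength of its source address alone, which is the exposure the post describes.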