IOS Site-To-Site VPN Questions
_maurice
Member Posts: 142
Hi there! I have a site-to-site VPN between an 871 running 12.4 and an ASA 5505 running 8.2. The 871 LAN is 1.0.0.0/8 and the ASA 5505 LAN is 2.0.0.0/8. I currently trust all traffic over the VPN tunnel between the two LANs. Since the 871 is using the zone-based firewall, I had to create inspection rules in the wan-to-lan policy to allow IP traffic from the remote LAN.
The problem is that allowing all IP traffic from the 2.0.0.0/8 network to the 1.0.0.0/8 network from wan-to-lan is a large security risk. This opens the 871 to allow IP traffic from a spoofed source address (in the 2.0.0.0/8 subnet) to come into my LAN.
I am posting my relevant config below. Per a Cisco document, a workaround would be to use a VPN tunnel type that uses a virtual tunnel interface (VTI). However, I don't think the ASA supports that.
class-map type inspect match-all remote-lan-class
 match access-group name remote-lan
class-map type inspect match-any wan-to-self-class
 match access-group name wan-in
policy-map type inspect wan-to-lan-policy
 class type inspect remote-lan-class
  inspect
 class class-default
  drop
policy-map type inspect wan-to-self-policy
 class type inspect wan-to-self-class
  inspect
 class class-default
  drop log
zone-pair security wan-to-lan source wan destination lan
 service-policy type inspect wan-to-lan-policy
zone-pair security wan-to-self source wan destination self
 service-policy type inspect wan-to-self-policy
ip access-list extended remote-lan
 permit ip 2.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
ip access-list extended wan-in
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any
The Cisco documentation relating to this issue is here: Using VPN with Zone-Based Policy Firewall [Cisco IOS Firewall] - Cisco Systems
Can someone please confirm the security risk I mention? Is using an Easy VPN the only solution, as this uses a VTI?
Comments
_maurice Member Posts: 142
As a follow up to my post last week...
I think the "security risk" I mentioned earlier doesn't exist. My understanding is that since the crypto map is applied to the outside interface, the interface will only accept this "interesting traffic" when it is encrypted... If the "interesting traffic" does not match the crypto map, it gets dropped.
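The inbound path the two posts describe, as an added example (not code from the thread): the crypto map on the 871's outside interface is evaluated before the zone-based firewall, so a cleartext packet with a spoofed 2.0.0.0/8 source never reaches the wan-to-lan policy. Assumptions: the 871's crypto ACL, which the thread does not show, mirrors the remote-lan ACL; all packets are constructed.

```python
"""Model of the 871's inbound path from the thread: crypto map check, then the ZBFW policies."""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional
class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"             # "ip", "udp" or "esp"
    dport: Optional[int] = None
    from_sa: bool = False         # True once the packet was decrypted from an IPsec SA

class Ace(NamedTuple):            # one IOS access-list entry (constructed from the thread's ACLs)
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a set bit means 'don't care', so compare only the cleared bits."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def ace_matches(a: Ace, p: Packet) -> bool:
    proto_ok = a.proto == "ip" or a.proto == p.proto
    port_ok = a.dport is None or a.dport == p.dport
    return (proto_ok and port_ok and wildcard_match(p.src, a.src, a.src_wc)
            and wildcard_match(p.dst, a.dst, a.dst_wc))

def acl_permits(acl: List[Ace], p: Packet) -> bool:
    hit = next((a for a in acl if ace_matches(a, p)), None)   # first matching entry wins
    return hit is not None and hit.action == "permit"         # no match: implicit deny

ANY = ("0.0.0.0", "255.255.255.255")
REMOTE_LAN = [Ace("permit", "ip", "2.0.0.0", "0.255.255.255", "1.0.0.0", "0.255.255.255")]
WAN_IN = [Ace("permit", "udp", *ANY, *ANY, 500), Ace("permit", "udp", *ANY, *ANY, 4500),
          Ace("permit", "esp", *ANY, *ANY), Ace("deny", "ip", *ANY, *ANY)]
# Assumed crypto ACL on the 871 (outbound view, 1.0.0.0/8 -> 2.0.0.0/8); the thread does not show it.
CRYPTO_ACL = [Ace("permit", "ip", "1.0.0.0", "0.255.255.255", "2.0.0.0", "0.255.255.255")]

def inbound(p: Packet, dest_zone: str, crypto_acl: List[Ace] = CRYPTO_ACL) -> str:
    # Step 1: the crypto map drops cleartext whose mirrored flow matches the crypto ACL
    # (IOS logs CRYPTO-4-RECVD_PKT_NOT_IPSEC); this is what stops a spoofed 2.0.0.0/8 source.
    if not p.from_sa and acl_permits(crypto_acl, Packet(p.dst, p.src, p.proto)):
        return "drop: cleartext matched crypto ACL"
    # Step 2: zone-based firewall policy for the destination zone
    if dest_zone == "self":
        return "inspect" if acl_permits(WAN_IN, p) else "drop log"
    return "inspect" if acl_permits(REMOTE_LAN, p) else "drop"
```

The protection holds only for flows the crypto ACL covers: pass a crypto ACL narrower than remote-lan to inbound() and the uncovered 2.0.0.0/8 sources reach the ZBFW in cleartext and are inspected rather than dropped.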