VPN Filtering

pr3d4t0r Member Posts: 173
Hello, I have set up a L2L VPN between an ASA and a Linux firewall, and everything works fine when I choose the simple setup, e.g. permit asa_internal_lan 0.0.0.255 linux_internal_lan 0.0.0.255.

With the default setup everyone has access to everyone. But I want to implement some filter rules in order to define interesting traffic.

e.g. I want to allow specific hosts and specific ports from the Linux internal LAN to the ASA internal LAN, and from the ASA side specific IPs can see the whole Linux internal LAN.

For that I have created a VPN group policy and applied it to the tunnel.

Here is the thing: when I create rules that permit specific hosts and specific ports from the Linux internal LAN to the ASA internal LAN, filtering works fine. ICMP works fine both ways. BUT I am unable to access anything on the Linux internal LAN from the ASA internal LAN.

I get an error that I have seen before with the ident protocol 2:

Jan 26 2008 17:18:58 106001 192.168.0.15 172.16.10.13 Inbound TCP connection denied from 192.168.0.15/2824 to 172.16.10.13/3389 flags SYN on interface internal

And this is where the game ends. I think I may be forgetting something; any help will be appreciated.

Thanks

Comments

  • pr3d4t0r Member Posts: 173
    Since the sysopt command is global I have some issues.

    If I enable it, VPN traffic bypasses every ACL/ACE.
    If I disable it, I have to create ACLs/ACEs for every VPN connection type, roadwarrior/L2L, to accomplish what I want.
    But I cannot use this solution as it would drive me crazy to maintain so many access lists.

    Using the tunnel-group peer_ip general-attributes, default-group-policy policy_name
    has some effect but not what I want.

    Is there a way to define specific access rules in a L2L VPN?
  • pr3d4t0r Member Posts: 173
    Searching on the Cisco NetPro forums I found others having the same problem I have.

    One, and the most acceptable, solution a guy gives is to put specific access rules in the other peer (not the ASA). Well, that's OK but this doesn't give centralized management.

    Any help or thoughts on this would be helpful. :)
  • Ahriakin Member Posts: 1,799
    While the caffeine works into my system, can you give specifics on what you are trying to allow and filter (e.g. allow whole subnets, or allow subnets and then filter specific ports etc.)? Also, are you mainly dealing with a hub in a hub/spoke configuration or simply protecting one side in particular from another?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r Member Posts: 173
    Ahriakin,

    I am trying to limit access FROM the VPN client; in other words, no one at my client's side should be allowed to access my network. Access TO my client's site from my network should be allowed across the VPN.

    The whole idea is to have a one-way VPN connection to my client's site, so I can freely access things at my client's site from my office, but the reverse is not allowed.

    Of course I would like to allow specific hosts and specific services to access my LAN from the VPN client.
  • pr3d4t0r Member Posts: 173
  • dtlokee Member Posts: 2,378
    pr3d4t0r wrote:
    Anyone ?

    It would depend on what protocols are involved and what not. I think the solution would be more in a firewall or router with stateful filtering on the inside of the concentrator connected to the main site. I don't know of a capability in the concentrator to do this.
    The only easy day was yesterday!
  • pr3d4t0r Member Posts: 173
    The L2L VPN is between an ASA and a Linux box running IPsec, and it works fine as is. The problems occur when filtering comes in. RDP, SAP and Radmin are some of the protocols that I use now. Of course there is a Domain Controller etc. etc.

    I think placing some rules in the Linux box may indeed solve the problem, but I cannot accept that I cannot do this on the ASA side...
  • pr3d4t0r Member Posts: 173
    Any thoughts?
  • Ahriakin Member Posts: 1,799
    Sysopt lets incoming traffic on the VPN interface bypass its incoming access list only. Since you're using an ASA you can apply normal security ACEs to your inside interface's outgoing access list to achieve the effect you want, I believe, though I haven't tried this; we have ASAs/PIXes at each site, so I just put the security filters on their inside interface IN ACLs (blocking known malware ports, bogon nets etc.). This also saves a bit on bandwidth since the traffic is dropped before going over our tunnel.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r Member Posts: 173
    Well, it seems that sysopt permits in and out traffic. I've tested it and I cannot filter anything; everything passes...
  • Ahriakin Member Posts: 1,799
    It shouldn't affect your inside interface; rules you apply there should take effect. I have 4 object groups of ports and subnets that should never pass between any clients on the firewall, and another 2 listing legal inside and outside private subnets, and I block all non-legal subnets' access to the outside using an ACL on the inside interface, with sysopt permitting VPN traffic on the outside. It works as it should (if a correctly encrypted outside subnet is not permitted as a destination on my inside interface ACL, it fails).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r Member Posts: 173
    pr3d4t0r wrote:
    Ahriakin,

    I am trying to limit access FROM the VPN client; in other words, no one at my client's side should be allowed to access my network. Access TO my client's site from my network should be allowed across the VPN.

    The whole idea is to have a one-way VPN connection to my client's site, so I can freely access things at my client's site from my office, but the reverse is not allowed.

    Of course I would like to allow specific hosts and specific services to access my LAN from the VPN client.

    So have you done this or not? Stick to the one-way VPN connection idea.
  • pr3d4t0r Member Posts: 173
    Ahriakin wrote:
    It shouldn't affect your inside interface; rules you apply there should take effect. I have 4 object groups of ports and subnets that should never pass between any clients on the firewall, and another 2 listing legal inside and outside private subnets, and I block all non-legal subnets' access to the outside using an ACL on the inside interface, with sysopt permitting VPN traffic on the outside. It works as it should (if a correctly encrypted outside subnet is not permitted as a destination on my inside interface ACL, it fails).

    I don't have a problem filtering my LAN's access to the client's LAN via the VPN tunnel. The problem is that I cannot filter the client's LAN to access specific hosts on specific ports on my LAN.

    from <client lan> to <my lan>: allow specific hosts to access my lan --->
    <client lan> =========== VPN L2L =========== <my lan>
    from <my lan> to <client lan>: <--- I have full access to my client's lan

    The default rule when you build a L2L VPN is to permit <client lan> <my lan>.

    When I use a group policy and attach it to the tunnel like:

    permit tcp host <client lan pc1> host <my lan pc1> eq 3389 it works.
    But I cannot access any PC at <client lan>.
    Putting another ACL to permit this traffic simply doesn't work and gives me an error like this:

    Jan 26 2008 17:18:58 106001 192.168.0.15 172.16.10.13 Inbound TCP connection denied from 192.168.0.15/2824 to 172.16.10.13/3389 flags SYN on interface internal

    To debug this I have tried all VPN connection types: bidirectional, answer-only, originate etc.
    I have issued several access lists but this error keeps coming up...
  • Humper Member Posts: 647
    We are also trying to do the same thing here.

    We have site-to-site tunnel with another company.

    We want to filter site-to-site VPN tunnel traffic on our 5540 so it only has access to a specific server.

    The group policy (with the vpn-filter sub-command) works great for remote access VPN, but we're trying to find a solution for L2L.
    Now working full time!
  • pr3d4t0r Member Posts: 173
    It also works for L2L, Humper, but you will be unable to "see" your client-side LAN :)
  • Humper Member Posts: 647
    Could you give me an example of using vpn-filter with a L2L tunnel?
    Now working full time!
  • Humper Member Posts: 647
    Thanks, that's excellent!
    Now working full time!
  • pr3d4t0r Member Posts: 173
    Let me know if you have any progress :)
  • pr3d4t0r Member Posts: 173
    Guys, everything will work fine if you disable PFS, aka Perfect Forward Secrecy. Of course all rules work bidirectionally, so be careful about what you are allowing.
  • Ahriakin Member Posts: 1,799
    Sorry for not replying in a while; I was finishing off some VPN updates of our own last week.
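As an added example (not the thread's own configuration), here is an ASA config for what pr3d4t0r describes: the Linux-side LAN may only reach one ASA-side PC over RDP, while the ASA side may open RDP, SAP and Radmin sessions towards the Linux LAN. It rests on the behaviour the thread arrives at, that one vpn-filter ACL is checked for both directions of the tunnel and is written with the remote network as source; the LAN addresses are taken from the syslog line quoted above, while the peer address and the SAP/Radmin ports are assumptions.

```text
! Added example, not from the thread. Addresses follow the quoted syslog line
! (192.168.0.0/24 = ASA-side LAN, 172.16.10.0/24 = Linux-side LAN); the peer
! address 203.0.113.2 and the SAP/Radmin ports are assumed placeholders.
!
! vpn-filter ACEs are written from the remote side's point of view:
! source = remote (Linux) network, destination = local (ASA) network, and the
! one ACL is checked for connections in BOTH directions. A session opened from
! the ASA LAN therefore needs an ACE whose source is the remote host and port
! it talks to, i.e. the return traffic.

! 1. What the Linux side may open towards the ASA LAN: one PC, RDP only.
access-list L2L-FILTER extended permit tcp host 172.16.10.13 host 192.168.0.15 eq 3389

! 2. Return traffic for sessions the ASA LAN opens towards the Linux LAN.
!    Without these, a local RDP/SAP/Radmin session to the Linux LAN is dropped
!    with syslog 106001 "Inbound TCP connection denied ... flags SYN".
access-list L2L-FILTER extended permit tcp 172.16.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.255.0
! SAP GUI (DIAG) on instance 00; port assumed
access-list L2L-FILTER extended permit tcp 172.16.10.0 255.255.255.0 eq 3200 192.168.0.0 255.255.255.0
! Radmin default port; assumed
access-list L2L-FILTER extended permit tcp 172.16.10.0 255.255.255.0 eq 4899 192.168.0.0 255.255.255.0
! ICMP has no ports, so one ACE covers both directions.
access-list L2L-FILTER extended permit icmp 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
! The implicit deny at the end of the ACL drops everything else.
! Caveat: the port-on-source ACEs are not stateful. A Linux-side host sending
! from source port 3389 would match them too, so list only the ports actually
! needed rather than falling back to "permit ip".

! 3. Attach the filter to the L2L tunnel through its default group policy.
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value L2L-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-POLICY

! sysopt connection permit-vpn (the default) only lets decrypted tunnel traffic
! skip the outside interface ACL; a vpn-filter is still enforced per tunnel.
```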

    The stateful security you were looking for, relative to VPN endpoints as opposed to appliance interfaces, is, as DT said, impossible; sorry I missed that in the early discussion.

    For just filtering specific traffic, inside interface ACLs will do the trick.

    I'm really surprised you had different results with PFS; it doesn't affect traffic filtering/selection at all, just how the IPsec keys are renegotiated. But if everything worked as it was supposed to, we wouldn't have jobs.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r Member Posts: 173
    I was just as amazed as you, Ahriakin; I cannot imagine how PFS affects the whole config.

    I must say that not all tunnels are Cisco to Cisco, and I had problems establishing tunnels when I used PFS, e.g. a tunnel between an ASA and a WatchGuard Firebox.

    I can filter everything now as Cisco describes. :D
  • ciscoasa Member Posts: 2
    Hi,
    I got the same problem; tunnel-group vpn-filters are assigned bidirectionally. I cannot imagine PFS solved it. What about disabling sysopt and binding an incoming ACL to the outside interface? Please reply.
  • pr3d4t0r Member Posts: 173
    Tell us exactly what you have done.