topic Re: Trouble restricting client VPN access in Network Security

Trouble restricting client VPN access

Rex Biesty — Mon, 11 Mar 2019 10:19:50 GMT

I'm trying to restrict a VPN client so that it can only access one device behind our firewall. I have implemented the following commands

ip local pool SCS_Nant_Pool 10.10.99.1 mask 255.255.255.255

tunnel-group SCS_Nant_Support type ipsec-ra

tunnel-group SCS_Nant_Support general-attributes

address-pool SCS_Nant_Pool

tunnel-group SCS_Nant_Support ipsec-attributes

pre-shared-key *******

access-list nonat extended permit ip host 128.6.100.112 host 10.10.99.1

where 128.6.100.112 is the device I want sole access of. When I connect I receive IP address 10.10.99.1 OK but cannot ping or connect to 128.6.100.112. If I use a different tunnel group I can access everything fine. Command for the working group are

ip local pool Vpn-Pool 128.7.0.1-128.7.0.100 mask 255.255.0.0

tunnel-group ras type ipsec-ra

tunnel-group ras general-attributes

address-pool Vpn-Pool

tunnel-group ras ipsec-attributes

pre-shared-key ********

access-list nonat extended permit ip LOCAL_NET 255.255.0.0 CSG_WAN 255.255.255.0

access-list nonat extended permit ip LOCAL_NET 255.255.0.0 host ICCHOST

access-list nonat extended permit ip LOCAL_NET 255.255.0.0 10.0.0.0 255.252.0.0

access-list nonat extended permit ip host 128.6.100.112 CSG_WAN 255.255.255.0

access-list nonat extended permit ip host 128.6.100.112 10.0.0.0 255.255.0.0

access-list nonat remark nat 0 for remote vpn users

access-list nonat extended permit ip any 128.7.0.0 255.255.0.0

access-list nonat extended permit ip host 128.6.100.112 10.1.0.0 255.255.0.0

I have used this method before on firewalls running 6.3 without issue but this firewall (running v7) is not working.

Any help would be greatly appreciated.

Thanks

Rex

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 12:54:41 GMT

The subnet mask/network is wrong here.

access-list nonat extended permit ip host 128.6.100.112 10.0.0.0 255.255.0.0

should be 10.0.0.0 255.0.0.0 or 10.10.0.0 255.255.0.0

or change this one to 10.10.0.0

access-list nonat extended permit ip host 128.6.100.112 10.1.0.0 255.255.0.0

please rate if it helps

Re: Trouble restricting client VPN access

Rex Biesty — Thu, 24 May 2007 13:36:59 GMT

Thanks for the reply. I removed that line completely as it doesn't relate to anything I'm doing but it's made no difference. I've attached my config if it helps.

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 13:48:05 GMT

In what you originally posted you had no statement in your nat0 acl for the traffic in question, 128.6.100.112 to 10.10.0.0. I posted the statement to add to correct the issue. It appears you have added the following instead which is fine.

access-list nonat extended permit ip host TALENT_SERVER host 10.10.99.1

This should have done the trick.

Re: Trouble restricting client VPN access

Rex Biesty — Thu, 24 May 2007 14:01:17 GMT

I dont think I worded my original request very well, sorry for that. The config I sent is what is currently running on the Pix but I'm not getting any access.

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 14:16:33 GMT

Any logs on the ASA when you are trying the connection? It appears your split tunnel policy should tunnel all or tunnel your local lan so that should be ok. Nat exemption is ok, acl's aren't a problem. Make sure there is no other route to 10.10.0.0 other than ASA.

Re: Trouble restricting client VPN access

palomoj — Thu, 24 May 2007 14:20:24 GMT

Have you punched a hole in the ACL bound to the inside interface?

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 14:22:50 GMT

^^ sysopt conn permit-ipsec takes care of that.

Re: Trouble restricting client VPN access

Rex Biesty — Thu, 24 May 2007 14:24:11 GMT

The only comments I've added are those listed at the beginning of my first post. However, my colleague (god bless him) may have. I think he tried to sort this out himself before enlisting my help (without any knowledge of Pix's). Alas I cannot contact him at the moment.

Re: Trouble restricting client VPN access

palomoj — Thu, 24 May 2007 14:28:27 GMT

It takes care of the vpn traffic coming into the outside interface but it doesn't help the traffic initiated from the inside interface.

And your command doesn't apply to 7.x code. Its sysopt connection permit-vpn now.

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 14:33:57 GMT

It's only permit-vpn in 7.1 and 7.2. He's running 7.0.

And his original post was attempting to access the inside server, not trying to access the client from the server, that's why I assumed he didn't have to worry about the inside acl. Good pickup though.

Re: Trouble restricting client VPN access

palomoj — Thu, 24 May 2007 14:43:30 GMT

addressing the inside ACL will restrict the traffic however you want to look at it whether its client to server or server to client.

good catch on the 7.0 version

Re: Trouble restricting client VPN access

acomiskey — Thu, 24 May 2007 14:45:38 GMT

I agree, I assumed it was client to server from the above...

"cannot ping or connect to 128.6.100.112"

Re: Trouble restricting client VPN access

Rex Biesty — Fri, 25 May 2007 07:40:49 GMT

It is client to server (i.e. I'm sat at the client machine with VPN connected trying to ping 128.6.100.112 on the remote network - and failing).

Re: Trouble restricting client VPN access

palomoj — Fri, 25 May 2007 15:03:20 GMT

access-list nonat extended permit ip host 128.6.100.112 host 10.10.99.1

Re: Trouble restricting client VPN access

acomiskey — Fri, 25 May 2007 15:09:50 GMT

Palomoj,

Yes you are correct but he already has added

access-list nonat extended permit ip host TALENT_SERVER host 10.10.99.1

Shouldn't that work as well?

Re: Trouble restricting client VPN access

palomoj — Fri, 25 May 2007 15:14:58 GMT

I forgot about that entry. I don't see an outbound ACL hole for these two hosts.

access-list inside_out extended permit tcp host TALENT_SERVER host 10.10.99.1

Re: Trouble restricting client VPN access

Rex Biesty — Thu, 31 May 2007 08:00:06 GMT

Thanks for all your help. I took your advice and added the line

access-list inside_out extended permit ip host TALENT_SERVER host 10.10.99.1

and all is working fine now.

Re: Trouble restricting client VPN access

acomiskey — Thu, 31 May 2007 18:53:15 GMT

palomoj, I still don't get why this worked as he was initiating traffic from the remote end. The sysopt command would allow this traffic back out without the need for the acl right?

Re: Trouble restricting client VPN access

palomoj — Thu, 31 May 2007 19:09:03 GMT

The sysopt will permit the remote client vpn traffic to terminate and enter the outside interface without an outside ACL explicitly or implicitly permitting the traffic.

The inside ACL was denying the return (and initiating) traffic from the inside host to the remote VPN client.

HTH