topic Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn" in Network Security

Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

Michael Greaves — Tue, 10 Dec 2019 12:21:28 GMT

My question is how we allow VPN traffic via the outside interface but block internet traffic that happens to have the same source address as the remote VPN network ?

If you disable the bypassing of interface access lists on an ASA using the "no sysopt connection permit-vpn" command how should the ACLs be applied on the outside interface to only allow VPN traffic and not traffic from the internet. Example:-

Local Network Company A: 12.10.1.0/24

Remote Network Company B: 13.10.1.0/24

We apply an ACL on the outside interface allowing network 13.10.1.0/24 to access 12.10.1.0/24 over the VPN. But what would stop a network 13.10.1.0/24 on the internet also accessing 12.10.1.0/24. Assume that Company B is using 13.10.1.0/24 as its internal address range but a genuine external network also exists with the same IP network. How do we differentiate between the VPN network and the external internet based network ?

Thanks

Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

gerald.scott — Tue, 10 Dec 2019 18:30:10 GMT

What I have seen in production environments is leaving the SYSOPT in place and restricting traffic using VPN Filter lists.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

Michael Greaves — Thu, 12 Dec 2019 10:57:29 GMT

Sure yes, I'm also aware of that method but what if we don't want to use this option, so we have complete control of the VPN access. How will this affect the incoming internet traffic ?

Anybody considered this ?

Thanks

Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

Michael Greaves — Tue, 17 Dec 2019 11:09:37 GMT

Anybody any thoughts are this please ? Any feedback greatly appreciated.

Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

gerald.scott — Wed, 18 Dec 2019 01:26:01 GMT

Based on your scenario, there are two organizations using non RFC 1918 address space, that they don't own, as their internal address space. In my experience, this is extremely unlikely to happen, and as such I don't have an answer to your question. Good luck in your search.

Re: Cisco ASA - Correct application of ACLs to outside interface when using "no sysopt connection permit-vpn"

Michael Greaves — Wed, 18 Dec 2019 11:17:49 GMT

Thanks for your input Gerald. Really keen to hear other people's views as well.