topic Allow only one host access to VPN site to site tunnel in Network Security

Allow only one host access to VPN site to site tunnel

ubergeek1 — Mon, 11 Mar 2019 23:13:05 GMT

Hello,

I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up? Any code examples would be great. Thanks

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Wed, 30 May 2012 03:57:20 GMT

Pls share your existing configuration to understand your topology. Where is this 172.16.33.x network connected to?

Allow only one host access to VPN site to site tunnel

ubergeek1 — Wed, 30 May 2012 14:29:18 GMT

Hi Jennifer,

Thank you for your reply. Here is what I have, please excuse my rudimentray drawing:

[HOST 172.16.33.x]---------VLAN------------[3750G]------------------------[ASA 5510]

The entire network is a 192.168.5.x network space. The vlan is the only subnet in the 172.16.33.x range with one host connected.

Thanks

Allow only one host access to VPN site to site tunnel

nikolamitev — Wed, 30 May 2012 14:49:49 GMT

From this diagram it looks like your 3750 is terminating the vlan and doing the routing between the two vlans?

Allow only one host access to VPN site to site tunnel

ubergeek1 — Wed, 30 May 2012 14:57:45 GMT

Yes that is correct. I currently do not have a vlan on the ASA.

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Wed, 30 May 2012 21:22:58 GMT

On the ASA, you would need to have the following configured:

1) Route for 172.16.33.x towards the 3750G 192.168.5.x ip address.

2) VPN crypto ACL should include the 172.16.33.x host/network

3) NAT exemption also need to include the 172.16.33.x host/network

On the remote end, you would need to have a mirror image crypto acl that include the 172.16.33.x as well. NAT exemption on the remote end should also include that.

If you can share your config from both ends, I can assist to incorporate that into your existing configuration.

Allow only one host access to VPN site to site tunnel

ubergeek1 — Fri, 01 Jun 2012 03:53:14 GMT

Hi Jennifer,

Here is the ASA config:

ASA Version 8.2(1)

hostname fw

domain-name xxxxx

enable password k4HlcGX2lC1ypFOm encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.248

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.16.75.254 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 192.168.75.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name xxxxxxxxxxxxxxxxxxxxxxxx

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www

access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433

access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0

access-list DMZtoInside extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

nat (management) 1 0.0.0.0 0.0.0.0

static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255

static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255

static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group DMZtoInside in interface DMZ

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-reco

rd DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:e6f986d4427

504d675bb1

ca51a81534

: end

Thanks

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Fri, 01 Jun 2012 04:35:00 GMT

I don't see any VPN configuration on this ASA. Are you terminating the VPN somewhere else?

Allow only one host access to VPN site to site tunnel

ubergeek1 — Sat, 02 Jun 2012 01:02:57 GMT

Hi Jennifer,

My apologies, I should have clarified. Currently there are no VPN configurations on this ASA. After I am done with this tunnel, I plan to migrate several other tunnels that now terminate on a old PIX 515 to this ASA. I don't have access to the other side but this is what they require:

IKE => 3DES/SHA/DH2
IPSEC => 3DES/SHA - no PFS

Local network: 198.xx.xxx.xx (their svr address)
Remote network: 172.xx.xx.xx (will need to translate into this
address.)

Thanks

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Sat, 02 Jun 2012 03:14:35 GMT

The configuration on the ASA version 8.2.1 is the same as your PIX. The only difference is the pre-shared key is now configured under the tunnel-group configuration. Other than that, all the config is pretty much the same.

Do you actually have 172.16.33.x configured on your host/network? or you actually need to translate your internal subnet to 172.16.33.x when accessing the remote LAN?

Allow only one host access to VPN site to site tunnel

ubergeek1 — Sat, 02 Jun 2012 04:40:41 GMT

I dont have a 172.16.33.x on my internal network, I would need to translate the host on my internal network to the 172.16.33.x when accessing the remote LAN. I also want only the one host to access the remote LAN.

I looked at the PIX config for the site2site VPNs that I will have to migrate eventually and here is what I have:

crypto map ch-vpn 20 ipsec-isakmp
crypto map ch-vpn 20 match address encrypt-location
crypto map ch-vpn 20 set peer xx.xx.xx.xx
crypto map ch-vpn 20 set transform-set ch-strong

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

All I need is an access-list and a route inside and outside to add to the above to migrate each one over. I have 6 site2site VPNs to migrate, so the crypto map starts at 10 and ends at 60, however the isakmp policy starts at 10 and ends at 20. Shouldn't I have a isakmp policy for each crypto map entry? Thanks

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Sat, 02 Jun 2012 05:27:30 GMT

No, you don't need 1 isakmp policy for each crypto map entry. The isakmp policy needs to be listed so it can be negotiated with the remote end as long as there is a match policy. It will go down the list of isakmp policies configured until a match is found.

If you want to NAT your internal network to 172.16.33.x when going to the remote end, here is the NAT statement:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

The crypto ACL will say:

access-list crypto-acl permit ip host 172.16.33.x

Allow only one host access to VPN site to site tunnel

ubergeek1 — Tue, 05 Jun 2012 02:22:44 GMT

Hi Jennifer,

What do you think of this:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

route outside [Public IP of Remote Network] 255.255.255.255 {Public IP of my ASA] 1

route outside 172.XX.XX.XX 255.255.255.0 [ASA Default Gateway] 1

crypto map ch-vpn 60 ipsec-isakmp

crypto map ch-vpn 60 match address encrypt-tran

crypto map ch-vpn 60 set peer xx.xx.xx.xx

crypto map ch-vpn 60 set transform-set ch-strongcrypto map ch-vpn 60 ipsec-isakmp
crypto map ch-vpn 60 match address encrypt-tran
crypto map ch-vpn 60 set peer xx.xx.xx.xx
crypto map ch-vpn 60 set transform-set ch-strong

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

Would it be easier to place this host in its own subnet (172.16.33.xx) in a vlan off the switch and point it to the ASA as the default gateway for the remote network?

Thanks for all your help on this Jennifer!

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Tue, 05 Jun 2012 02:28:48 GMT

You don't need to configure the following 2 routes as it would just route via your ASA default gateway:

route outside [Public IP of Remote Network] 255.255.255.255 {Public IP of my ASA] 1

route outside 172.XX.XX.XX 255.255.255.0 [ASA Default Gateway] 1

It's probably easier to configure those NAT statement on the ASA because even if you place it on its own VLAN, you still need to configure:

1) route on the ASA to point the 172.x.x.x network back off your ASA inside interface

2) NAT exemption on your ASA

While with the NAT statement advised earlier, those are all you need, no need to configure static route on the ASA.

Allow only one host access to VPN site to site tunnel

ubergeek1 — Tue, 05 Jun 2012 02:37:06 GMT

So all I need then is:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

access-list crypto-acl permit ip host 172.16.33.x

crypto map ch-vpn 60 ipsec-isakmp

crypto map ch-vpn 60 match address encrypt-tran

crypto map ch-vpn 60 set peer xx.xx.xx.xx

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

Does that look right?

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Tue, 05 Jun 2012 02:41:45 GMT

yup, looks good to me, except the crypto key should be configured under tunnel-group:

tunnel-group type ipsec-l2l

tunnel-group ipsec-attribute

pre-shared-key

BTW, you've copied the crypto map section twice

Allow only one host access to VPN site to site tunnel

ubergeek1 — Tue, 05 Jun 2012 02:44:58 GMT

LOL yup, getting late here and I am at a security con and had a few brews I will let you know my results when I get back to the office. Thanks again I REALLY appreciate it!

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Tue, 05 Jun 2012 02:50:58 GMT

No worries, have fun!!

Allow only one host access to VPN site to site tunnel

ubergeek1 — Sat, 30 Jun 2012 02:02:12 GMT

Hi Jennifer,

I finally got a chance to work on this. I have the tunnel up if traffic is sent from the remote network, however if I try to send traffic from my internal lan to the remote network over the VPN the tunnel does not come up. I did notice one thing, I added the nat (inside) 5 172.18.13.x and a sh xlate showed that 192.168.5.40 was patted to this address, but then the nat statement disappeared. It could have happened when I deleted one of the acl's and reentered it. So the tunnel works but I cannot send any traffic, something is blocking me. Below is the current config:

ASA Version 8.2(1)
!
hostname xxxx
domain-name xxxxxxxxxxxxxxxxxxxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.xxx.xxx.xx 255.255.255.xxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.xxx.xxx 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.75.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in remark Permit traffic from Internet to web server
access-list outside_access_in extended permit tcp any host 12.xxx.xxx.xx eq www
access-list outside_access_in extended permit udp any host 12.xxx.xxx.xx eq 5008
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.15 eq 1433
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.15 eq www
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0 log
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.14 eq 8080
access-list crypto-acl extended permit ip host 172.18.13.xx host 198.xx.xxx.xxx
access-list nat-to-remote extended permit ip host 192.168.5.40 host 198.xx.xxx.xxx
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 5 172.18.13.xx
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 12.xxx.xxx.xx www 192.168.75.5 www netmask 255.255.255.255
static (DMZ,outside) tcp 12.xxx.xxx.xx https 192.168.75.5 https netmask 255.255.255.255
static (inside,outside) udp 12.xxx.xxx.xx 5008 172.16.32.xxx 5008 netmask 255.255.255.255
static (inside,DMZ) 192.168.5.15 192.168.5.15 netmask 255.255.255.255
static (inside,DMZ) 192.168.5.14 192.168.5.14 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 0.0.0.0 0.0.0.0 12.xxx.xxx.xx 1
route inside 172.16.32.0 255.255.255.0 172.16.85.253 1
route inside 192.168.5.14 255.255.255.255 172.16.85.253 1
route inside 192.168.5.15 255.255.255.255 172.16.85.253 1
route outside 198.xx.xxx.0 255.255.255.0 12.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer 198.xx.xxx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server management 192.168.1.3 ASA5510_6182012
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group 198.xx.xxx.xx type ipsec-l2l
tunnel-group 198.xx.xxx.xx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:768046cea800ceb4700b9641a70cc380
: end
asdm location 192.168.5.0 255.255.255.0 inside
asdm location 172.18.13.xx 255.255.255.255 inside

no asdm history enable

Allow only one host access to VPN site to site tunnel

Jennifer Halim — Sat, 30 Jun 2012 02:59:23 GMT

If you want to initiate the tunnel from both end, then you need to configure static policy NAT instead.

Base on your latest config, here is to be added:

no global (outside) 5 172.18.13.xx

static (inside,outside) 172.18.13.xx access-list nat-to-remote

Then "clear xlate".