topic Re: FTD Site to Site VPN access control policy in Network Security

FTD Site to Site VPN access control policy

Andy Infante — Fri, 21 Feb 2020 15:55:43 GMT

When building the site to site VPN in FTD/FMC where does the tunnel endpoint exist (what zone)?

For example, in Palo Alto, a tunnel can be placed into it's own zone and the access control policy uses that zone to send traffic to or receive from a remote site that is associated with that tunnel.

In FTD, how do you associate a tunnel zone to a vpn or associate a vpn with a zone to write the rules in the access control policy?

In the document here (https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_site_to_site_vpns.pdf)

there is a section that says in the vpn configuration that "access control lists will be generated from the choices made here (in the Protected networks config)". Where are those ACLs? Does that mean that rules don't need to be written in the access control policy?

Re: FTD Site to Site VPN access control policy

Andy Infante — Thu, 05 Jul 2018 23:02:15 GMT

No one knows the answer??

Re: FTD Site to Site VPN access control policy

Marvin Rhoads — Fri, 06 Jul 2018 03:13:53 GMT

The ACLs they refer to are the ones used in the cryptomap. The underlying logic is almost exactly the same as on an ASA as this feature is using the Lina subsystem.

I don't believe you can (currently as of Firepower 6.2.3) further restrict the access with additional ACLs (e.g. as you would do with vpn-filter on a traditional ASA) once you allow the addresses to communicate as part of your site-site VPN

Re: FTD Site to Site VPN access control policy

Andy Infante — Fri, 06 Jul 2018 14:24:02 GMT

So what you are saying is once the VPN is built using the FMC GUI it's "done?" There's no other configurations, no ACLs to build associated with a tunnel, etc...?

What is the purpose, are you aware, of the "tunnel" zone?

Andy

Re: FTD Site to Site VPN access control policy

Tobias Hilbert — Wed, 05 Sep 2018 15:30:51 GMT

Hi Marvin

To my understanding you need to add a Rule to the Acces Control Policy to allow traffic through the tunnel (if not set the "Bypass Access Control policy for decrypted traffic" option)

Since i am not able to to select another specific criteria for VPN i am also allowing traffic coming from outside (when vpn tunnel is not up) with this rule don't I?

kind regards

Tobias

Re: FTD Site to Site VPN access control policy

Marvin Rhoads — Wed, 05 Sep 2018 17:44:03 GMT

@Tobias Hilbert

The ACP rule for a site-site VPN is only allowing the remote site subnet(s) inbound, not any other random traffic from outside.

Re: FTD Site to Site VPN access control policy

Tobias Hilbert — Thu, 06 Sep 2018 09:36:07 GMT

Hi Marvin

I am not shure how to make sure that the rule only matches the Traffic coming from the VPN Tunnel.

If I add the rule based on Source Network and Destination Network, The rule would also match traffic coming unencrypted from the outside interface if the Source and destiantion matches. I would like to add a "source zone" like "VPN" to the rule but that is not available. The eventviewer shows the decrypted vpn packet coning from INTERNET Zone.

Now if i decommision the vpn or the tunnel might not be up i think the FW is accepting Packet with the correct SRC / DST coming from the INNTERNET Zone thus the Outside?

I am looking for a configuration option to tie that APC to the VPN besides SRC / DST IP

kind regards

Tobias

Re: FTD Site to Site VPN access control policy

Tobias Hilbert — Thu, 06 Sep 2018 09:54:32 GMT

Hi Marvin

Sorry for bothering 🙂

I found the solution.

There is a option to assign a VPN Session to a "tunnel-zone" through a prefilter policy rule.

This tunnel-zone is then available as a ZONE object in the ACP

kind regards

Tobias

Re: FTD Site to Site VPN access control policy

Marvin Rhoads — Thu, 06 Sep 2018 09:59:57 GMT

Is the remote protected network using public IP addresses internally? How about your internal network?

Normally the ACP says allow remote private network to local private network. If they are both RFC 1918 spaces then there's no way you should see other incoming traffic with that destination.

Re: FTD Site to Site VPN access control policy

Tobias Hilbert — Tue, 18 Sep 2018 21:33:03 GMT

Hi Marvin,

well if you trust your service provider that is true.

But if the service provider uses a RFC1918 Networks within his Backbone (actually I have already had a case where our Firewall learned 10.0.0.0/8 subnets over OSPF from a ISP) he might then be able to pass the firewall if the tunnel is down.

I played around with the Prefilter and Tunnel Tag but that is not working as expected. I thought it did but alter the upgrade to 6.2.3.5 its not working anymore.

Only a rule like 10.10.10.0/24 10.20.20.20/24 port 443 without any other argument lets the traffic pass.

I am wondering whats the best practice for a Site2Site tunnel on FTD.

kind regards

Tobias