topic Re: pix - using acls on split tunnel vpn? in Network Security

pix - using acls on split tunnel vpn?

m.brentlinger — Mon, 11 Mar 2019 11:04:36 GMT

Greetings, this is my first post to this list so please forgive me if this is a silly question or Ive somehow missed an answer in searching the forum archives. I did find some similar previous questions but didnt see how I could apply them directly to my situation. So here goes...

Im familar with firewalls/vpns but not so much with cisco pix's. I have a PIX 515 running v6.1 and what I think should be a simple VPN access-list question but cant seem to figure it out

Essentially this is my layout

172.16.0.0/16 ---- pix ----- internet ---- pcs with cisco vpn client

With the following Ive enabled a split tunnel ipsec vpn for roaming clients who have a 4.x cisco vpn client and presently when the tunnel comes up all traffic is allowed from the client to the internal network

aaa-server RADIUS (inside) host 172.16.0.3 ********** timeout 5

access-list sw_vpn_clt_nonat permit ip 172.16.0.0 255.255.0.0 192.168.254.0 255.255.255.0

ip local pool sw_vpn_clt_pool 192.168.254.1-192.168.254.254

nat (inside) 0 access-list sw_vpn_clt_nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup jetvpn address-pool sw_vpn_clt_pool

vpngroup jetvpn dns-server 172.16.0.7

vpngroup jetvpn default-domain jasper.jasperengines.com

vpngroup jetvpn idle-time 7200

vpngroup jetvpn password *************

vpngroup jetvpn split-tunnel sw_vpn_clt_nonat

What Id like to do is tighten down that vpn tunnel substansially with an acl to allow only access to a few internal resources. From my simple understanding 'sysopt connection permit-ipsec' is whats allowing all traffic to pass thru the tunnel when it comes up. And sure enough if I remove that command the tunnel will come up but not allow me to pass traffic.

So at that point Im unsure where to add the ACL to allow only what I want to pass thru the VPN. It seems presently theres a dynamic acl thats built per connection, eg:

JETPIX# show crypto map

Crypto Map: "mymap" interfaces: { outside }

client configuration address initiate

client configuration address respond

client authentication RADIUS

Crypto Map "mymap" 10 ipsec-isakmp

Dynamic map template tag: dynmap

Crypto Map "mymap" 30 ipsec-isakmp

Peer = 51.28.133.45

access-list dynacl337 permit ip any host 192.168.254.30 (hitcnt=52)

dynamic (created from dynamic map dynmap/10)

JETPIX# show access-list

...

access-list dynacl337 permit ip any host 192.168.254.30 (hitcnt=52)

...

So Im prone to think I need to somehow change my 'crypto dynamic-map' command to refer to a list, but Ive had no luck with that.

Any help any one could provide would be greatly appreciated.

-Mike

Re: pix - using acls on split tunnel vpn?

acomiskey — Thu, 30 Aug 2007 21:16:29 GMT

Mike,

Thanks for the descriptive post. I hope we can help.

If you remove sysopt connection permit-ipsec you will write the access you want to allow in an outside acl like so...

access-list outside_access_in permit ip host x.x.x.1

access-list outside_access_in permit ip host x.x.x.2

etc.

access-group outside_access_in in interface outside

Option 2 would be to use split tunneling

access-list split_tunnel_acl standard permit host x.x.x.1

access-list split_tunnel_acl standard permit host x.x.x.2

vpngroup jetvpn split-tunnel split_tunnel_acl

note: I also noticed that you used the same acl for your nat 0 and your split tunnel...you should always use different acl's even if they contain the same entries.

Hope this helps.

Re: pix - using acls on split tunnel vpn?

m.brentlinger — Fri, 31 Aug 2007 13:52:40 GMT

Thanks! Thats very helpful. Ill give it a try and post my results.

I do have a question: You note I'm using the same acl for my nat 0 and split tunnel; you suggest I should always use different acl's even if they contain the same entries.

Im guessing you proposed that just so I wouldnt inadvertantly break something by making a change to an ACL that affected 2 things when I really may just want it to be a change for one? Or is there a larger reason that Im missing?

Re: pix - using acls on split tunnel vpn?

m.brentlinger — Fri, 31 Aug 2007 18:05:25 GMT

hum. no such luck, with option2; the following completely blocked all vpn client traffic, and a 'sysopt connection permit-ipsec' is all that would allow it to pass again, though my acl had no effect.

no vpngroup jetvpn split-tunnel sw_vpn_clt_nonat

access-list sw_vpn_clt_acl permit tcp 172.16.0.0 255.255.0.0 192.168.254.0 255.255.255.0

access-list sw_vpn_clt_acl permit tcp 192.168.254.0 255.255.255.0 host 172.16.0.87 eq 1494

access-list sw_vpn_clt_acl permit icmp any any

vpngroup jetvpn split-tunnel sw_vpn_clt_acl

no sysopt connection permit-ipsec

your first option worked great though... thanks very much for all your help

Re: pix - using acls on split tunnel vpn?

acomiskey — Fri, 31 Aug 2007 18:12:25 GMT

Your split tunnel acl that you tried doesn't really make sense. Which network is the remote network? 172.16 or 192.168? You also want to change tcp to ip in the first statement and you should not narrow it down to individual ports like you did in the second statement. The drawbacks of doing it that way I guess.

You have to look at it as not really creating a detailed access-list, all you are doing is defining which hosts you are allowing access to over the tunnel.

Oh, and when you do option 2 you have to leave in the sysopt command!

Glad the first option worked out. Thanks for the rating.