topic Re: Block Outgoing VPN Access in Network Security

Block Outgoing VPN Access

dlitteer — Mon, 11 Mar 2019 10:55:52 GMT

I need to prevent the ability of visitors who connect laptops into the network and access the Internet via VPN client software. I can block regular web browsing through our Websense server, but it does not block users who initiate VPN sessions from inside the network.

Thanks for any help.

Re: Block Outgoing VPN Access

Jesterino — Thu, 09 Aug 2007 15:11:15 GMT

access-list acl_outside deny udp any any eq 500

where acl_outside is your outside access list. This will effectively stop IKE traffic from the VPN peer they are connecting to.

Alternatively, you can apply this to an inside access list, if you have one.

Re: Block Outgoing VPN Access

srue — Fri, 10 Aug 2007 07:53:36 GMT

you need to block *outgoing* connections to udp port 500. It won't do any good to block the incoming connections.

Re: Block Outgoing VPN Access

Jesterino — Fri, 10 Aug 2007 07:59:43 GMT

I'm aware of that. However in the past I have found I had to open port 500 externally on my outside access list to allow VPN connections to be made from inside my network.

Re: Block Outgoing VPN Access

dlitteer — Thu, 16 Aug 2007 12:08:03 GMT

That's the problem. We recently had a visitor that was able to bypass our security policy by connecting to the Internet from a VPN client installed on his laptop from inside our facility. I'm trying to block that in order to prevent that from happening again.

Re: Block Outgoing VPN Access

Jesterino — Thu, 16 Aug 2007 12:27:27 GMT

Correct - the VPN device they are connecting to sends ESP traffic back through your firewall on port 500/udp. I have found by blocking this port the traffic does not come back to the client on my network, which is your desired result.

Re: Block Outgoing VPN Access

rigoberto.cintron — Thu, 16 Aug 2007 13:01:19 GMT

Just block ESP and ISAKMP in your inside interface. That will take care of it.

e.g.

access-list access_inside_in extended deny ip any any 50

access-list access_inside_in extended deny udp any any 500

Re: Block Outgoing VPN Access

Jesterino — Thu, 16 Aug 2007 13:32:07 GMT

Which is something else I mentioned in my first reply!

'Alternatively, you can apply this to an inside access list, if you have one.'

In quite a few cases I have seen no inside access list, which is why I suggested the outside interface first.

Re: Block Outgoing VPN Access

rigoberto.cintron — Thu, 16 Aug 2007 13:56:20 GMT

Actually there is always an ACL apply to inside even if it is.

access-list inside_acces_in extended permit ip any any

Just insert the deny ACL's before the permits.

Re: Block Outgoing VPN Access

Jesterino — Thu, 16 Aug 2007 14:10:27 GMT

Are you sure about that? It works even without an 'access-group inside_access_in in interface inside' config line?

I do not agree with your statement.

Re: Block Outgoing VPN Access

rigoberto.cintron — Thu, 16 Aug 2007 14:21:56 GMT

Any PIX/ASA, FWSM by default will have an acl apply to the inside interface allowing all the traffic unless the user delete the acl and remove the access-group statement in the interface.

Re: Block Outgoing VPN Access

Jesterino — Thu, 16 Aug 2007 14:54:51 GMT

Incorrect.

Interfaces have a security level. The higher the number, the more 'secure' it is.

By default traffic on a higher security level interface is permitted to pass onto a lower security level interface.

This is why traffic on your inside interface (security 100) is automatically permitted to pass onto your outside interface (security 0) unless you apply an access list to it.

Re: Block Outgoing VPN Access

rigoberto.cintron — Thu, 16 Aug 2007 15:50:54 GMT

Anybody that know how the Adaptive Security Algorithm works in the PIX/ASA software knows that traffic from a higher security level will flow to a low security level without acl' or if there is no acl restricting the traffic. Still when you get the device out of the box it come with an acl apply to the inside allowing any traffic. If the device don't have an acl apply to inside it's because the user removed the acl. Which I really don't see a reason to don't have an acl in the inside of a firewall. So normally the most efficient and secure way to block traffic is blocking it in the nearest interface to the source, in this case the inside.

Re: Block Outgoing VPN Access

dlitteer — Thu, 16 Aug 2007 18:23:06 GMT

I don't know very much about this, but there are only two acl's on this device, one for NAT and one for VPN split-tunneling. I would rather block it from the inside and absolutely not effect the external vpn users coming in. Would you guys mind taking a look at the configuration if I add it with the public addresses omitted?

Re: Block Outgoing VPN Access

acomiskey — Thu, 16 Aug 2007 18:28:45 GMT

Rigoberto,

This is not correct...

access-list access_inside_in extended deny ip any any 50

access-list access_inside_in extended deny udp any any 500

It should be...

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

Re: Block Outgoing VPN Access

rigoberto.cintron — Thu, 16 Aug 2007 19:20:11 GMT

Oops

Adam your absolutely right. I've been thinking too much in IP 50 lately. Dan I believe that nobody would mind if you post the config, at least I won't.

Re: Block Outgoing VPN Access

dlitteer — Thu, 16 Aug 2007 20:06:06 GMT

Thanks so much for helping with this. I've attached the config to help clarify. I know the only two acl's on it now are for the outside interfaces only

Re: Block Outgoing VPN Access

acomiskey — Thu, 16 Aug 2007 20:46:48 GMT

Dan,

The 2 acl's you currently have are not for the outside interface. One is for nat exemption and one is for split tunneling. These are for the vpn.

If you want to stop outbound vpn then use the acl config I posted above.

Re: Block Outgoing VPN Access

me19562 — Thu, 16 Aug 2007 22:01:59 GMT

You should move from conduits to ACL's

If you move to ACL's these should be what you need.

access-list access_outside_in extended permit tcp any host X.X.X.X eq 25

access-list access_outside_in extended permit tcp any host X.X.X.X eq 80

access-list access_outside_in extended permit tcp any host X.X.X.X eq 110

access-group access_outside_in in interface outside

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

HTH

Re: Block Outgoing VPN Access

me19562 — Thu, 16 Aug 2007 22:03:54 GMT

And remember to removed the conduits.

e.g.

no conduit permit icmp any any

BTW I forgot the acl for ICMP

access-list access_outside_in extended permit icmp any any

access-list access_outside_in extended permit tcp any host X.X.X.X eq 25

access-list access_outside_in extended permit tcp any host X.X.X.X eq 80

access-list access_outside_in extended permit tcp any host X.X.X.X eq 110

access-group access_outside_in in interface outside

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

HTH