Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
0
Helpful
4
Replies

VPN traffic between interfaces

fsebera
Level 4
Level 4

‎06-13-2011 12:26 PM - edited ‎03-11-2019 01:44 PM

Our ASA 5520 firewall is running 8.0(4) IOS.

I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.

With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.

The security level on the ENG interface is set at 50.

The security level on the destination interface PRODUCTION is set at 40.

:

Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).

:

Could I get a sanity check on this setup?

To me, this design seems flawed.

All comments are welcomed - PLEASE..

:

Tks

Frank

Labels:
0 Helpful
4 Replies 4

mile.ljepojevic
Level 1
Level 1

‎06-13-2011 02:18 PM

Not sure if I am 100% right, but VPN is considered "trusted" so configured security levels on remote ASA will have little effect.

What you can do is easy:

first:

As protected traffic, do not specify anything you do not want to go across.

If there are port and protocols involved, you can create VPN filter (ACL) that works in both way, so that can add additional layer of security.

0 Helpful

mile.ljepojevic
Level 1
Level 1
In response to mile.ljepojevic

‎06-13-2011 05:41 PM

Also, access-group configured on interface that doesn't terminate VPN (e.g. inside) configured in OUT direction, can deny traffic. so you can place them if you want to protect parts of your network.

0 Helpful

fsebera
Level 4
Level 4
In response to mile.ljepojevic

‎06-14-2011 05:46 AM

I noticed that when I added a new L2L VPN, the firewall IOS automatically created an ACL; is this the "VPN filter" you are referring to in your first response?

:

Is there any difference between the VPN filter ACL and a normal interface ACL other than where they are applied and the VPN filter encrypts permitted egress traffic?

:

Thanks again

Frank

0 Helpful

mile.ljepojevic
Level 1
Level 1
In response to fsebera

‎06-14-2011 07:36 AM

Not quite...

There are several access-lists, that has completely different roles...

ACL that you use on your crypto map: that is used to define protected traffic (traffic that should be transported through the tunnel)

ACL2 that you can use for VPN-filter:

access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.217 eq 3389

access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.136 eq 3389

group-policy RDP attributes

vpn-filter 105

This way, I used another access list to allow only RDP to my hosts from 172.29.255.0 network

ACL3 can be used on your inside interface, for traffic going to your inside network (interface inisde direction out) where you can allow which traffic will you allow into your network. That will apply for VPN and non-VPN traffic.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card