Our ASA 5520 firewall is running 8.0(4) IOS.
I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.
With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.
The security level on the ENG interface is set at 50.
The security level on the destination interface PRODUCTION is set at 40.
Inbound VPN traffic bypasses the ENG interface ACL, and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODUCTION interface and set at INBOUND (outbound VPN traffic).
Could I get a sanity check on this setup?
To me, this design seems flawed.
All comments are welcome - PLEASE.
Not sure if I am 100% right, but the VPN is considered "trusted", so the security levels configured on the remote ASA will have little effect.
What you can do is easy:
As protected traffic, do not specify anything you do not want to go across.
If there are ports and protocols involved, you can create a VPN filter (ACL) that works in both directions, which adds an additional layer of security.
Also, an access-group configured on an interface that doesn't terminate the VPN (e.g. inside), in the OUT direction, can deny traffic, so you can place one there if you want to protect parts of your network.
I noticed that when I added a new L2L VPN, the firewall IOS automatically created an ACL; is this the "VPN filter" you are referring to in your first response?
Is there any difference between the VPN filter ACL and a normal interface ACL other than where they are applied and the VPN filter encrypts permitted egress traffic?
There are several access-lists that have completely different roles:
ACL1, the one you use on your crypto map: that is used to define protected traffic (traffic that should be transported through the tunnel).
ACL2, the one you can use for the VPN filter:
access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.217 eq 3389
access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.136 eq 3389
group-policy RDP attributes
 vpn-filter value 105
This way, I used another access list to allow only RDP to my hosts from the 172.29.255.0 network.
ACL3 can be used on your inside interface, for traffic going to your inside network (interface inside, direction out), where you can define which traffic you will allow into your network. That will apply to VPN and non-VPN traffic.
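Putting the three ACLs from the reply above into one ASA 8.0 configuration fragment, as an added example that is not config from the thread or from Cisco documentation. It reuses the asker's interface names ENG (tunnel termination, level 50) and PRODUCTION (level 40), and the remote LAN 172.29.255.0/24 and RDP hosts from the reply; the peer address 192.0.2.10, the local subnet 10.1.50.0/24, and the names of the crypto map, transform set, tunnel-group and access-lists are assumptions. ISAKMP/IPsec parameters are kept minimal so the ACL roles stand out:

```cisco
! Added example (not the original poster's config). Names and addresses
! other than ENG, PRODUCTION, 172.29.255.0/24, 10.1.50.217 and 10.1.50.136
! are assumed for illustration.

! ACL1 - crypto map ACL: defines the protected traffic, i.e. what enters the
! tunnel and gets encrypted. Nothing outside this match ever crosses the VPN,
! so keep it as narrow as the remote site actually needs.
access-list L2L_ENG extended permit ip 10.1.50.0 255.255.255.0 172.29.255.0 255.255.255.0

! ACL2 - vpn-filter ACL: written from the remote side's point of view
! (source = remote network, destination = local host). The ASA evaluates it
! for traffic in both directions of the tunnel, so it restricts what the
! remote site can reach AND what local hosts can initiate towards it.
access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.217 eq 3389
access-list 105 extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.136 eq 3389

group-policy RDP internal
group-policy RDP attributes
 vpn-filter value 105

! Bind the group-policy (and therefore the filter) to this L2L peer.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy RDP
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <shared-secret>

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ENG_MAP 10 match address L2L_ENG
crypto map ENG_MAP 10 set peer 192.0.2.10
crypto map ENG_MAP 10 set transform-set ESP-AES-SHA
crypto map ENG_MAP interface ENG

crypto isakmp enable ENG
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! ACL3 - interface ACL on PRODUCTION in the OUT direction (traffic leaving the
! ASA towards the PRODUCTION network). "sysopt connection permit-vpn" only
! bypasses the ACL on the interface where the tunnel terminates (ENG, inbound);
! ACLs on other interfaces still apply, to VPN and non-VPN traffic alike.
access-list PROD_OUT extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.217 eq 3389
access-list PROD_OUT extended permit tcp 172.29.255.0 255.255.255.0 host 10.1.50.136 eq 3389
access-list PROD_OUT extended deny ip any any log
access-group PROD_OUT out interface PRODUCTION

! Alternative to the per-tunnel filter: stop decrypted VPN traffic from
! bypassing the ENG inbound ACL at all. This is all-or-nothing for every
! tunnel on the box, which is why vpn-filter is usually the cleaner choice.
! no sysopt connection permit-vpn
```

Two practical notes. First, because the vpn-filter ACL is matched with source and destination swapped for connections that the local side initiates, the two entries above also let 10.1.50.217 and 10.1.50.136 talk back to the remote network only from their own TCP port 3389; if a local host needs to open a new connection to the remote site, add an entry with the remote port as the ACL's source port and the local host as the destination. Second, `show vpn-sessiondb detail l2l` shows which group-policy and filter a tunnel picked up, which is the quickest way to confirm the filter is actually attached to the peer rather than sitting unused in the config.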