03-28-2013 11:05 AM - edited 02-21-2020 06:47 PM
Hi Guys,
Perhaps I could research this and find an answer myself, but this is kind of urgent. Hopefully someone can help me, and I'll do further research afterwards.
Here's the scenario:
We have a set of PCs that will be connecting via either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 running 8.2(3). The interfaces on this ASA don't have access lists applied, so from what I understand, there is a default policy applied globally (class-default).
Now my question is: If we set up vpn clients on our pc, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default? Or is there anything we need to do other than the ones I've mentioned?
Thanks in advance.
03-28-2013 11:29 AM
Class-default is used to "inspect" traffic. By default it will not block "anything".
1- If you configure the VPN, the ASA will accept connections for the protocols and ports needed on the interface where you enable the VPN ("isakmp enable outside").
2- The clients connecting to the VPN will have full access to whatever network you specify in the split tunnel, or to all networks if you don't configure split tunnel. This is the default behavior.
You can change that with "no sysopt connection permit-vpn" - if you apply this command, all traffic, including VPN traffic, will be evaluated by the access-list of the interface where the packet is coming in.
The best way to filter what they can access within the VPN, without the need to use an interface access-list, is to use a VPN filter.
This is in the group-policy mode configuration.
vpn-filter value [access-list name]
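As an added configuration example (not part of the original reply), this is how the vpn-filter mentioned above is wired into a group-policy on an ASA. The ACL name VPN-USER-FILTER, the client pool 10.10.10.0/24, the inside subnet 192.168.1.0/24 and the host 192.168.1.25 are constructed placeholders:

```cisco
! Constructed example: the filter ACL is written from the remote client's
! perspective (source = VPN client address, destination = internal resource).
! The ASA evaluates it for both directions of the tunnel, and it ends with an
! implicit deny, so list only what the remote users actually need.
access-list VPN-USER-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq https
access-list VPN-USER-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.25 eq 3389
access-list VPN-USER-FILTER extended deny ip any any
!
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-filter value VPN-USER-FILTER
!
! The alternative described in the reply: stop exempting decrypted VPN traffic
! from the interface ACL, so it is checked by the outside access-list instead.
! no sysopt connection permit-vpn
```

The two approaches are independent: a vpn-filter restricts each group-policy on its own, while removing sysopt connection permit-vpn makes every tunnel subject to the interface ACL, which then has to carry rules for the VPN address pool as well.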
03-28-2013 02:31 PM
Okay, so my question goes like this: does the class-default inspect IPsec remote access or SSL VPN remote access? Just like ICMP, which by default is not inspected, so if you don't tweak the class-default it wouldn't allow ICMP on the data plane, right? The devices behind our firewall are the VPN clients, which connect to the VPN server on the other site.
03-30-2013 01:53 AM
Hi,
If we look at the transport level, which seems the issue for you, we see:
Traffic originating from IPsec VPN clients is UDP and ESP, and can turn into ESP over UDP if PAT exists on the way to the VPN gateway.
Traffic originating from SSL VPN clients is TCP and UDP.
Assuming your clients are on the inside, the VPN traffic should be inspected by default unless you have some custom access rules that change the behaviour.
Hope this helps.
------------------
Mashal Alshboul
03-30-2013 01:54 PM
Thanks. We don't have custom access rules on any interface. We were also able to test, and the VPN connection is using SSL VPN (clientless, using a web browser), and it worked.
So if it's using SSL VPN on a web browser, let's say there are custom access rules, which ports are we going to open up?
03-31-2013 12:13 AM
"So if it's using SSL VPN on a web browser, let's say there are custom access rules, which ports are we going to open up?"
All traffic over an SSL VPN will go over the HTTPS port (443); even if you are using a Java applet to allow RDP, etc., all of the traffic will traverse via the HTTPS port.
Hope that I could answer your query.
Regards
03-31-2013 01:06 PM
If you are connecting from inside to outside, no ports need to be opened, since that connection will be trusted.
For the RA IPsec users, make sure they use NAT-T, since the FW will not NAT the ESP packets.
WebVPN uses TCP 443, so it will be considered a normal TCP connection.
HTH.
Portu.
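As an added example (not from any of the posters), this is what an inside-interface ACL would need to permit for the clients behind the ASA if a custom access-list were applied there, using the protocols named in the thread: UDP 500 and 4500 plus ESP for RA IPsec, and TCP 443 for the SSL VPN. The client subnet 192.168.10.0/24, the remote VPN gateway 203.0.113.10 and the ACL name INSIDE-IN are constructed placeholders:

```cisco
! Constructed example: once any ACL is bound to the inside interface, the
! implicit permit from higher to lower security level no longer applies, so
! the VPN protocols must be listed explicitly. Restricting the destination
! to the known remote gateway keeps the rule set to least privilege.
access-list INSIDE-IN extended permit udp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq isakmp
access-list INSIDE-IN extended permit udp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq 4500
access-list INSIDE-IN extended permit esp 192.168.10.0 255.255.255.0 host 203.0.113.10
access-list INSIDE-IN extended permit tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq https
! other outbound rules for the site go here; everything else is implicitly denied
access-group INSIDE-IN in interface inside
```

With NAT-T in use, as the previous reply recommends, the IPsec clients' ESP is encapsulated in UDP 4500, which the second line covers; the plain ESP line is only needed if the clients are not being translated and negotiate native ESP.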