Restrict Site-To-Site Access.

Soeren Rosiak
Level 1

Hi there.

Got a very simple Site to Site VPN setup.

LAN1, 172.16.0.0/24 |----ASA-----------------| INTERNET |-----------------ASA----|192.168.0.0/24, LAN2

Is it somewhat possible to restrict access from LAN1 -> LAN2 over VPN?

How is this done? And on which unit is the ACL placed? Both ends?

Say I have HostA on LAN1 that wants to access HostB on LAN2 on port 80.

And say I have HostB on LAN2 that wants to access HostA on LAN1 on port 443.

By default, as far as I know, all access is allowed.

Thanks!

9 Replies

Jan Rolny
Level 3

Hi,

Yes, it is possible to limit access, but it depends on how your ASA is configured. I think by default the option "sysopt connection permit-vpn" is enabled, so any traffic passed through the tunnel and decrypted on the remote site is allowed and bypasses ACL control.

If you disable this option, traffic starts being controlled by the ACLs defined in your ASA boxes.

Also, the "interesting" traffic which should be encrypted and pass through the tunnel is specified in the crypto map.

Please see this link which describes the sysopt option:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html

Best regards,

Jan

Hi Jan.

ATM the crypto map is just basic:

access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks

Would the best solution be to only allow the specific traffic in the crypto map ACL, if this is possible at all?

Or to have a separate VPN-FILTER acl?

Regards,

Søren

Hi Søren,

Because there are mostly problems with configuring L2L tunnels, and the crypto map and other things must match to establish the IPsec tunnel, I would leave your crypto map simple.

You can use VPN-FILTER, but I would disable sysopt connection permit-vpn and then create an ACL for the specific traffic.

HTH,

Jan

Hi Jan.

Great that was my initial thought.

But I'm not sure how to implement this ACL.

I've read in some places that the ACL needs to be placed on the "outside" interface?

And I've read in other places that it needs to be placed under the tunnel-group?

Here is my config if that may help:

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.3 255.255.255.0
!
object-group network all_networks
 network-object 172.16.0.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
object-group network inside_networks
 network-object 172.16.0.0 255.255.255.0
object-group network remote_networks
 network-object 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip object-group inside_networks object-group all_networks
access-list outside_1_cryptomap extended permit ip object-group inside_networks object-group remote_networks
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key xxxxx

Of course edited from the real config.

Hi Søren,

You already have an ACL applied on the outside interface with this command:

access-group outside_access_in in interface outside

And the ACL is:

access-list outside_access_in extended permit icmp any any

In this case you have permitted just ping.

So when you add the next rules in ACL outside_access_in which will match the traffic in your L2L tunnel, it should work.

Regards,

Jan

Hi Jan.

I'm aware of that, it's just that Cisco's site states the following:

"An ACL that is used for a vpn-filter must not also be used for an interface access-group."

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,

Søren

Yes, you are right, but I am talking about a normal ACL without using vpn-filter and with sysopt disabled.

So if you want to use vpn-filter, do it like the document describes.

Regards,

Jan

Hi Jan.

Ah okay.

So it would actually be possible to use my outside_access_in to define VPN traffic with the sysopt disabled?

Regards,

Søren

Hi Søren,

Yes, it is possible to use your existing ACL. Please notice that traffic from LAN1 to LAN2 has to be denied on ASA2, and also if you want to limit traffic from LAN2 to LAN1 you have to modify the ACL on ASA1, because it is incoming traffic from outside to inside.

Regards,

Jan

Please rate my posts if you consider they are helpful
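A worked example of the approach Jan describes (sysopt disabled, interface ACLs on both boxes), added here as an illustration; it is not config from this thread or from Cisco. It uses the same 8.2-style syntax as the posted config and assumes HostA is 172.16.0.10 and HostB is 192.168.0.20, and that ASA2 (outside 1.1.1.1) mirrors ASA1's interface names and has an outside_access_in ACL of its own; all three are placeholders.

```cisco
! ==== ASA1 (LAN1 side: inside 172.16.0.0/24, outside 2.2.2.3, peer 1.1.1.1) ====
! Decrypted tunnel traffic no longer bypasses the outside interface ACL
no sysopt connection permit-vpn
!
! Existing rule from the posted config, kept as is
access-list outside_access_in extended permit icmp any any
! LAN2 -> LAN1: only HostB (assumed 192.168.0.20) to HostA (assumed 172.16.0.10) on 443
access-list outside_access_in extended permit tcp host 192.168.0.20 host 172.16.0.10 eq 443
! Any other decrypted traffic from LAN2 falls through to the implicit deny
! (this access-group line is already present in the posted config)
access-group outside_access_in in interface outside
!
! ==== ASA2 (LAN2 side: inside 192.168.0.0/24, outside 1.1.1.1, peer 2.2.2.3) ====
no sysopt connection permit-vpn
!
! LAN1 -> LAN2 is enforced here, on the box where that traffic is decrypted:
! only HostA to HostB on 80
access-list outside_access_in extended permit tcp host 172.16.0.10 host 192.168.0.20 eq 80
access-group outside_access_in in interface outside
!
! Check on either box that sysopt is off and the new entries have hit counters
show running-config sysopt
show access-list outside_access_in
```

Return traffic for a permitted connection is allowed by the stateful inspection, so no mirror rule is needed in the opposite direction, and the crypto ACL stays as the full network pair so tunnel negotiation is unchanged. Keep in mind that outside_access_in also governs non-VPN traffic arriving on the outside interface, so anything else it needs to permit must be listed explicitly.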
