ASA - VPN Filtering / Sysopt connection / Interface ACLs

Private
Level 1

Sorry to rehash a topic that I am sure has been beaten to death multiple times, but I still can't seem to find an exact answer to clarify my understanding on limiting/filtering VPN traffic. So, for ASAs running version 9.+:

For a given site(A), for a Site(A) to Site(B) VPN configuration, with 'sysopt connection permit vpn' enabled (default), for a host(a) on site(A) behind the internal interface at Site(A) to access a host(b) on site(B) behind the internal interface at site(B), besides an ACL (vpnacl) defining interesting traffic from host(a) to host(b) which is applied within the Crypto Map command (.. match address vpnacl):

1) Are any other rules required to permit host(a) to access host(b), including connection initiation from host(a) to host(b)? More specifically, is an interface ACL rule applied to the inside interface at site(A) required (for either return traffic from host(a) to host(b) or initiated traffic from host(a) to host(b))?

2) Can/will any interface ACL rules applied to the inside interface at site(A) govern and/or restrict traffic from host(a) to host(b), whether that is return traffic from host(a) to host(b) or traffic initiated from host(a) to host(b)? I.e., can the interface ACL applied to the inside interface at site(A) be used to restrict traffic from host(a) to host(b) or traffic initiated from host(a) to host(b)? If the interface ACL applied to the inside interface at site(A) has rules but none regarding traffic from host(a) to host(b), and perhaps even an explicit deny ip any/any at the end of the ACL, would host(a) be able to access host(b) (either returning traffic or initiating traffic)?

I had pretty much believed that in order to filter VPN traffic, one could either:
a) Restrict traffic via the 'Interesting Traffic' Crypto Map ACL
b) Utilize VPN filter ACLs
c) Disable the 'sysopt connection permit vpn' configuration by using the 'no' version of the command and then implement rules on the outside interface, inbound direction (IN) (where the VPN tunnel terminates).

I was also under the impression that if the 'sysopt connection permit vpn' is in place, then interface ACLs do not come into play and they have no effect on traffic defined as interesting VPN traffic in the Crypto Map ACL, whether that is return VPN traffic or traffic that initiates the connection between two hosts across a VPN tunnel.

I don't believe I have ever seen a VPN configuration example in the Cisco documentation where the Site-to-Site setup included interface ACL rules for an inside interface permitting (and possibly restricting) traffic from one side to the other (host(a) to host(b) in the example above). That is, these examples never mention that an interface ACL rule is required to permit host(a) to access (or initiate a connection to) host(b) across a VPN tunnel. Here is just one example: http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html

However, I have come across some conversations where it appears as though an interface ACL applied to an inside interface (IN) could/would restrict VPN traffic because interface ACLs are processed/analyzed before Crypto Map ACLs.

Sorry for the long and rehashed question, but I'd like to get clear on this once and for all. Thanks.

3 Replies

Oliver Kaiser
Level 7

1)

sysopt connection permit vpn will only ignore access-lists applied on the interface where you terminate the VPN (outside). Traffic entering the VPN tunnel from your side (inside) has to be permitted using an ACL; sysopt connection permit vpn will not ignore your outbound ACL on your inside interface.

2)

The ACL entry will only match outbound traffic. Since the ASA uses stateful inspection, return traffic will be allowed implicitly.

To filter traffic going from/to the VPN tunnel you have 3 options:

  1. crypto map ACL: define source and destination IPs for the tunnel (interesting traffic)
  2. vpn-filter: stateless filter (return traffic must be permitted explicitly), not recommended
  3. access-list on the outbound interface (e.g. inside) to filter outgoing traffic into the VPN tunnel; access-list on the inbound interface (e.g. outside) to filter inbound traffic from the VPN tunnel

Restrict VPN traffic using ACLs and try not to use sysopt connection permit vpn, since it is not flexible and might lead to issues if you have to restrict access on the TCP/UDP port level later on.

Let me know if that answers your question.

Thank you for your reply. While it makes sense, I am still curious why, for all of the VPN site-to-site documentation and examples that one finds, one never sees (or at least I have not seen) a step in the setup that includes being sure to create the necessary interface ACL rules within the ACL which is applied to the inside interface of the firewall in the IN direction in order to allow the VPN traffic in the first place. So for example, I have never seen it mentioned for VPN site-to-site setups that, after the configuration for the tunnel itself is done, one must also create the following:

Presume that for site(A) from my example above, the typical Site-to-Site configuration items (including the Crypto Map ACL for interesting traffic) are already set up and there is an ACL with a series of rules such that:

- access-list site(A)_inside_in extended permit [Prot] [src] [dst] [svc]
- access-list site(A)_inside_in extended permit [Prot] [src] [dst] [svc]
- access-list site(A)_inside_in extended permit [Prot] [src] [dst] [svc]
- ..etc.
- access-group site(A)_inside_in in interface inside

where none of those rules contain a permit rule from host(a) to host(b) (or any rules with a source/destination of 'any') in my example.

What I am understanding is that after the VPN configuration, one must also set up a rule in the site(A)_inside_in ACL that also permits host(a) to access host(b) across the VPN tunnel via whatever service one wants to allow. If this is the case, then why is it not also an option to limit/filter VPN traffic from host(a) to host(b) using the site(A)_inside_in ACL (I didn't see this listed as one of the options in your #2 above and have never seen it listed as an option when filtering VPN traffic is discussed)? I am thinking that perhaps the idea is that utilizing the site(A)_inside_in ACL would only limit the ability of host(a) to initiate connections to host(b), but it would not limit host(b) from initiating connections to host(a) (because the sysopt connection permit vpn command is enabled). However, if one is able to control (or get into place) rules on the site(B)_inside_in ACL (applied IN to the inside interface at Site(B)) that limit access from host(b) to host(a), then wouldn't utilizing interface ACLs in the IN direction (which are the types of ACLs commonly used to control outbound traffic from an internal network) also be a possible means of filtering VPN traffic?

Although it may seem obvious/implied by the normal functioning of the ASA, I would have expected VPN setup documentation to include a statement similar to the following:

"After the Crypto Map and other VPN configuration items are complete, if you have an existing ACL applied in the IN direction on the internal interface (or other interface from which VPN traffic will be initiated), and if you wish your hosts to initiate a connection to a remote host across the VPN tunnel, you will also need to create rules within that ACL which permit traffic from your local host to the remote host via whichever services you wish to allow, if such rules do not already exist."

Thanks.
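To make the three filtering options from the first reply and the site(A)_inside_in sketch above concrete, here is one site A configuration that shows all three side by side. This is an added example, not configuration from either poster or from Cisco's documentation; the addresses (10.1.1.0/24 at site A, 10.2.2.0/24 at site B, peer 203.0.113.2), the object, ACL, group-policy and transform-set names, and the ports are all assumed. Note that on the ASA CLI the keyword is hyphenated (`permit-vpn`).

```cisco
! Added example (not from the thread). Site A ASA: inside 10.1.1.0/24,
! remote site B 10.2.2.0/24 behind peer 203.0.113.2. All values are assumed.
!
! --- Option a) crypto map ACL: only traffic matching this ACL is ever
! encrypted toward, or accepted from, the site B tunnel ---
access-list VPN_SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
!
! --- Option c) interface ACLs ---
! The inside "in" ACL governs what site A hosts may INITIATE into the tunnel.
! sysopt connection permit-vpn never bypasses this ACL: without the first line
! host(a) 10.1.1.10 cannot open a connection to host(b) 10.2.2.20 even though
! the crypto map ACL would carry the packet. Return traffic for that flow is
! allowed by the stateful connection table, not by a second ACE.
access-list SITEA_INSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 443
access-list SITEA_INSIDE_IN extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 log
access-list SITEA_INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group SITEA_INSIDE_IN in interface inside
!
! Only once the bypass is disabled does the outside "in" ACL govern what
! site B hosts may INITIATE toward site A after decryption.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 22
access-group OUTSIDE_IN in interface outside
!
! --- Option b) vpn-filter: bound to the tunnel's group policy, evaluated
! independently of interface ACLs. ACEs are written with the REMOTE side as
! source and the LOCAL side as destination, and each direction you want must
! be listed explicitly (assumed convention, as described by Cisco for L2L). ---
! host(a) -> host(b):443  (remote port 443 is the "source" in this notation)
access-list VPN_FILTER_SITEB extended permit tcp host 10.2.2.20 eq 443 host 10.1.1.10
! host(b) -> host(a):22
access-list VPN_FILTER_SITEB extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 22
group-policy SITEB_GP internal
group-policy SITEB_GP attributes
 vpn-filter value VPN_FILTER_SITEB
tunnel-group 203.0.113.2 general-attributes
 default-group-policy SITEB_GP
```

In practice you would pick one of the three rather than stack them; they are combined here only so the roles are visible in one place. The point the thread is circling is captured by the two ACL blocks under option c): SITEA_INSIDE_IN alone only constrains connections that host(a) initiates, so if host(b) must also be constrained, either the outside ACL (with the bypass disabled) or the vpn-filter has to carry that rule, and relying on the other site's inside ACL means trusting that site's administrator to keep it correct.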

Considering why it only affects the interface that terminates the vpn tunnel:
From my understanding this is because the ASA handles ACLs before interesting traffic definitions for VPN tunnels. Because inbound traffic can be classified as VPN traffic before the ACL is enforced, it can flag traffic as VPN related and ignore ACLs. Outbound traffic is not classified as VPN traffic before hitting its ACL; therefore permit-vpn cannot work there.

For reference you might wanna check the documentation here

acl placement

In case you are controlling both sites you may also use only outbound ACLs and permit vpn traffic on the interface where you terminate VPNs. IMO that is not a good option since there must be an implicit trust relationship. You trust the other site to have the correct ACL in place.

documentation

I think this is because many examples use security levels and no interface ACLs. Since inside with security-level 100 will always be able to communicate with outside with security-level 0 no ACL is shown in the configuration.