ASA5505 Site-to-site VPN and limiting access - URGENT

lwingerd
Level 1

I'm going to confess limited knowledge up front, so forgive me if I sound like an idiot.  The company I work for has recently started hosting our application for some of our clients; to do this, we are leasing rack space, connections, and hardware in a data center.  We need to send data from our application to an application in our client's data center.  They have an ASA 5505.

Our data center will support site-to-site VPN and nothing else.  Our client finds this unacceptable, citing security and the inability to restrict access to only the small number of servers our application needs to access.  I need to be able to discuss this intelligently and with facts (and, preferably, configuration examples on hand) with their CIO and network staff in the next day or so.

Can the ASA 5505 be configured for a site-to-site VPN with our data center that restricts our application server to accessing a limited set of IP addresses within their network?  If so, can this be accomplished reasonably easily?  Anyone done this?

Thanks,

Leighton Wingerd

4 Replies

andrew.prince
Level 10

To answer your questions:-

Can the ASA 5505 be configured for a site-to-site VPN with our data center that restricts our application server to accessing a limited set of IP addresses within their network? - YES

If so, can this be accomplished reasonably easily? - YES

Anyone done this? - YES

Supply some more information.

HTH

Hi Andrew,

Thanks for the reply.  I don't have access to the specific configuration of the two appliances (one is under the control of the data center from whom we are leasing equipment and support, and the other is under the control of our client), so it's hard for me to supply much more information, but I will try.

Our server is running in a data center, and the client currently accesses the application via Terminal Services RemoteApp.  Our application needs to share data with an application running at our client's site via an ODBC connection to an Oracle database - in other words, from the server in our data center we need to be able to access one IP and a limited number of ports in the client's network.  I'm operating on several assumptions, one of which is that the people who actually have access to the configuration know how to set up a basic site-to-site VPN between them (I'm certain they have a better idea about it than I do at this point).  I'm also assuming that most of the configuration for limiting access from our data center will be done on our client's ASA5505 and not at the data center side.  Suppose that the data center address is 1.2.3.4, the internal address of the db server we need to access is 192.168.1.2, and that we would need to open port 1521.  What would I need to tell the tech to add to the configuration to allow access to this one server, on this one port, from this one address, and allow no access to anything else from this address?

Just as important, does this open up any areas of concern for data privacy?  We do intend to use SSL/TLS for the database connection.

Thanks,

Leighton Wingerd

Leighton,

The issue sounds complicated - but is actually simple.  Remember a VPN secures the transmission from site A to site B over an insecure medium - the internet.  As such you can DEFINE the traffic that will traverse the VPN; you also DEFINE the traffic that will initiate the VPN tunnel in the first place.  With those statements said - using your supposed information you would create the interesting traffic as the exact traffic you want to allow over the vpn:-

access-list datacentre_2_client permit tcp host 1.2.3.4 host 192.168.1.2 eq 1521

And you would use the same ACL to define what can traverse the traffic.  However I know for a fact that an Oracle ODBC connection uses more than one TCP port!!!!

Data privacy is something else, for which your client needs to define requirements.  An SSL connection is fine and dandy - you will just be encrypting the traffic twice!!!
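
The reply above gives the crypto ACL but not the rest of what the client's ASA would need. The following is an added illustration of the full client-side configuration that restricts the tunnel to the one host and port Leighton describes; it is not config from the thread, from Cisco, or from either party's appliance. It assumes ASA 8.2-style syntax with IKEv1 (what a 5505 of that era typically ran), interface names `inside` and `outside`, and the addresses from the thread (192.168.1.2 for the Oracle host, 1.2.3.4 for the data-center server); the data-center VPN gateway 203.0.113.1, the pre-shared key, and every ACL, group-policy and crypto-map name are constructed placeholders.

```cisco
! Client-side ASA 5505, 8.2-style syntax, IKEv1 site-to-site. Constructed example.
!   192.168.1.2  = client's Oracle DB host (from the thread)
!   1.2.3.4      = data-center application server (from the thread)
!   203.0.113.1  = data-center VPN gateway (placeholder, assumed)
!   inside/outside = assumed interface names

! 1. Crypto ACL (interesting traffic), written from THIS ASA's point of view:
!    local host -> remote host. Only this pair ever enters the tunnel; the
!    data-center side must configure the exact mirror image or phase 2 fails.
access-list L2L_CRYPTO extended permit ip host 192.168.1.2 host 1.2.3.4

! 2. NAT exemption so the DB host keeps its real address inside the tunnel.
access-list NONAT extended permit ip host 192.168.1.2 host 1.2.3.4
nat (inside) 0 access-list NONAT

! 3. Port restriction via vpn-filter. A vpn-filter ACL is evaluated with the
!    REMOTE side as source and the LOCAL side as destination, for both
!    directions of a flow, so the port belongs on the local (destination) host.
!    Add one permit line per additional Oracle port the DBA identifies.
access-list L2L_FILTER extended permit tcp host 1.2.3.4 host 192.168.1.2 eq 1521
! Implicit deny: anything else from 1.2.3.4 is dropped even though it matched
! the crypto ACL and was decrypted.

group-policy DATACENTRE_GP internal
group-policy DATACENTRE_GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value L2L_FILTER

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy DATACENTRE_GP
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK

! 4. IKE phase 1, IPsec phase 2 and the crypto map that ties it together.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

Two points a practitioner would check before trusting this to "allow no access to anything else". First, the crypto ACL alone is a weaker control than it looks: by default `sysopt connection permit-vpn` is enabled, so decrypted tunnel traffic bypasses the outside interface ACL entirely, which is why the port restriction lives in the `vpn-filter` (the alternative is `no sysopt connection permit-vpn` and an explicit outside ACL). Second, the crypto ACL here is host-to-host and the port lives only in the filter, so the peer's crypto ACL needs to mirror only the two hosts, while the filter stays a local decision on the client's appliance. `show crypto ipsec sa` should then show a single SA for the 192.168.1.2/1.2.3.4 pair, and `show access-list L2L_FILTER` shows hit counts on the permitted port and nothing else.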

Andrew,

Thanks for your quick and complete answer, as much for the knowledge as for the reassurance that what we are trying to do is not unreasonable.  I know I'll need to have them open more than 1521; it was just the only one I could recall off the top of my head.

The data privacy is a FERPA issue (our client is a university), so we're pretty clear on what is being protected.

Thanks again,

Leighton Wingerd