block access on a site to site vpn

ronshuster
Level 1

I have a site-to-site VPN (between two ASAs) which works just fine; however, we want to have control over:

1) the ability to bring up the VPN tunnel only if one site initiates traffic. If that site does not initiate traffic, the tunnel should not come up.

2) the ability for one site to access resources from the other site but not vice versa.

Any ideas?

23 Replies

tstanik
Level 5

To make the VPN come up only when one site is initiating traffic, you will need to configure the crypto ACL accordingly. The ability for only one site to access resources from the other can also be configured by applying proper filters. The following links may help you:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080656460.html

I'm trying to accomplish the same thing as ronshuster, but have not had any success. I didn't see much about VPN filters from the links above. There was some information on VPN filters here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

But I'm still not able to create the desired effect. The bi-directional explanation on that page is confusing. What I would like to be able to do is something like this:

access-list 100 extended permit ip

access-list 100 extended deny ip

And then apply that ACL as a VPN filter to my site-to-site VPN connection. The link above talks about the remote subnet always being specified first when doing VPN filter ACLs, so I'm not sure that the above example is valid. When I try to do the above, traffic seems to be blocked in both directions.

To reiterate the desired setup:

Site-to-site VPN connection between my office and a client site. The connection should allow traffic to flow freely from everyone on my office subnet to the client subnet. But traffic should be blocked in the reverse direction (client subnet -> my subnet should not be allowed). Is this possible with VPN filter ACLs? If so, can someone provide an example?

Hi Matthew,

This is what you need to add on the side that will initiate traffic:

ciscoasa(config)# crypto map outside_map 2 set connection-type originate-only

The set connection-type originate-only is to be applied on the side that wants to originate the traffic; no further commands need to be added on the Houston side.

I have yet to find the answer to the other point; please let me know if you figure it out.

You have two options on restricting the traffic.

1. Remove sysopt connection permit-ipsec or sysopt connection permit-vpn, depending on your version. Then write the access rules in your regular interface ACLs.

2. Apply a vpn-filter to the group policy of the tunnel-group. This doc explains how to do it for a remote access VPN, but it is the same for LAN-to-LAN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

I would rather not do option 1, as it would complicate rule setups for other VPN connections in my configuration (and increase the likelihood that I mess something up and expose a security hole).

I can follow the examples for dial-up/remote access VPN connections, but nothing translates into a working configuration for my site-to-site VPN. First, there are no examples given of any deny rules; all the examples in that doc are:

access-list xyz permit ip any

When dial-up users are connected to my VPN, I can ping their pool IP from my internal subnet. So the analogy of what I'm trying to accomplish with site-to-site would be: allow dial-up users full access to the internal subnet, but prevent the internal subnet from being able to access the dial-up user. I've yet to see an example demonstrating this.

When I try:

access-list xyz permit ip

access-list xyz deny ip

and apply those rules as a vpn-filter to the group policy of the tunnel group for my site-to-site VPN, it ends up blocking traffic in both directions. Without those policies, I've tested the VPN connection and it works fine in both directions (client -> me, me -> client). But as soon as I try to block the client -> me traffic, it also kills traffic going the other direction. I'd love to see an actual working example of this.
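The "blocked in both directions" symptom above follows from how the ASA evaluates a vpn-filter: the Cisco documentation the poster found confusing says the ACL is written with the remote network as source and is applied to both directions. The Python model below is an added example, not code from the thread or from Cisco; it encodes that behaviour and runs the thread's two scenarios plus a port-specific filter. The subnets are constructed (chosen to match the addresses in the 106001 log line quoted later in the thread), and since the poster's addresses are elided, the TRIED ACL assumes the ordering that reproduces the reported symptom.

```python
"""Model of how an ASA evaluates a LAN-to-LAN vpn-filter ACL (added example).

Per the Cisco vpn-filter documentation: ACEs are written with the REMOTE network
as source and the LOCAL network as destination, matching is first-match with an
implicit deny, and one ACL applies to both directions.  For a packet leaving the
local LAN toward the tunnel the ASA swaps source and destination (addresses and
ports) before matching, so 'deny ip LOCAL REMOTE' can never match anything.
Only a flow's first packet is checked; the rest is tracked statefully.
"""
import ipaddress

# Constructed subnets, chosen to match the 106001 log line quoted in the thread.
LOCAL = ipaddress.ip_network("192.168.1.0/24")    # "my office"
REMOTE = ipaddress.ip_network("172.16.10.0/24")   # client site


def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-list entry; a port of None means any port, otherwise 'eq'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def permits(acl, proto, src, sport, dst, dport):
    """True if the vpn-filter lets the initial packet of this flow through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL:  # pre-encryption direction: evaluate with remote as source
        src, sport, dst, dport = dst, dport, src, sport
    for e in acl:
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and e["sport"] in (None, sport) and e["dport"] in (None, dport)):
            return e["action"] == "permit"
    return False  # implicit deny at the end of every ACL


# The thread's attempt, with the elided addresses in the order that reproduces
# the reported symptom: the permit never matches, the deny always does.
TRIED = [ace("permit", "ip", LOCAL, REMOTE), ace("deny", "ip", REMOTE, LOCAL)]
# A plain 'permit ip' written remote-first opens both directions.
OPEN = [ace("permit", "ip", REMOTE, LOCAL)]
# Port-specific filter: local hosts may open RDP to the client site, the client
# site cannot open anything to the local LAN, except (bidirectional caveat from
# the Cisco example) connections whose source port happens to be 3389.
ONE_WAY_RDP = [ace("permit", "tcp", REMOTE, LOCAL, sport=3389)]

LOCAL_TO_REMOTE = ("tcp", "192.168.1.2", 2824, "172.16.10.13", 3389)
REMOTE_TO_LOCAL = ("tcp", "172.16.10.13", 2824, "192.168.1.2", 3389)

if __name__ == "__main__":
    for name, acl in (("TRIED", TRIED), ("OPEN", OPEN), ("ONE_WAY_RDP", ONE_WAY_RDP)):
        print(f"{name:12} local->remote={permits(acl, *LOCAL_TO_REMOTE)}"
              f"  remote->local={permits(acl, *REMOTE_TO_LOCAL)}")
```

The model shows why a `permit ip` vpn-filter can never be one-way, while a TCP or UDP ACE with a port on the remote side constrains which end can open a connection, subject to the source-port caveat in the last scenario.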

Yes, option 1 is uglier. I believe the vpn-filter ACL is applied to the outside interface, so in your case it would not help. I thought you were trying to limit the access from the VPN client, but you actually want to limit the access to the VPN client. It also doesn't help to put in the two ACLs you tried, because the internal subnet would never be the source since the filter is applied to the outside interface.

The easiest way to do that would be to create an ACL applied to your inside interface:

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

sticano
Level 1

You can create a dynamic map on the side that you do not want to initiate traffic from. The other side will then be able to kick off the tunnel, while the dynamic side cannot. Coupled with the filter, you should be all set.

Unfortunately, there isn't a Cisco router/firewall on my client side, so my options are limited there.

I think there was some confusion in the previous post also. I am trying to limit access FROM the VPN client - in other words, no one at my client side should be allowed to access my network. Access TO my client site from my network should be allowed across the VPN.

The whole idea is to have a one-way VPN connection to my client site, so I can freely access things at my client site from my office, but the reverse is not allowed.

The idea for the inside policy rule seemed intriguing, but it didn't seem to work. As soon as I put it in place, traffic in both directions was blocked again. I tried the rule the other way too (because it seemed backward to me), but that caused traffic to be blocked in both directions also:

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

OK, I think I found a potential solution, but I'm not 100% pleased with it...

I went back to the original/normal site-to-site VPN where both sides could freely access each other (client->me and me->client traffic both work). This is pretty much the standard site-to-site VPN shown in examples. The suggestion of adding this rule on my end:

access-list inside extended deny ip any

blocks things in the wrong direction (kills my access to the client). Instead, I created a similar rule *on my client's* firewall. Now, there isn't a Cisco there, but the rule is equivalent to:

access-list inside extended deny ip any

Now, from my internal subnet, I can still freely access the client subnet (me->client traffic). But the rule on their side prevents them from accessing me (client->me is blocked by their firewall).

The downside to this approach is that I have to trust them to keep that rule in place. If they decide they want to access my network over the VPN, they can simply disable that rule without my knowledge.

So ideally, I would still love it if there was a way to enforce the one-way VPN traffic restriction on my end. I think we've been getting close to a good solution with this thread... we just haven't hit it yet. Keep the suggestions coming!

Has anyone found a proper solution for this issue?

It seems that when I apply VPN filters to allow everything from the client side, they apply correctly. But I cannot access the client side from my LAN at all.

I keep receiving this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Anyone?

I have yet to find an answer to my original question, that is: my site-to-site VPN is working; however, all devices on one side can access all devices on the other and vice versa.

I have an object-group defined with all the private networks on each end, i.e.:

access-list TUNNEL1 extended permit ip object-group INSIDE_NETWORK object-group OUTSIDE_NETWORK

crypto map outside_map 2 match address TUNNEL1

Now that it is fully open (and working), I need to restrict specific segments (in the object-groups) from accessing specific segments on the other side of the tunnel.

How is this done?

Join the club...