Block unsolicited inbound traffic through L2L VPN on ASA5505

cbalmer
Level 1

I have a working L2L between two locations. Location A and Location B.

Location A: 172.16.16.0/24

Location B: 192.168.0.0/24

I would like to block anything inbound to Location A from Location B that isn't initiated from Location A. The block should be done on the ASA5505 at Location A. Location B uses an ISR G2 router.

i.e. Location A can start an SSH session to a server in Location B

Location B cannot start an SSH session to a server in Location A

I tried using a VPN filter on the ASA5505, but it isn't stateful; I cannot pass any traffic when using it.

Config on my ASA:

access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list block-vpn-to-local extended permit ip any any
crypto map vpn 100 match address vpn-traffic
crypto map vpn 100 set peer locationB-public-IP
crypto map vpn 100 set transform-set esp-aes256-sha
crypto map vpn interface outside
group-policy block-vpn-to-local-policy internal
group-policy block-vpn-to-local-policy attributes
 vpn-filter value block-vpn-to-local
 vpn-tunnel-protocol IPSec
tunnel-group locationB-public-IP type ipsec-l2l
tunnel-group locationB-public-IP general-attributes
 default-group-policy block-vpn-to-local-policy
tunnel-group locationB-public-IP ipsec-attributes
 pre-shared-key *****

I also have an AnyConnect VPN setup for the ASA5505 and it is running 8.2(5). Any tips?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Unless you already have a high amount of VPN connections in use, there's also another option other than the VPN Filter ACL.

You can globally change the setting "sysopt connection permit-vpn" (the default setting is that this is enabled).

If you change this setting to "no sysopt connection permit-vpn", every connection coming from the remote site will require an ACL rule on the interface ACL which terminates the VPN. And that is usually the "outside" interface.

I find it's an easy and a lot clearer way of building ACL rules for the VPN connections also, although the "outside" ACL would now include both VPN and Internet traffic related rules. Still, it beats the use of VPN Filter ACL if you ask me.

The downside of trying to enable this later on is the fact that if you didn't have any restrictions between VPN and LAN connections, you would now have to determine what needs to be opened before you change the global settings so that connections don't stop working.

Here is the section of the ASA 8.2 Command Reference for the command/setting I am talking about:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364

If you want to go with VPN Filter ACLs, then follow the earlier post's instructions while building ACL rules.

- Jouni
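What the accepted solution looks like as configuration, written here as an added example rather than Jouni's or the poster's own config. The interface name "outside" and the ACL name "outside_access_in" are assumptions; note that the change also affects the AnyConnect users the poster mentions, whose decrypted traffic becomes subject to the same interface ACL.

```cisco
! Added example, not taken from the thread. Names outside / outside_access_in
! are assumptions; adjust to the ACL already bound to the VPN-terminating interface.
!
! Default (weak for this requirement): decrypted VPN traffic bypasses the
! interface ACL entirely, so nothing on "outside" can stop B -> A.
!   sysopt connection permit-vpn
!
! Corrected: decrypted traffic from every tunnel (L2L and AnyConnect alike)
! must now match the ACL on the interface that terminates the VPN.
no sysopt connection permit-vpn
!
! Unsolicited B -> A traffic would already hit the implicit deny; an explicit
! deny with "log" makes blocked attempts visible in syslog (%ASA-4-106023).
access-list outside_access_in extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0 log
access-group outside_access_in in interface outside
!
! Nothing is needed for A -> B: replies to connections opened from Location A
! are matched against the connection table, not against this ACL.
```

Existing Internet-facing rules on the same interface stay in outside_access_in, which is the mixing of VPN and Internet rules Jouni points out.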


5 Replies

Hi,

The ACL for VPN filter works a bit differently than a normal access-list. If you want to accept SSH from location A->B:

access-list vpn-traffic extended permit tcp 192.168.0.0 255.255.255.0 eq ssh 172.16.16.0 255.255.255.0

and deny from B->A:

access-list vpn-traffic extended deny tcp 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0 eq ssh

You should always put the destination LAN IP/subnet first and then the source LAN IP/subnet; you only change the port position.

regards

Hubert
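A small model of how the ASA evaluates a vpn-filter ACL, added here as an example and not part of any post in the thread. It encodes the rule Hubert describes (entries are written remote network first, and packets leaving the local LAN are matched with source and destination swapped) and runs the poster's original filter and Hubert's SSH filter against constructed sample packets, which shows why the original filter blocked everything.

```python
from ipaddress import ip_network, ip_address

REMOTE = ip_network("192.168.0.0/24")   # Location B, the VPN peer side
LOCAL = ip_network("172.16.16.0/24")    # Location A, behind the ASA

def ace(action, proto, src, sport, dst, dport):
    """One vpn-filter entry; None means 'any' for a network or port."""
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport)

def _matches(e, proto, src, sport, dst, dport):
    if e["proto"] != "ip" and e["proto"] != proto:
        return False
    if e["src"] is not None and ip_address(src) not in e["src"]:
        return False
    if e["dst"] is not None and ip_address(dst) not in e["dst"]:
        return False
    if e["sport"] is not None and e["sport"] != sport:
        return False
    if e["dport"] is not None and e["dport"] != dport:
        return False
    return True

def vpn_filter(acl, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet crossing the tunnel.
    vpn-filter entries are written remote -> local, so a packet leaving the
    local LAN is evaluated with its source and destination swapped."""
    if ip_address(src) in LOCAL:
        src, sport, dst, dport = dst, dport, src, sport
    for e in acl:
        if _matches(e, proto, src, sport, dst, dport):
            return e["action"]
    return "deny"   # implicit deny at the end of every ACL

# The original poster's filter (remote -> local denied, then permit any):
OP_ACL = [ace("deny", "ip", REMOTE, None, LOCAL, None),
          ace("permit", "ip", None, None, None, None)]

# Hubert's form: port 22 on the remote side = SSH started from A,
# port 22 on the local side = SSH started from B.
HUBERT_ACL = [ace("permit", "tcp", REMOTE, 22, LOCAL, None),
              ace("deny", "tcp", REMOTE, None, LOCAL, 22)]

def a_to_b_ssh(acl):
    """Constructed sample: SYN from an A host to SSH on a B server."""
    return vpn_filter(acl, "tcp", "172.16.16.10", 50000, "192.168.0.20", 22)

def b_to_a_ssh(acl):
    """Constructed sample: SYN from a B host to SSH on an A server."""
    return vpn_filter(acl, "tcp", "192.168.0.20", 50001, "172.16.16.10", 22)
```

With OP_ACL both directions come back "deny", since the swapped A->B packet lands on the first entry; with HUBERT_ACL the A-initiated session is permitted and the B-initiated one denied, but only for a service whose port identifies the direction, which is why a blanket "deny ip" cannot be made one-way this way.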

Thanks for the info, Hubert. I was looking more at blocking all IP traffic incoming from location B though, and only used SSH as an example to show that I wanted outbound connections to work (stateful).

I did learn a lot about the filtering options from your post though and I thank you for that.


Jouni Forss,

This worked perfectly. Thanks for the help!

joedekock
Level 1

This worked for me too! Thank you! I was looking to have the site to site setup for the ability to do an encrypted offsite backup for a couple of customers and to support their from my internal network. I wanted to be able to access their entire network, but limit their internal network to a single IP address on my network, which is my NAS I am using for their remote backups. This worked like a champ!