Solved: Cisco VPN - Restrict VPN traffic to and from remote subnet at IP

chrislord · ‎06-27-2013

I have a Cisco 860 which has an IPSec tunnel to a DLINK router at a remote location.

Subnet A (Cisco) is 192.168.99.0/24

Subnet B (DLINK) is 192.168.1.0/24

The tunnel is stable and functions fine.

What I am trying to acheive is to restrict IP traffic from from both subnets. I have tried the access-list 104 and also access-list 105 (though obviously I didn't think 105 would affect anything as this simply defines what is classed as VPN traffic).

Below is my Cisco config but what is best practice / method to restric VPN IP traffic? (both ways).

Thank you in advance

---------------------------

Building configuration...

Current configuration : 13326 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname cisco860

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 warnings

!

no aaa new-model

clock timezone London 0

clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-121479842

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-121479842

revocation-check none

rsakeypair TP-self-signed-121479842

!

**Certificate data removed**

quit

ip source-route

ip port-map user-protocol--1 port tcp 3389

ip port-map user-protocol-M24C6 port tcp 8006

ip port-map user-protocol-M24C5 port tcp 8005

ip port-map user-protocol-M24C4 port tcp 8004

ip port-map user-protocol-M24C3 port tcp 8003

ip port-map user-protocol-M24C2 port tcp 8002

ip port-map user-protocol-M24C1 port tcp 8001

ip port-map user-protocol--EDI port tcp 9080

!

ip cef

ip inspect name CCP_LOW cuseeme

ip inspect name CCP_LOW dns

ip inspect name CCP_LOW ftp

ip inspect name CCP_LOW h323

ip inspect name CCP_LOW sip

ip inspect name CCP_LOW https

ip inspect name CCP_LOW icmp

ip inspect name CCP_LOW imap

ip inspect name CCP_LOW pop3

ip inspect name CCP_LOW rcmd

ip inspect name CCP_LOW realaudio

ip inspect name CCP_LOW rtsp

ip inspect name CCP_LOW sqlnet

ip inspect name CCP_LOW streamworks

ip inspect name CCP_LOW tftp

ip inspect name CCP_LOW tcp

ip inspect name CCP_LOW udp

ip inspect name CCP_LOW vdolive

no ip domain lookup

ip domain name addomain.local

!

username administrator privilege 15 secret 5 secret

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234567890 address 213.1.1.223

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to213.1.1.223

set peer 213.1.1.223

set transform-set ESP-3DES-SHA

match address 105

!

archive

log config

hidekeys

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address 66.55.33.75 255.255.255.248 secondary

ip address 66.55.33.76 255.255.255.248 secondary

ip address 66.55.33.74 255.255.255.248

ip access-group 104 in

ip verify unicast reverse-path

ip inspect CCP_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

ip address 192.168.99.249 255.255.255.0

ip access-group 103 in

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 66.55.33.73

ip route 192.168.0.0 255.255.255.0 192.168.99.248

ip route 192.168.2.0 255.255.255.0 192.168.99.248

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source static tcp 192.168.99.250 25 interface FastEthernet4 25

ip nat inside source static tcp 192.168.99.252 9080 interface FastEthernet4 9080

ip nat inside source static tcp 192.168.99.250 3389 interface FastEthernet4 3390

ip nat inside source static tcp 192.168.99.250 443 interface FastEthernet4 443

ip nat inside source static tcp 192.168.99.192 3389 interface FastEthernet4 3391

ip nat inside source static tcp 192.168.99.231 8001 interface FastEthernet4 8001

ip nat inside source static tcp 192.168.99.232 8002 interface FastEthernet4 8002

ip nat inside source static tcp 192.168.99.233 8003 interface FastEthernet4 8003

ip nat inside source static tcp 192.168.99.234 8004 interface FastEthernet4 8004

ip nat inside source static tcp 192.168.99.230 8100 interface FastEthernet4 8100

ip nat inside source static tcp 192.168.99.235 8005 interface FastEthernet4 8005

ip nat inside source static tcp 192.168.99.236 8006 interface FastEthernet4 8006

ip nat inside source static tcp 192.168.99.13 3389 interface FastEthernet4 3389

ip nat inside source static tcp 192.168.99.252 1723 interface FastEthernet4 1723

ip nat inside source static tcp 192.168.99.75 3389 interface FastEthernet4 3392

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.0.103 25 66.55.33.75 25 extendable

ip nat inside source static tcp 192.168.0.103 443 66.55.33.75 443 extendable

ip nat inside source static tcp 192.168.0.105 3389 66.55.33.75 3389 extendable

ip nat inside source static tcp 192.168.0.100 3389 66.55.33.75 3390 extendable

ip nat inside source static tcp 192.168.0.106 3389 66.55.33.75 3391 extendable

ip nat inside source static tcp 192.168.2.2 3389 66.55.33.76 3389 extendable

!

ip access-list extended Cameras

remark CCP_ACL Category=128

permit ip any host 192.168.99.231

permit ip any host 192.168.99.232

permit ip any host 192.168.99.233

permit ip any host 192.168.99.234

permit ip any host 192.168.99.235

permit ip any host 192.168.99.236

ip access-list extended EDITraffic

remark CCP_ACL Category=128

permit ip any host 192.168.99.252

ip access-list extended HTTPSTraffic

remark CCP_ACL Category=128

permit ip any host 192.168.99.250

permit ip any host 192.168.0.103

ip access-list extended MailProtector

remark CCP_ACL Category=128

permit ip 195.90.96.0 0.0.1.255 host 192.168.99.250

permit ip 195.90.96.0 0.0.1.255 host 192.168.0.103

permit ip host 217.45.118.145 host 192.168.99.250

permit ip host 217.45.118.145 host 192.168.0.103

ip access-list extended PPTPTraffic

remark CCP_ACL Category=128

permit ip any host 192.168.99.252

ip access-list extended SMTP

remark CCP_ACL Category=128

permit ip host 217.123.118.123 host 192.168.99.2

!

access-list 23 remark CCP_ACL Category=16

access-list 23 permit 217.123.118.123

access-list 23 permit 192.168.99.0 0.0.0.255

access-list 23 permit any

access-list 100 remark CCP_ACL Category=16

access-list 100 remark IPSec Rule

access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 remark Elland

access-list 100 permit ip 192.168.99.0 0.0.0.255 any

access-list 100 remark Dudley

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 100 remark Harrogate

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 remark CCP_ACL Category=0

access-list 102 permit ip any host 192.168.99.13

access-list 102 permit ip any host 192.168.99.250

access-list 102 permit ip any host 192.168.99.192

access-list 102 permit ip any host 192.168.2.2

access-list 102 permit ip any host 192.168.0.105

access-list 102 permit ip any host 192.168.0.100

access-list 102 permit ip any host 192.168.0.106

access-list 102 permit ip any host 192.168.99.75

access-list 103 remark auto generated by CCP firewall configuration

access-list 103 remark CCP_ACL Category=1

access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq telnet

access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq 22

access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq www

access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq 443

access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq cmd

access-list 103 deny tcp any host 192.168.99.249 eq telnet

access-list 103 deny tcp any host 192.168.99.249 eq 22

access-list 103 deny tcp any host 192.168.99.249 eq www

access-list 103 deny tcp any host 192.168.99.249 eq 443

access-list 103 deny tcp any host 192.168.99.249 eq cmd

access-list 103 deny udp any host 192.168.99.249 eq snmp

access-list 103 deny ip 66.55.33.72 0.0.0.7 any

access-list 103 deny ip host 255.255.255.255 any

access-list 103 deny ip 127.0.0.0 0.255.255.255 any

access-list 103 permit ip any any

access-list 104 remark auto generated by CCP firewall configuration

access-list 104 remark CCP_ACL Category=1

access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq telnet

access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq 22

access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq www

access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq cmd

access-list 104 deny tcp any host 66.55.33.74 eq telnet

access-list 104 deny tcp any host 66.55.33.74 eq www

access-list 104 deny tcp any host 66.55.33.74 eq 443

access-list 104 deny tcp any host 66.55.33.74 eq cmd

access-list 104 deny udp any host 66.55.33.74 eq snmp

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 104 permit udp host 213.123.207.223 host 66.55.33.74 eq non500-isakmp

access-list 104 permit udp host 213.123.207.223 host 66.55.33.74 eq isakmp

access-list 104 permit esp host 213.123.207.223 host 66.55.33.74

access-list 104 permit ahp host 213.123.207.223 host 66.55.33.74

access-list 104 permit tcp any host 66.55.33.76 eq 3389

access-list 104 permit tcp any host 66.55.33.75 eq 3391

access-list 104 permit tcp any host 66.55.33.75 eq 3390

access-list 104 permit tcp any host 66.55.33.75 eq 3389

access-list 104 permit tcp any host 66.55.33.75 eq 443

access-list 104 remark MailDefender - ZUB

access-list 104 permit tcp 195.90.96.0 0.0.1.255 host 66.55.33.75 eq smtp

access-list 104 permit tcp any host 66.55.33.74 eq 3392

access-list 104 permit tcp any host 66.55.33.74 eq 1723

access-list 104 permit tcp any host 66.55.33.74 eq 3389

access-list 104 permit tcp any host 66.55.33.74 eq 8006

access-list 104 permit tcp any host 66.55.33.74 eq 8005

access-list 104 permit tcp any host 66.55.33.74 eq 8100

access-list 104 permit tcp any host 66.55.33.74 eq 8004

access-list 104 permit tcp any host 66.55.33.74 eq 8003

access-list 104 permit tcp any host 66.55.33.74 eq 8002

access-list 104 permit tcp any host 66.55.33.74 eq 8001

access-list 104 permit tcp any host 66.55.33.74 eq 3391

access-list 104 permit tcp any host 66.55.33.74 eq 443

access-list 104 permit tcp any host 66.55.33.74 eq 3390

access-list 104 permit tcp any host 66.55.33.74 eq 9080

access-list 104 permit gre any any

access-list 104 remark MailProtector

access-list 104 permit tcp 195.90.96.0 0.0.1.255 host 66.55.33.74 eq smtp

access-list 104 deny ip 192.168.99.0 0.0.0.255 any

access-list 104 permit icmp any host 66.55.33.74 echo-reply

access-list 104 permit icmp any host 66.55.33.74 time-exceeded

access-list 104 permit icmp any host 66.55.33.74 unreachable

access-list 104 deny ip 10.0.0.0 0.255.255.255 any

access-list 104 deny ip 172.16.0.0 0.15.255.255 any

access-list 104 deny ip 192.168.0.0 0.0.255.255 any

access-list 104 deny ip 127.0.0.0 0.255.255.255 any

access-list 104 deny ip host 255.255.255.255 any

access-list 104 deny ip host 0.0.0.0 any

access-list 104 deny ip any any log

access-list 105 remark CCP_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 106 remark CCP_ACL Category=1

access-list 106 permit ip host 217.45.118.145 any

access-list 106 permit ip 192.168.99.0 0.0.0.255 any

access-list 106 permit ip any any

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 100

!

control-plane

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 106 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

rkumar5 · ‎07-01-2013

Hi Chris,

After 12.3(X) version of the IOS router does not check for the traffic that is coming out the VPN tunnel by the means of interface ACL. It did prior that version. Nowdays, we do that by writting separate ACL for each tunnel we want to filter traffic for. Pretty much like the ASAs vpn-filter with some differences.

In IOS it’s pretty easy and logical. We look at the VPN tunnel as ordinary interface. We create one ACL for controlling the traffic going out through the tunnel and one ACL for the traffic coming from the tunnel. So we have “in” and “out” ways on the “interface”. The only difference is that there is no “interface”! We apply these ACLs under appropriate crypto map.

For Example

Lets say

- allow telnet traffic from 192.168.99.0 /24 to 192.168.1.0/24

- allow web traffic from 192.168.1.0 /24 to 192.168.99.0 /24

-drop all the rest

You need to create 2 ACLs one for IN direction Traffic and the other for OUT traffic

ip access-list extended VPNFILTER99-1

permit tcp 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 eq telnet

permit tcp 192.168.99.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255

deny ip any any log

ip access-list extended VPNFILTER1-99

permit tcp 192.168.1.0 0.0.0.255 eq telnet 192.168.99.0 0.0.0.255

permit tcp 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 eq www

deny ip any any log

Now apply these ACLs under appropriate crypto map

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to213.1.1.223

set peer 213.1.1.223

set ip access-group VPNFILTER1-99 in

set ip access-group VPNFILTER99-1 out

set transform-set ESP-3DES-SHA

match address 105

This is how we can filter the traffic on the IOS Routres

HTH

Regards

Raj Kumar

Please rate all helpful posts

View solution in original post

rkumar5 · ‎07-01-2013

Hi Chris,

After 12.3(X) version of the IOS router does not check for the traffic that is coming out the VPN tunnel by the means of interface ACL. It did prior that version. Nowdays, we do that by writting separate ACL for each tunnel we want to filter traffic for. Pretty much like the ASAs vpn-filter with some differences.

In IOS it’s pretty easy and logical. We look at the VPN tunnel as ordinary interface. We create one ACL for controlling the traffic going out through the tunnel and one ACL for the traffic coming from the tunnel. So we have “in” and “out” ways on the “interface”. The only difference is that there is no “interface”! We apply these ACLs under appropriate crypto map.

For Example

Lets say

- allow telnet traffic from 192.168.99.0 /24 to 192.168.1.0/24

- allow web traffic from 192.168.1.0 /24 to 192.168.99.0 /24

-drop all the rest

You need to create 2 ACLs one for IN direction Traffic and the other for OUT traffic

ip access-list extended VPNFILTER99-1

permit tcp 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 eq telnet

permit tcp 192.168.99.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255

deny ip any any log

ip access-list extended VPNFILTER1-99

permit tcp 192.168.1.0 0.0.0.255 eq telnet 192.168.99.0 0.0.0.255

permit tcp 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 eq www

deny ip any any log

Now apply these ACLs under appropriate crypto map

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to213.1.1.223

set peer 213.1.1.223

set ip access-group VPNFILTER1-99 in

set ip access-group VPNFILTER99-1 out

set transform-set ESP-3DES-SHA

match address 105

This is how we can filter the traffic on the IOS Routres

HTH

Regards

Raj Kumar

Please rate all helpful posts

chrislord · ‎07-01-2013

Thank you Raj - worked a treat.

Cisco VPN - Restrict VPN traffic to and from remote subnet at IP level