Firewall rules in site to site VPN

limlayhin
Level 1

+----+     +------------+                 +------------+     +--------+
| HQ |-----| Firewall 1 |--- S2S VPN ---| Firewall 2 |-----| Branch |
+----+     +------------+                 +------------+     +--------+


HQ IP: 10.10.10.0/24, NAT to 192.168.2.0 @ Firewall 1
Branch IP: 192.168.1.0/24, NAT to 10.10.20.0/24 @ Firewall 1


interface Ethernet0/3
 nameif EXTRANET
 security-level 10
 ip address 10.10.10.1 255.255.255.0 


object service TCP-High-Ports
 service tcp destination range 32768 65535 

object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0

object network 192.168.1.110
 nat (outside,EXTRANET) static 10.10.20.110
object network 10.10.10.21
 nat (EXTRANET,outside) static 192.168.2.21

 

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 

access-list VPN-ACL extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 3389 
access-list VPN-ACL extended deny tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq www 
access-list VPN-ACL extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www 
access-list VPN-ACL extended deny tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 8080 
access-list VPN-ACL extended permit object TCP-High-Ports 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list VPN-ACL extended permit icmp any any 
access-list VPN-ACL extended deny ip any any 


access-list EXTRANET_access_in extended permit ip any any 
access-group EXTRANET_access_in in interface EXTRANET


crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 123.123.123.244 
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000

group-policy TEST-S2S-VPN internal
group-policy TEST-S2S-VPN attributes
 vpn-filter value VPN-ACL
 vpn-tunnel-protocol ikev1 


tunnel-group 123.123.123.244 type ipsec-l2l
tunnel-group 123.123.123.244 general-attributes
 default-group-policy TEST-S2S-VPN
tunnel-group 123.123.123.244 ipsec-attributes
 ikev1 pre-shared-key *****

 

An S2S VPN is established between Firewall 1 and Firewall 2.

An access rule is configured at Firewall 1 to control access to/from HQ.
There is no access control at Firewall 2; all access is allowed.


Finding:
In order for HQ hosts to initiate traffic to Branch hosts, I must create firewall rules (VPN-ACL) which allow all ephemeral ports from the Branch IP range.
For example: access-list VPN-ACL extended permit object TCP-High-Ports 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Is this finding valid?

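Added example (not code from the original post or from Cisco): a small Python model of how an ASA evaluates a vpn-filter ACL, run against the VPN-ACL entries quoted above. A vpn-filter is written with the remote (tunnel) network as source and the local network as destination; a packet arriving from the tunnel is checked as written, while a locally initiated connection is checked with addresses and ports swapped, so the local host's ephemeral port is what the destination-port field has to match. The model assumes the filter sees the tunnel-side address pair used by the post's high-ports rule (192.168.1.0/24 for the branch, 192.168.2.0/24 for HQ); the packets, the branch host 192.168.1.50, and the narrower SOURCE_PORT_ACL alternative are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Port = Tuple[int, int]
ANY_PORT: Port = (0, 65535)
EPHEMERAL: Port = (32768, 65535)   # the post's TCP-High-Ports service object


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def eq(port: int) -> Port:
    """Equivalent of 'eq <port>' in the ACL syntax."""
    return (port, port)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "icmp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_ports: Port = ANY_PORT  # port ranges are only consulted for tcp
    dst_ports: Port = ANY_PORT


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if pkt.proto == "tcp":
        if not rule.src_ports[0] <= pkt.sport <= rule.src_ports[1]:
            return False
        if not rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1]:
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First match wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def vpn_filter_verdict(acl: List[Rule], pkt: Packet,
                       remote_net: ipaddress.IPv4Network) -> str:
    """Rules are written remote -> local.  Traffic from the tunnel is checked
    as-is; a locally initiated connection is checked with addresses AND ports
    swapped, so the local ephemeral port becomes the destination port."""
    if ipaddress.ip_address(pkt.src) in remote_net:
        return evaluate(acl, pkt)
    swapped = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
    return evaluate(acl, swapped)


# Address pairs exactly as they appear in the posted VPN-ACL.
HQ_REAL, BRANCH_NAT = net("10.10.10.0/24"), net("10.10.20.0/24")
BRANCH, HQ_NAT = net("192.168.1.0/24"), net("192.168.2.0/24")
REMOTE_NET = BRANCH   # assumption: the filter sees the branch as 192.168.1.0/24

POSTED_VPN_ACL = [
    Rule("permit", "tcp", HQ_REAL, BRANCH_NAT, dst_ports=eq(3389)),
    Rule("deny", "tcp", HQ_REAL, BRANCH_NAT, dst_ports=eq(80)),
    Rule("permit", "tcp", BRANCH, HQ_NAT, dst_ports=eq(80)),
    Rule("deny", "tcp", BRANCH, HQ_NAT, dst_ports=eq(8080)),
    Rule("permit", "tcp", BRANCH, HQ_NAT, dst_ports=EPHEMERAL),   # TCP-High-Ports
    Rule("permit", "icmp", ANY, ANY),
    Rule("deny", "ip", ANY, ANY),
]
WITHOUT_HIGH_PORTS = [r for r in POSTED_VPN_ACL if r.dst_ports != EPHEMERAL]

# Narrower alternative (constructed, not in the post): match the branch side's
# source port 3389 instead of permitting every high port on the HQ side.
SOURCE_PORT_ACL = [
    Rule("permit", "tcp", BRANCH, HQ_NAT, src_ports=eq(3389)),
    Rule("permit", "tcp", BRANCH, HQ_NAT, dst_ports=eq(80)),
    Rule("permit", "icmp", ANY, ANY),
]


def hq_initiated_rdp() -> Packet:
    # constructed: HQ host (tunnel-side address) opens RDP to a branch host
    return Packet("tcp", "192.168.2.21", "192.168.1.110", 40000, 3389)


def branch_initiated(dport: int) -> Packet:
    # constructed: a branch host opens a connection to an HQ host
    return Packet("tcp", "192.168.1.50", "192.168.2.21", 51000, dport)


if __name__ == "__main__":
    for label, acl, pkt in [
        ("HQ->branch RDP, posted ACL", POSTED_VPN_ACL, hq_initiated_rdp()),
        ("HQ->branch RDP, no high-ports rule", WITHOUT_HIGH_PORTS, hq_initiated_rdp()),
        ("HQ->branch RDP, source-port rule", SOURCE_PORT_ACL, hq_initiated_rdp()),
        ("branch->HQ tcp/49200, posted ACL", POSTED_VPN_ACL, branch_initiated(49200)),
        ("branch->HQ tcp/49200, source-port rule", SOURCE_PORT_ACL, branch_initiated(49200)),
    ]:
        print(f"{label:42} {vpn_filter_verdict(acl, pkt, REMOTE_NET)}")
```

Running it shows why the high-ports entry is the one that admits the HQ-initiated RDP session (the swapped tuple is branch:3389 to HQ:40000, and only the 32768-65535 destination range matches it), and also the side effect of that entry: a branch host can open its own connections to any HQ listener above 32767, which includes the Windows RPC dynamic range (49152-65535 by default). The source-port variant admits the same RDP return path while leaving those listeners closed to branch-initiated traffic.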