[ HQ ] ---- [ Firewall 1 ] --- S2S VPN --- [ Firewall 2 ] --- [ Branch ]

HQ IP: 10.10.10.0/24, NAT to 192.168.2.0 @ Firewall 1
Branch IP: 192.168.1.0/24, NAT to 10.10.20.0/24 @ Firewall 1
interface Ethernet0/3
 nameif EXTRANET
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
object service TCP-High-Ports
 service tcp destination range 32768 65535
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
!
object network 192.168.1.110
 nat (outside,EXTRANET) static 10.10.20.110
object network 10.10.10.21
 nat (EXTRANET,outside) static 192.168.2.21
!
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list VPN-ACL extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 3389
access-list VPN-ACL extended deny tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq www
access-list VPN-ACL extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www
access-list VPN-ACL extended deny tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 8080
access-list VPN-ACL extended permit object TCP-High-Ports 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-ACL extended permit icmp any any
access-list VPN-ACL extended deny ip any any
access-list EXTRANET_access_in extended permit ip any any
access-group EXTRANET_access_in in interface EXTRANET
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 123.123.123.244
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
!
group-policy TEST-S2S-VPN internal
group-policy TEST-S2S-VPN attributes
 vpn-filter value VPN-ACL
 vpn-tunnel-protocol ikev1
tunnel-group 123.123.123.244 type ipsec-l2l
tunnel-group 123.123.123.244 general-attributes
 default-group-policy TEST-S2S-VPN
tunnel-group 123.123.123.244 ipsec-attributes
 ikev1 pre-shared-key *****
The S2S VPN is established between Firewall 1 and Firewall 2.
An access rule is configured at Firewall 1 to control access to and from HQ.
There is no access control at Firewall 2; all access is allowed.
Finding:
In order for HQ hosts to initiate traffic to Branch hosts, I must create firewall rules (VPN-ACL) that allow all ephemeral ports from the Branch IP range.
For example: access-list VPN-ACL extended permit object TCP-High-Ports 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Is this finding valid?
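Added example, not part of the original post: a small first-match evaluator for ASA-style extended ACEs, run over the VPN-ACL above to see which entry covers the Branch-side reply of an HQ-initiated RDP session, and what the TCP-High-Ports entry additionally admits. It assumes (not stated on the page) that the vpn-filter list is checked on the tunnel-side addresses with Branch as the source and that the reply packet is evaluated against the same list; the hosts and ports in the sample flows are constructed from the post's NAT objects.

```python
from ipaddress import ip_address, ip_network

ANY = (0, 65535)

def ace(action, proto, src, dst, sport=ANY, dport=ANY):
    """One ASA-style extended ACE; ports are inclusive (low, high) ranges."""
    return dict(action=action, proto=proto, src=ip_network(src),
                dst=ip_network(dst), sport=sport, dport=dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation with an implicit deny, as on an ASA ACL.
    Returns (action, index of the matching ACE or None)."""
    for i, e in enumerate(acl):
        if e["proto"] not in (proto, "ip"):
            continue
        if ip_address(src) not in e["src"] or ip_address(dst) not in e["dst"]:
            continue
        if not (e["sport"][0] <= sport <= e["sport"][1]):
            continue
        if not (e["dport"][0] <= dport <= e["dport"][1]):
            continue
        return e["action"], i
    return "deny", None

HQ_NAT, BRANCH = "192.168.2.0/24", "192.168.1.0/24"      # tunnel-side ranges
HQ_REAL, BRANCH_NAT = "10.10.10.0/24", "10.10.20.0/24"   # EXTRANET-side ranges

# The post's VPN-ACL, entry by entry, in the same order.
VPN_ACL = [
    ace("permit", "tcp", HQ_REAL, BRANCH_NAT, dport=(3389, 3389)),
    ace("deny",   "tcp", HQ_REAL, BRANCH_NAT, dport=(80, 80)),
    ace("permit", "tcp", BRANCH, HQ_NAT, dport=(80, 80)),
    ace("deny",   "tcp", BRANCH, HQ_NAT, dport=(8080, 8080)),
    ace("permit", "tcp", BRANCH, HQ_NAT, dport=(32768, 65535)),  # object TCP-High-Ports
    ace("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
    ace("deny",   "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# Same list with the high-ports ACE swapped for one keyed on the RDP server's source port
# (assumed alternative, shown only to compare what each entry admits under this model).
NARROW_ACL = VPN_ACL[:4] + [ace("permit", "tcp", BRANCH, HQ_NAT, sport=(3389, 3389))] + VPN_ACL[5:]

# Constructed sample flows, seen on the tunnel side with Branch as the source.
RDP_REPLY    = ("tcp", "192.168.1.110", 3389,  "192.168.2.21", 49152)  # reply to HQ-initiated RDP
BRANCH_OPENS = ("tcp", "192.168.1.110", 50000, "192.168.2.21", 40000)  # Branch-initiated, high HQ port

if __name__ == "__main__":
    for name, acl in (("VPN-ACL", VPN_ACL), ("narrow", NARROW_ACL)):
        print(name, "RDP reply:", evaluate(acl, *RDP_REPLY),
              "Branch-initiated:", evaluate(acl, *BRANCH_OPENS))
```

Under these assumptions the RDP reply is admitted only by the TCP-High-Ports entry (the 10.10.x.x entries never see tunnel-side addresses), while that same entry also admits Branch-initiated sessions to any HQ port in 32768-65535, which the source-port variant does not.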