cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
743
Views
0
Helpful
5
Replies
Highlighted
Enthusiast

L2L VPN security level Higher to Lower?

We have an ASA5520 firewall, IOS 8.0(4), running in routed mode with an operational Cisco 2821 router to ASA-5520 L2L IPsec VPN.

:

All Internet searches explain how to enable a L2L IPsec VPN from the LOWER security-level interface to a HIGHER security-level interface- and this is how our setup is configured and it is operational and working fine.

:

We now have a need to setup another L2L IPsec VPN tunnel on the same firewall BUT this time traffic will be arriving on the HIGHER security-level interface destination is to a LOWER security-level interface.

:

Is it possible to enable a L2L IPsec VPN tunnel between a HIGHER security-level interface to a LOWER security-level interface?

Could you assist with any special configs?

I can paste my current operational config if needed.

Thanks

Frank

5 REPLIES 5
Highlighted
Frequent Contributor

Hi fsebera,

can you explain your question in simple terms ? are you saying that you need to set up a tunnel between two sites lets say A and B , where all traffic including general internet from site B , will come into the tunnel and then head out to the internet ?

Manish

Highlighted

No Internet at ANY point.

No Inside or Outside nameif interfaces.

:

nameif DMZ-1 with a security-level 50

nameif DMZ-2 with a security-level 60

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network

This is operational and working well.

:

Now we need to enable a new L2L IPsec VPN to arrive on DMZ-1 (security-level 50) to reach devices in DMZ-3 (security-level 20).

Also, the remote Cisco 2821 router will ALWAYS initiate the VPN connection, as this remote Cisco router is mobile.

Hope this is clear.

Tks

Frank

Highlighted

I have never tested something like this , but I think you will not  need any special configuration for that. VPN  terminating on the DMZ 1  means the traffic will get unencrypted on that interface and then will  head to your DMZ 3 , where it will be scanned against the access list  just like normal traffic.

VPN in your case is just to encrypt  packets between site A to site B , after it reaches Site B , it is upto  that firewall B to route it to its destination according to route table  and access lists since the vpn is not terminating on that interface.

Manish

Highlighted

FYI,
:
Long story short -It does not matter and has no affect.
:
:
I cleared the config from the ASA 5520,
Reloaded, added in required static routes,

ASDM parameters for management,

Configured interfaces as:

:

nameif DMZ-1 with a security-level 50

nameif DMZ-2 with a security-level 60

nameif DMZ-3 with a security-level 30

:

I loaded ASDM, configured L2L VPN via the IPsec VPN Wizzard - same parameters as before, saved config.

:

From the remote site I made a successful conection to the lower security-level devices - no problem.

Security-level seems not to play a role in this setup as Most Cisco documentation implies (or perhaps something is wrong :})

:

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-3]---network

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network

This is operational and working well.

Regards

Frank

Highlighted

By default, the ASA allows decrypted traffic into the ASA. If you wanted to control traffic passing from higher to lower interface, you would need to disable "sysopt connection permit-vpn" and setup an access-list/access-group to deny the traffic. We generally dont recommend disabling this though because it will affect all VPN tunnels (so youll need to configure the necessary permits/denies for all of your VPNs rather than just this one)

Heres more information about that command from the command reference:

"By default, the security appliance allows VPN traffic to terminate on a  security appliance interface; you do not need to allow IKE or ESP (or  other types of VPN packets) in an interface access list. By default, you  also do not need an interface access list for local IP addresses of  decrypted VPN packets. Because the VPN tunnel was terminated  successfully using VPN security mechanisms, this feature simplifies  configuration and maximizes the security appliance performance without  any security risks. (Group policy and per-user authorization access  lists still apply to the traffic.)

You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the the access-list and access-group commands  to create an access list and apply it to an interface. The access list  applies to the local IP address, and not to the original client IP  address used before the VPN packet was decrypted."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

It sounds like youve got this figured out (if so please mark the post as  resolved and remember to rate any posts that helped you).

Content for Community-Ad

This widget could not be displayed.