Using access rules to block certain VPN traffic help

whiteford
Level 1

Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.

It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?

I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the to the inside interface or outside interface?

39 Replies

acomiskey
Level 10

You have 2 options.

vpn-filter

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or something like this, acl on outside interface...

no sysopt connection permit-vpn

access-list vpn extended permit ip 172.19.15.0 255.255.255.0 <allowed-destination> <mask>

access-group vpn in interface outside

The rules you added before were not working because of "sysopt connection permit-ipsec". This command allows ipsec traffic to bypass interface acl's on the ASA.
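Both options from the reply above, written out as an added worked example rather than configuration posted in this thread. It assumes ASA 7.x/8.x syntax, that the 877's LAN-to-LAN tunnel-group is keyed by its public address (written <peer-ip>, which the page does not give), that the remote site may reach only the DNS server 192.168.21.1 (named later in the thread) and an assumed file server 192.168.20.10, and that the HQ address space is 129.101.0.0/16 and 192.168.0.0/16. Every other name and address is an assumption.

```text
! --- Option 1: vpn-filter on the tunnel's group-policy ---
! "sysopt connection permit-vpn" stays on; the interface ACLs are untouched.
! A vpn-filter ACL is always written with the REMOTE (tunnel) side as source
! and the LOCAL side as destination, whichever end opens the connection.
access-list L2L_SITE15_FILTER extended permit udp 172.19.15.0 255.255.255.0 host 192.168.21.1 eq domain
access-list L2L_SITE15_FILTER extended permit tcp 172.19.15.0 255.255.255.0 host 192.168.20.10 eq 445
! Block the rest of the HQ address space, then let everything else (internet) through.
access-list L2L_SITE15_FILTER extended deny ip 172.19.15.0 255.255.255.0 129.101.0.0 255.255.0.0
access-list L2L_SITE15_FILTER extended deny ip 172.19.15.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list L2L_SITE15_FILTER extended permit ip 172.19.15.0 255.255.255.0 any
!
group-policy GP_SITE15 internal
group-policy GP_SITE15 attributes
 vpn-filter value L2L_SITE15_FILTER
!
! <peer-ip> = assumed public address of the remote 877 (tunnel-group type ipsec-l2l)
tunnel-group <peer-ip> general-attributes
 default-group-policy GP_SITE15

! --- Option 2: turn off the bypass, filter with the outside interface ACL ---
no sysopt connection permit-vpn
!
! Same rule set. This ACL also has to carry whatever the outside interface
! already permitted for non-VPN inbound traffic, e.g. to the DMZ web servers.
access-list OUTSIDE_IN extended permit udp 172.19.15.0 255.255.255.0 host 192.168.21.1 eq domain
access-list OUTSIDE_IN extended permit tcp 172.19.15.0 255.255.255.0 host 192.168.20.10 eq 445
access-list OUTSIDE_IN extended deny ip 172.19.15.0 255.255.255.0 129.101.0.0 255.255.0.0
access-list OUTSIDE_IN extended deny ip 172.19.15.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit ip 172.19.15.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
```

Order matters in both ACLs: the specific permits come first, the denies for the internal ranges next, and the permit-any last, otherwise the internet permit swallows the internal traffic. Option 2 removes the bypass for every VPN session on the ASA, not just this site, so any remote-access VPN Client users would lose access until they too are permitted in the outside ACL; option 1 is scoped to the one tunnel-group.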

Hi,

1.) So by default my ASA is allowing my IPsec traffic to ignore rules on my interfaces, and just by adding "no sysopt connection permit-vpn" will mean I have to create rules for subnets/hosts as they won't have access afterwards? I don't see "sysopt connection permit-ipsec" currently in my config.

2.) What does "access-group vpn in interface outside" do, is "vpn" a group I have to create?

3.) For my knowledge I take it's best practise to have this kind of setup rather than my current as it means I can control the network better, but how can I allow any internet traffic through the tunnel and back out of the outside interface?

access-list vpn extended permit ip 172.19.15.0 255.255.255.0 any eq http?

Sorry for these questions

1. Yes. Try a "show run sysopt".

2. That just creates an access-list on the outside interface. "vpn" is just a name. It could very well be...

access-list <name> ...

access-group <name> in interface outside

3. Depends if you want that control or not. You don't need to create a rule to allow the internet traffic out the outside interface. The outside acl is only for traffic passing between interfaces, not going back out the same interface it came in on.

1. Here is my output:

ASA5520-1# sh run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt noproxyarp inside

sysopt noproxyarp DMZ1_Web_Servers

sysopt connection permit-vpn

no sysopt connection reclassify-vpn

Also, what is "no sysopt radius ignore-secret"? I use RADIUS for my Cisco VPN Client connections.

2.) thanks

3.) Thing is, the Internet traffic will eventually have to be routed inside first and then somehow back out (yet to work out how to do this) so our Websense/Surfcontrol can monitor the traffic. I take it this will create a problem with the access lists?

"no sysopt connection permit-vpn" worked. I stopped the tunnel; after the VPN came back up I couldn't connect to anything, but as soon as I started to add access rules to the outside, things started to come up.

What do you think about question 3? I will need to push Internet traffic inbound to a web filter server and then back out. What sort of rule will that require?

Thanks

You need to add a tunneled route.

route inside 0.0.0.0 0.0.0.0 <filter-ip> tunneled

That should make all traffic from ipsec clients go to your webfilter first.

Hope that helps. Please rate helpful posts.
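The tunneled default route spelled out as an added example (not configuration posted in this thread). It uses the filter address 129.101.10.66 that appears later in the discussion as the next hop; the restrictions in the comments are the ASA's documented behaviour for the tunneled keyword, and the inside interface name is taken from the thread.

```text
! Decrypted VPN traffic that matches no learned or static route goes to the filter
! host instead of the ordinary default gateway. Clear-text traffic is unaffected.
!  - "tunneled" is accepted only on a default route (0.0.0.0 0.0.0.0)
!  - only one tunneled default route may exist on the ASA
!  - the next hop must sit on the subnet of the named interface (inside here)
!  - more specific routes still win, so traffic for 192.168.21.0/24 keeps using
!    its own static route rather than this one
route inside 0.0.0.0 0.0.0.0 129.101.10.66 tunneled
!
! The next hop must actually forward or proxy what it receives; a plain host
! that is not a gateway will drop it, and remote users then see nothing load.
!
! Needed only if the ASA itself, rather than the filter, is to send the remote
! site's internet traffic back out the same outside interface the tunnel came in on:
same-security-traffic permit intra-interface
```

Check the result with "show route" (the tunneled default appears as a separate entry) and, for a live flow, "packet-tracer input outside tcp 172.19.15.10 12345 <public-web-ip> 80" with the tunnel up; the trace shows whether the decrypted packet is routed to 129.101.10.66 or dropped by an ACL.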

Hi there,

1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 <filter-ip> tunneled" before, but I then get no websites resolved from the VPN. I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?

2.) Could I point it to a gateway router inside the network which pushes all the traffic to the ASA, that way it passes the filter server on VLAN2 (diag)? If so what router could do this? I only have a spare 877 DSL router, although if it worked I could get a 1800.

I have a simple diag of the setup attached

1.) Where is the name server located?

2.) I believe when using the tunneled keyword, the route must point to a device on the same subnet as the inside interface of ASA.

Hi,

1.) My DNS servers are located inside on subnet 192.168.21.x; the DHCP scope for the users on the VPNs already points to these, and they resolve names to IPs.

2.) The IP of the inside interface is 129.101.10.50/24 so would the device have to be on this subnet? And in the VLAN2 of the diag?

3.) Or can I point it to another internal subnet?

4.) This device has to be some sort of router?

If we can solve this I will be the happiest man alive.

I still have hopes that this scenario can work.

"1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 tunneled" before but I then get no websites resolved from the VPN, I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?"

-Are the dns servers on the same subnet as the filter? If so, it should work. If not then have you considered also adding something like this...

route inside <dns-server-ip> 255.255.255.255 tunneled

I hope you can stick with me on this while I test it; I've been stuck for weeks on this.

The DNS servers are on the 192.168.21.x subnet and the surfcontrol webfilter is on 129.101.10.x/24 subnet.

Will:

route inside <dns-server-ip> 255.255.255.255 tunneled

route the traffic inbound to my DNS (which forwards to our ISP external DNS server)? This could then be sent back outbound via vlan2 then "seen" by the filter server?

That's the idea but was merely a guess.

Can you post more of your ASA config and a little topology of where all these subnets are? That would be helpful. Also, what's the filter ip? Nevermind, found it on your diagram.

Let me see if I have this right.

Inside ASA - 129.101.10.50/16

Filter IP - 129.101.10.66/16

DNS Server - 192.168.21.x

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.100.52

edit: This won't work

route inside <dns-server-ip> 255.255.255.255 tunneled

tunneled routes must be default routes only.

What do you need from the config? It's huge. Examples of routes, etc.?

Inside ASA - 129.101.10.50/16 VLAN2

Filter IP - 129.101.10.66/16 VLAN2

DNS Server - 192.168.21.1

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.10.70. This goes into Nortel core switches, which have multiple VLANs/subnets like 192.168.20.x and 192.168.21.x; the cores do the rest.

Let me know what you need, if I need to buy a router to simplify then I can too.

Hi,

Quote

"edit: This won't work

route inside <dns-server-ip> 255.255.255.255 tunneled

tunneled routes must be default routes only. "

What does this mean? Does it mean I can only do "route inside 0.0.0.0 0.0.0.0 <filter-ip> tunneled"?