Using access rules to block certain VPN traffic help

whiteford
Level 1

Hi, I'm not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router, and the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.

It has to be any as the internet traffic goes through the tunnel to be monitored by the Websense/SurfControl web filter. Anyway, I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed, but having the internet pass over it means I have to use "any", am I right?

I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the inside interface or the outside interface?
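For reference, here is an added configuration example (not from the original poster or any of the replies) showing why interface deny rules often appear not to work for tunnel traffic on an ASA, and where they need to go. The remote network 172.19.15.0/24 is from the post; the HQ server addresses and the ACL name are assumptions for illustration.

```cisco
! --- Why the deny rules "don't work" ---
! By default an ASA lets decrypted IPsec traffic bypass the interface ACLs
! entirely (sysopt connection permit-vpn is on), so a deny in the outside
! ACL is never consulted for packets arriving through the tunnel, and the
! inside ACL only sees traffic *leaving* the LAN, not traffic entering it.
!
! Option 1: make tunnel traffic subject to the outside interface ACL.
! Caveat: this affects every VPN terminating on the box (site-to-site and
! remote-access), so all tunnel traffic you still want must be permitted below.
no sysopt connection permit-vpn

! Decrypted packets from the remote site are evaluated as INBOUND on the
! outside interface, so the rules belong there, source = remote LAN.
! Hypothetical HQ addresses (assumptions): 172.16.10.10 is the one server the
! branch may use, 172.16.0.0/16 is the HQ address space.
access-list OUTSIDE-IN extended permit tcp 172.19.15.0 255.255.255.0 host 172.16.10.10 eq 445
access-list OUTSIDE-IN extended permit udp 172.19.15.0 255.255.255.0 host 172.16.10.10 eq 53
access-list OUTSIDE-IN extended deny   ip  172.19.15.0 255.255.255.0 172.16.0.0 255.255.0.0 log
! Everything else from the branch is Internet-bound (the "any" in the SA) and
! is allowed; it hairpins back out of the outside interface, which already
! requires "same-security-traffic permit intra-interface" for the tunnel to work.
access-list OUTSIDE-IN extended permit ip 172.19.15.0 255.255.255.0 any
access-group OUTSIDE-IN in interface outside
```

The order matters: the ASA stops at the first match, so the specific permits come first, the deny for the rest of HQ next, and the catch-all permit for Internet-bound traffic last. If you would rather not disable `sysopt connection permit-vpn` for every tunnel, the per-tunnel alternative is a `vpn-filter` ACL attached to the group-policy of that one site-to-site tunnel group; it is applied only to that tunnel's traffic and leaves the interface ACL behaviour for other VPNs unchanged.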

39 Replies

To answer your first question, "what is this GRE VPN": this is traffic encapsulated inside a GRE IP tunnel from one point to another point inside your network. The GRE tunnel traffic is then encrypted into a VPN tunnel by the edge firewall/VPN devices. Primarily they are used to encapsulate multicast traffic (dynamic routing protocols) over a VPN, as VPN/IPsec cannot encrypt/decrypt multicast traffic.

There is no simple solution to a simple network, as no two networks are the same or have the same functional requirements.

The answer to your second question, "What is this URL filtering option with Websense": it filters on the URL, based on rules you define on who/what/when is allowed to access specific URLs/content according to your company's IT/security policy.

That's cool.

HTH.

The URL filtering sounds useful; all I need to do is filter these VPNs' web activity. I guess this could solve the issue.

If I didn't have to filter any web activity then I would have had this all sorted ages ago.

Well, the 87x can perform URL filtering; all you need to do is configure it. The router passes on the requested URL to the Websense server and, as I said, based on rules it either instructs the router to allow the URL or deny it!

You need to have the relevant IOS, the "Advanced IP Services" feature set, I believe...

Problem solved!
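As an added illustration of what "configure it" involves on the 87x (example configuration, not from the reply above or from Cisco's documentation for this thread), the classic IOS Firewall URL-filtering setup looks like the following. The Websense server address, the inspection rule name and the LAN interface are assumptions; 15868 is the Websense default port.

```cisco
! Hypothetical Websense server at HQ (assumption), reached via the IPsec tunnel.
! The router must have a route to it, and the server a route back to the router.
ip urlfilter server vendor websense 172.16.10.20 port 15868 timeout 10 retransmit 3

! Security caveat: decide what happens when the filter server is unreachable
! (for example while the tunnel is down). "allow-mode off" fails closed and
! blocks web traffic; "allow-mode on" fails open and lets everything through.
ip urlfilter allow-mode off

! Skip the lookup for trusted internal names and keep a local cache of verdicts
ip urlfilter exclusive-domain permit .hq.example
ip urlfilter cache 5000
ip urlfilter alert
ip urlfilter audit-trail

! Tie URL filtering to HTTP inspection and apply it inbound on the LAN side,
! so it sees requests from the branch clients before they enter the tunnel.
ip inspect name LAN-OUT http urlfilter
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp

interface Vlan1
 description Branch LAN 172.19.15.0/24
 ip inspect LAN-OUT in
```

With this in place, `show ip urlfilter statistics` and `show ip urlfilter cache` are the quickest way to confirm that lookups are actually reaching the server through the tunnel rather than being answered by allow-mode.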

That looks so good, I'm going to upgrade to Websense. From those documents I think I can tell the remote 877 to look up the Websense server for web filtering even if the server is at the other end of the VPN (like my scenario), am I correct Andrew?

Yes, the 877 only needs to know how to "route" to the Websense server from the local routing table. And of course the server needs to know how to get back to the 877. Once you have that, URL filtering should be working... as long as you have your filter rules in Websense configured correctly, of course!! ;o)

HTH.

Sounds like the "model" solution Cisco are trying to use, as it's built into the IOS too.

Looks like I could have a problem with the Cisco VPN Client though; I bet this doesn't have the option.

Actually there could be a fix: as the ASA is checking for URLs, and since the traffic must be decrypted and still pass through the ASA, you could use the below, as this has a high probability of working in your example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

HTH.

Very Interesting.

When I use the Cisco VPN Client all my traffic is forced over to the ASA, then inside for the LAN or straight back out to the Internet, so if you are right and I have the URL option for Websense enabled then it should be picked up?

Yep