ASA5520 7.2 - Filter VPN traffic

Answered Question
Jun 14th, 2007

Hi to all,

I would like to know how I can filter the VPN traffic with an access-list, using the source address and the destination port as filters.

I have tried "no sysopt connection permit-vpn", but that is for filtering the traffic through the VPN tunnel, and I want to filter the hosts that can establish the VPN tunnel.

I have done this in a router with this access-list:

access-list 101 remark VPN

access-list 101 permit ahp host x.x.x.x any

access-list 101 permit esp host x.x.x.x any log

access-list 101 permit esp host x.x.x.x any

access-list 101 permit udp host x.x.x.x any eq isakmp

access-list 101 permit udp host x.x.x.x any eq non500-isakmp

But I have tried the same on the ASA and it doesn't work. I think that it is because the ASA doesn't apply the access-list to the VPN traffic.

Regards, Fernando.

Correct Answer by Jon Marshall about 9 years 6 months ago

Fernando

You can disable it with "no crypto isakmp enable outside", but then even if you apply an ACL on the outside which allows all IP, ESP and AH, it still will not allow an IPsec connection.

So at the moment I can't see any way to achieve this without using an ACL on your upstream router.

I'll do some reading just in case I've missed anything.

Jon

Jon Marshall Fri, 06/15/2007 - 02:22

Hi Fernando

The ASA will apply the outside acl if you have disabled "sysopt connection permit-vpn" which you have.

I have just confirmed this in our lab. You don't need to include the IPsec ports in your access-list, just the connections from the clients you want to allow.

Could you send the config and specify what type of connection you are trying to make, i.e. source IP address/destination IP address/port number.

Jon

networkingib Fri, 06/15/2007 - 02:39

Hi Jon,

First of all, thanks for your answer.

Probably I didn't explain well before.

In the "Cisco Security Appliance Command Reference - Software Version 7.2(2)"*, on page 2597 (sysopt connection permit-vpn), you can find different things:

1) "By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list."

And what I want to do is to disable this, to create my own access-list and then be able to filter the remote hosts that can establish a tunnel.

2) "You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."

So if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool, but not the real public IP of the client.

I hope I have explained it better now.

* You can download the Command reference in this link:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a0080610b36.html

Regards, Fernando.

Jon Marshall Fri, 06/15/2007 - 03:06

Fernando

Apologies, I understand what you mean now. I have just done a bit more testing in the lab and yes, I could not filter based on the public source IP address.

The only thing I can suggest: do you have control of the upstream router that your ASA uses to connect to the Internet? You could use an ACL there if you do.

Jon
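The router-side filter that Jon suggests, written out as an added example (not configuration from anyone in this thread). It assumes an IOS router whose Internet uplink is GigabitEthernet0/0, an ASA outside address of 203.0.113.10, and approved IPsec peers 198.51.100.7 and 198.51.100.32/27; all of those values are placeholders. Unlike the ACL in the original question, it restricts the destination to the ASA's own address rather than "any", logs and drops IKE/NAT-T/ESP/AH from every other source, and then lets everything else through so the ASA's own policy still governs non-VPN traffic. Later ASA releases added a control-plane keyword on access-group for traffic addressed to the appliance itself; nothing of the sort is available in the 7.2 release discussed here, which is why the filtering has to move upstream.

```cisco
! Added example: upstream IOS router, inbound on the Internet-facing interface.
! Assumed placeholders: ASA outside = 203.0.113.10,
! approved VPN peers = 198.51.100.7 and 198.51.100.32/27 (wildcard 0.0.0.31).
ip access-list extended VPN-PEERS-IN
 remark --- IKE (UDP/500) and NAT-T (UDP/4500) only from approved peers to the ASA
 permit udp host 198.51.100.7 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.7 host 203.0.113.10 eq non500-isakmp
 permit udp 198.51.100.32 0.0.0.31 host 203.0.113.10 eq isakmp
 permit udp 198.51.100.32 0.0.0.31 host 203.0.113.10 eq non500-isakmp
 remark --- IPsec data plane: ESP, plus AH only if a transform set actually uses it
 permit esp host 198.51.100.7 host 203.0.113.10
 permit esp 198.51.100.32 0.0.0.31 host 203.0.113.10
 permit ahp host 198.51.100.7 host 203.0.113.10
 remark --- everyone else: log and drop any attempt to talk IPsec to the ASA
 deny udp any host 203.0.113.10 eq isakmp log
 deny udp any host 203.0.113.10 eq non500-isakmp log
 deny esp any host 203.0.113.10 log
 deny ahp any host 203.0.113.10 log
 remark --- all other traffic is passed to the ASA, which applies its own policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group VPN-PEERS-IN in
```

Two caveats a practitioner should keep in mind. First, the "log" keyword on the deny lines is useful while validating the rule, but on a busy Internet edge it should be rate-limited or removed, since every scan of UDP/500 will now generate a syslog entry. Second, this only works for peers with fixed public addresses (site-to-site peers or clients behind a static NAT); for remote-access clients on dynamic addresses, source filtering at the router buys little, and the decrypted-traffic ACL on the ASA is the control that matters.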

networkingib Fri, 06/15/2007 - 03:16

Hi Jon,

Then, are you confirming that there is no way to disable it on the ASA? If so, I will try to get access to the external routers and apply the ACL there that you suggested.

Kind Regards, Fernando.


networkingib Fri, 06/15/2007 - 04:09

Although that is bad news for me, thank you very much for your help.

Regards, Fernando.

rkazmierczak Fri, 06/15/2007 - 05:58

Hi guys,

I just want to make sure if I understand it correctly.

Do you want to prevent certain hosts from being able to establish vpn connections to the ASA?

I would think it should be possible when you remove the sysopt vpn-traffic command. You can then specifically allow only certain hosts to establish the connections using an ACL on the outside interface.

Is this what you tested? It would be very strange if the ASA allowed any VPN traffic no matter what ACL is configured.

2. If you want to filter the packets based on their original headers (before encryption/encapsulation) then this is not possible. In older IOS router images (12.3) the ACL was used twice: over the encrypted traffic and then again after decryption. That's why it was possible. In ASA/PIX and later images (12.4) it is run only once, against the encrypted traffic, and all VPN traffic is allowed.

To do filtering you would have to apply an outbound access-list to the inside interface.
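What the thread does establish is that with "no sysopt connection permit-vpn" the ASA re-evaluates decrypted remote-access traffic against the outside ACL, with the pool address as the source. The following is an added example of that arrangement, not configuration posted by anyone here. It assumes an ASA 7.2 with an address pool of 10.99.0.0/24, internal servers in 10.10.0.0/24 (mail on 10.10.0.25, DNS on 10.10.0.53) and an interface named "outside"; all of those are placeholders.

```cisco
! Added example: ASA 7.2, constrain what remote-access clients can reach after decryption.
! Assumed placeholders: pool 10.99.0.0/24, servers 10.10.0.0/24, interface "outside".
ip local pool VPN_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Without this, decrypted VPN traffic bypasses the interface ACL entirely.
no sysopt connection permit-vpn
!
! After decryption the packet is matched here with its POOL address as source,
! never with the client's public address (see the command reference quoted above).
access-list outside_in remark --- decrypted VPN traffic: pool -> approved internal services only
access-list outside_in extended permit tcp 10.99.0.0 255.255.255.0 host 10.10.0.25 eq 25
access-list outside_in extended permit tcp 10.99.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 443
access-list outside_in extended permit udp 10.99.0.0 255.255.255.0 host 10.10.0.53 eq 53
access-list outside_in extended deny ip 10.99.0.0 255.255.255.0 any log
access-list outside_in remark --- ordinary inbound (non-VPN) rules would follow here
access-list outside_in extended deny ip any any
!
access-group outside_in in interface outside
```

The explicit "deny ... log" line for the pool makes rejected VPN traffic visible in syslog, which is the easiest way to confirm that the ACL is actually being applied to the decrypted packets (the implicit deny at the end of an ASA ACL does not log per-rule). Note that the pool address is all the ACL can see: the IKE and ESP packets themselves still terminate on the appliance regardless of these rules, exactly as Fernando observed.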

Jon Marshall Fri, 06/15/2007 - 06:03

Hi

I admit I was surprised too. If you remove sysopt connection permit-vpn and then have an access-list, i.e.

access-list outside_in deny ip any any

it will still allow a VPN client to connect. The only way I found to disable this altogether was to take off

crypto isakmp enable outside

but then no matter what I put in the ACL on the outside interface I couldn't create a VPN connection.

Perhaps I missed something in my testing?

Jon

rkazmierczak Fri, 06/15/2007 - 06:51

Hi Jon,

I believe you applied the ACL to the interface? Just kidding :)

I am even more surprised, because actually disabling sysopt permit is a recommended security measure: you can then have strict control over which VPN peers can connect.

I will test it myself when I have some time.

Jon Marshall Fri, 06/15/2007 - 06:57

Oh no, I forgot to apply the access-list!!! Again, just kidding :-).

If you disable sysopt connection permit-vpn, which as you say is a recommended security measure, then you can filter the ports and protocols allowed through, but you can't seem to stop IPsec connections.

One thing that may have affected my testing: I had to use "crypto isakmp nat-traversal" on my ASA, so this may have skewed the results.

I'm out of the office until late next week, but I'll test again without having a PAT device in the way and see what happens.

Let me know how you get on with your testing.

Jon

networkingib Fri, 06/15/2007 - 06:31

Hi rkazmierczak,

As you can read in the command reference, when you disable "sysopt connection permit-vpn" the outside access list is applied to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.

So disabling "sysopt connection permit-vpn" is not a valid solution.

I don't know if another option exists to do it, and that is what I am looking for.

Regards, Fernando.

rkazmierczak Fri, 06/15/2007 - 06:44

Hi Fernando,

Do you want to filter based on the original (LAN) IP address or the VPN peers' IP addresses?

networkingib Fri, 06/15/2007 - 07:00

Hi rkazmierczak,

I want to filter based on the VPN peers' IP addresses, that being their public IP.

But as I said before, if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool, but not the real public IP of the client.

You can try it by yourself and get surprised :-)

Regards, Fernando.

rkazmierczak Fri, 06/15/2007 - 07:39

Hi!

If that is the case then it is a bug that should be reported to Cisco. If I have an access-list on the outside interface:

permit udp host 1.1.1.1 any eq 500

permit esp host 1.1.1.1 any

with no sysopt connection permit-vpn

and let's say some VPN client with 2.2.2.2 can still initiate an IKE exchange, then this would be a serious flaw in my opinion.

The only explanation that comes to me at the moment is that the access-list applied to the interface blocks traffic going THROUGH the firewall, not traffic destined to/at the firewall interface. That's why you can have deny ip any any on the interface and still be able to ping the interface. (You have to use icmp permit to block pings to the ASA interface.)

Anyway, quite interesting :)

rafal

networkingib Fri, 06/15/2007 - 08:02

Hi,

According to the ASA command reference it is the normal use of "no sysopt connection permit-vpn", so it doesn't seem to be a bug.

On the other hand, I have tried disabling sysopt connection permit-vpn and applying this ACL to the outside interface:

deny esp any any

deny ip any any

And it continues to allow VPN connections.

Thanks for your interest.

Regards, Fernando.
