06-14-2007 12:20 AM
Hi to all,
I would like to know how I can filter the VPN traffic with an access-list, using the source address and the destination port as filters.
I have tried with "no sysopt connection permit-vpn", but that is for filtering the traffic through the VPN tunnel, and I want to filter the hosts that can establish the VPN tunnel.
I have done this in a router with this access-list:
access-list 101 remark VPN
access-list 101 permit ahp host x.x.x.x any
access-list 101 permit esp host x.x.x.x any log
access-list 101 permit esp host x.x.x.x any
access-list 101 permit udp host x.x.x.x any eq isakmp
access-list 101 permit udp host x.x.x.x any eq non500-isakmp
But I have tried the same in the ASA and it doesn't work. I think that it is because the ASA doesn't apply the access-list to the VPN traffic.
Regards, Fernando.
06-15-2007 03:55 AM
Fernando
You can disable it with "no crypto isakmp enable outside", but then even if you apply an acl on the outside which allows all IP, ESP, AH it still will not allow an IPSEC connection.
So at the moment I can't see any way to achieve this without using an acl on your upstream router.
I'll do some reading just in case I've missed anything.
Jon
06-15-2007 02:22 AM
Hi Fernando
The ASA will apply the outside acl if you have disabled "sysopt connection permit-vpn" which you have.
I have just confirmed this in our lab. You don't need to include the IPSEC ports in your access-list, just the connections from the clients you want to allow.
Could you send config and specify what type of connection you are trying to do ie. source IP address/destination IP address/port number.
Jon
06-15-2007 02:39 AM
Hi Jon,
First of all, thanks for your answer.
Probably I didn't explain well before.
In the "Cisco Security Appliance Command Reference - Software Version 7.2(2)*", on page 2597 - sysopt connection permit-vpn, you can find different things:
1º) "By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list."
And what I want to do is to disable this, to create my own access-list and then be able to filter the remote hosts that can establish a tunnel.
2º) "You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. ???The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.!!!"
So if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.
I hope to have explained better now.
* You can download the Command reference in this link:
http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a0080610b36.html
Regards, Fernando.
06-15-2007 03:06 AM
Fernando
Apologies, I understand what you mean now. I have just done a bit more testing in the lab and yes, I could not filter based on the public source IP address.
The only thing I can suggest is: do you have control of the upstream router that your ASA uses to connect to the Internet? You could use an acl there if you do.
Jon
06-15-2007 03:16 AM
Hi Jon,
Then, are you confirming that there is no way to disable it on the ASA? If so, I will try to get access to the external routers and apply there the acl that you suggested.
Kind Regards, Fernando.
06-15-2007 04:09 AM
Although that is bad news for me, thank you very much for your help.
Regards, Fernando.
06-15-2007 05:58 AM
Hi guys,
I just want to make sure that I understand it correctly.
Do you want to prevent certain hosts from being able to establish vpn connections to the ASA?
I would think it should be possible when you remove the sysopt vpn-traffic command. You can then specifically allow only certain hosts to establish the connections using an ACL on the outside interface.
Is this what you tested? It would be very strange if the ASA allowed any vpn traffic no matter what ACL is configured.
2. If you want to filter the packets based on their original headers (before encryption/encapsulation) then this is not possible. In older IOS router images (12.3) the ACL was applied twice: over the encrypted traffic and then after decryption. That's why it was possible. In ASA/PIX and later images (12.4) it is run only once against the encrypted traffic and all vpn traffic is allowed.
To do filtering you would have to apply an outbound access-list to the inside interface.
06-15-2007 06:03 AM
Hi
I admit I was surprised too. If you remove sysopt permit connection-vpn and then have an access-list ie.
access-list outside_in deny ip any any
it will still allow a vpn client to connect. The only way I found to disable this altogether was to take off
crypto isakmp enable outside
but then no matter what I put in the acl on the outside interface I couldn't create a VPN connection.
Perhaps I missed something in my testing?
Jon
06-15-2007 06:51 AM
Hi Jon,
I believe you applied the acl to the interface? just kidding :)
I am even more surprised because actually disabling sysopt permit is a recommended security measure - you can then have strict control over which vpn peers can connect.
I will test it myself when I have some time.
06-15-2007 06:57 AM
Oh no, I forgot to apply the access-list!!! Again - just kidding :-).
If you disable sysopt connection permit-vpn, which as you say is a recommended security measure, then you can filter ports and protocols allowed through, but you can't seem to stop IPSEC connections.
One thing that may have affected my testing: I had to use "crypto isakmp nat-traversal" on my ASA, so this may have affected my testing.
I'm out of the office until late next week, but I'll test again without having a PAT device in the way and see what happens.
Let me know how you get on with your testing.
Jon
06-15-2007 06:31 AM
Hi rkazmierczak,
As you can read in the command reference, when you disable "sysopt connection permit-vpn" the outside access list is applied to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.
So disabling "sysopt connection permit-vpn" is not a valid solution.
I don't know if another option exists to do it, and that is what I am looking for.
Regards, Fernando.
06-15-2007 06:44 AM
Hi Fernando,
Do you want to filter based on the original (lan) ip address or the vpn peers' ip addresses?
06-15-2007 07:00 AM
Hi rkazmierczak,
I want to filter based on the vpn peers' ip addresses, being it a public IP.
But as I said before, if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.
You can try it by yourself and get surprised :-)
Regards, Fernando.
06-15-2007 07:39 AM
Hi!
If that is the case then it is a bug that should be reported to Cisco. If I have an access-list on the outside interface:
permit udp host 1.1.1.1 any eq 500
permit esp host 1.1.1.1 any
with no sysopt connection permit-vpn
and let's say some vpn client with 2.2.2.2 can still initiate IKE exchange then this would be a serious flaw in my opinion.
The only explanation that comes to me at the moment is that the access-list applied to the interface blocks traffic going THROUGH the firewall, not traffic destined to/at the firewall interface. That's why you can have deny ip any any on the interface and still be able to ping the interface. (You have to use icmp permit to block pings to the ASA interface.)
Anyway, quite interesting :)
rafal
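Added example, not part of the thread or of any Cisco software: a small evaluator for the IOS-style extended ACL lines Fernando posted (and the bare "permit udp host 1.1.1.1 any eq 500" form rafal uses), which models the first-match, implicit-deny behaviour a practitioner relies on when placing the peer filter on the upstream router as Jon suggests. It lets you check, before deploying, that IKE (UDP 500), NAT-T (UDP 4500) and ESP from the intended public peer are permitted while the same traffic from any other peer falls through to the implicit deny. The peer and ASA addresses are constructed test values; it deliberately does not model the ASA's own "to-the-box" exemption discussed above.

```python
"""Evaluate an IOS-style extended ACL against sample IPsec/IKE packets.

Added example (not from the thread): models first-match, implicit-deny
processing of a numbered extended ACL on an upstream router. All addresses
below are constructed documentation/test values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS keyword names for the UDP ports that appear in the thread's ACL lines.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "esp", "ahp", ...
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports (ESP/AH)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means "any port"
    log: bool


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)   # IOS wildcard (inverse) mask, e.g. 0.0.0.255
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text: str) -> list:
    """Parse 'access-list N ...' lines (or bare 'permit ...' lines) into Rules."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]          # drop the keyword and the ACL number
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        tokens = tokens[2:]
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        dport, log = None, False
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                port = tokens.pop(0)
                dport = PORT_NAMES.get(port) or int(port)
            elif tok == "log":
                log = True
        rules.append(Rule(action, proto, src, dst, dport, log))
    return rules


def evaluate(rules: list, pkt: Packet):
    """Return (action, rule_index); first match wins, implicit deny at the end."""
    for i, r in enumerate(rules):
        if r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, i
    return "deny", None   # implicit "deny ip any any"


# Constructed ACL in the shape of the one posted in the thread; 198.51.100.10
# is the single public peer allowed to bring up a tunnel.
SAMPLE_ACL = """\
access-list 101 remark VPN
access-list 101 permit ahp host 198.51.100.10 any
access-list 101 permit esp host 198.51.100.10 any log
access-list 101 permit udp host 198.51.100.10 any eq isakmp
access-list 101 permit udp host 198.51.100.10 any eq non500-isakmp
"""
RULES = parse_acl(SAMPLE_ACL)

# Constructed packets; the ASA outside interface is 203.0.113.1.
ALLOWED_IKE = Packet("udp", "198.51.100.10", "203.0.113.1", 500)
ALLOWED_NAT_T = Packet("udp", "198.51.100.10", "203.0.113.1", 4500)
ALLOWED_ESP = Packet("esp", "198.51.100.10", "203.0.113.1")
OTHER_IKE = Packet("udp", "198.51.100.99", "203.0.113.1", 500)   # not in ACL
PEER_DNS = Packet("udp", "198.51.100.10", "203.0.113.1", 53)     # wrong port

if __name__ == "__main__":
    for p in (ALLOWED_IKE, ALLOWED_NAT_T, ALLOWED_ESP, OTHER_IKE, PEER_DNS):
        print(p, "->", evaluate(RULES, p))
```

Run it directly to see each constructed packet mapped to the rule that matched it (or to the implicit deny). Adding a second peer is a matter of appending its lines to SAMPLE_ACL; the evaluator returns the index of the matching rule so you can confirm which entry a given packet hits and that its "log" keyword is where you expect it.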