08-30-2007 12:22 PM - edited 03-11-2019 04:04 AM
Greetings, this is my first post to this list so please forgive me if this is a silly question or I've somehow missed an answer in searching the forum archives. I did find some similar previous questions but didn't see how I could apply them directly to my situation. So here goes...
I'm familiar with firewalls/VPNs but not so much with Cisco PIXs. I have a PIX 515 running v6.1 and what I think should be a simple VPN access-list question but can't seem to figure it out.
Essentially this is my layout
172.16.0.0/16 ---- pix ----- internet ---- pcs with cisco vpn client
With the following I've enabled a split tunnel IPsec VPN for roaming clients who have a 4.x Cisco VPN client, and presently when the tunnel comes up all traffic is allowed from the client to the internal network:
aaa-server RADIUS (inside) host 172.16.0.3 ********** timeout 5
access-list sw_vpn_clt_nonat permit ip 172.16.0.0 255.255.0.0 192.168.254.0 255.255.255.0
ip local pool sw_vpn_clt_pool 192.168.254.1-192.168.254.254
nat (inside) 0 access-list sw_vpn_clt_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup jetvpn address-pool sw_vpn_clt_pool
vpngroup jetvpn dns-server 172.16.0.7
vpngroup jetvpn default-domain jasper.jasperengines.com
vpngroup jetvpn idle-time 7200
vpngroup jetvpn password *************
vpngroup jetvpn split-tunnel sw_vpn_clt_nonat
What I'd like to do is tighten down that VPN tunnel substantially with an ACL to allow only access to a few internal resources. From my simple understanding 'sysopt connection permit-ipsec' is what's allowing all traffic to pass through the tunnel when it comes up. And sure enough, if I remove that command the tunnel will come up but not allow me to pass traffic.
So at that point I'm unsure where to add the ACL to allow only what I want to pass through the VPN. It seems presently there's a dynamic ACL that's built per connection, e.g.:
JETPIX# show crypto map
Crypto Map: "mymap" interfaces: { outside }
client configuration address initiate
client configuration address respond
client authentication RADIUS
Crypto Map "mymap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Crypto Map "mymap" 30 ipsec-isakmp
Peer = 51.28.133.45
access-list dynacl337 permit ip any host 192.168.254.30 (hitcnt=52)
dynamic (created from dynamic map dynmap/10)
JETPIX# show access-list
...
access-list dynacl337 permit ip any host 192.168.254.30 (hitcnt=52)
...
So I'm prone to think I need to somehow change my 'crypto dynamic-map' command to refer to a list, but I've had no luck with that.
Any help any one could provide would be greatly appreciated.
-Mike
08-30-2007 02:16 PM
Mike,
Thanks for the descriptive post. I hope we can help.
If you remove sysopt connection permit-ipsec you will write the access you want to allow in an outside acl like so...
access-list outside_access_in permit ip
access-list outside_access_in permit ip
etc.
access-group outside_access_in in interface outside
Option 2 would be to use split tunneling
access-list split_tunnel_acl standard permit host x.x.x.1
access-list split_tunnel_acl standard permit host x.x.x.2
vpngroup jetvpn split-tunnel split_tunnel_acl
note: I also noticed that you used the same acl for your nat 0 and your split tunnel...you should always use different acl's even if they contain the same entries.
Hope this helps.
08-31-2007 06:52 AM
Thanks! That's very helpful. I'll give it a try and post my results.
I do have a question: You note I'm using the same acl for my nat 0 and split tunnel; you suggest I should always use different acl's even if they contain the same entries.
I'm guessing you proposed that just so I wouldn't inadvertently break something by making a change to an ACL that affected 2 things when I really may just want it to be a change for one? Or is there a larger reason that I'm missing?
08-31-2007 11:05 AM
Hmm, no such luck with option 2; the following completely blocked all VPN client traffic, and a 'sysopt connection permit-ipsec' is all that would allow it to pass again, though my ACL had no effect.
no vpngroup jetvpn split-tunnel sw_vpn_clt_nonat
access-list sw_vpn_clt_acl permit tcp 172.16.0.0 255.255.0.0 192.168.254.0 255.255.255.0
access-list sw_vpn_clt_acl permit tcp 192.168.254.0 255.255.255.0 host 172.16.0.87 eq 1494
access-list sw_vpn_clt_acl permit icmp any any
vpngroup jetvpn split-tunnel sw_vpn_clt_acl
no sysopt connection permit-ipsec
your first option worked great though... thanks very much for all your help
08-31-2007 11:12 AM
Your split tunnel acl that you tried doesn't really make sense. Which network is the remote network? 172.16 or 192.168? You also want to change tcp to ip in the first statement and you should not narrow it down to individual ports like you did in the second statement. The drawbacks of doing it that way I guess.
You have to look at it as not really creating a detailed access-list, all you are doing is defining which hosts you are allowing access to over the tunnel.
Oh, and when you do option 2 you have to leave in the sysopt command!
Glad the first option worked out. Thanks for the rating.
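Pulling the thread together, here is an added example (not posted by either participant) of what option 1 looks like once the elided ACL lines are filled in with hosts from Mike's own config: the Citrix server 172.16.0.87 on tcp/1494, the DNS server 172.16.0.7, and ping. It also gives the split-tunnel list its own ACL separate from the nat 0 list, as the answer recommends; the port choices and the name sw_vpn_clt_split are assumptions.

```cisco
! Option 1: drop sysopt so decrypted client traffic is subject to the outside ACL.
no sysopt connection permit-ipsec
! Only the VPN pool (192.168.254.0/24) may reach the few internal resources.
access-list outside_access_in permit tcp 192.168.254.0 255.255.255.0 host 172.16.0.87 eq 1494
access-list outside_access_in permit udp 192.168.254.0 255.255.255.0 host 172.16.0.7 eq 53
access-list outside_access_in permit icmp 192.168.254.0 255.255.255.0 172.16.0.0 255.255.0.0 echo
! Implicit deny covers everything else arriving on outside, VPN or not.
access-group outside_access_in in interface outside
! Keep nat 0 on its own list; give the split tunnel a separate copy (assumed name).
nat (inside) 0 access-list sw_vpn_clt_nonat
access-list sw_vpn_clt_split permit ip 172.16.0.0 255.255.0.0 192.168.254.0 255.255.255.0
no vpngroup jetvpn split-tunnel sw_vpn_clt_nonat
vpngroup jetvpn split-tunnel sw_vpn_clt_split
```

The split-tunnel list still describes only which inside networks the client routes through the tunnel, exactly as the answer above says; with option 2 (restricting via the split-tunnel list alone) the sysopt command stays in place.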