block access on a site to site vpn

Unanswered Question
Jan 15th, 2008

I have a site to site VPN (between two ASAs) which works just fine, however we want to have control on:

1) the ability to bring up the VPN tunnel only if one site initiates traffic. If that site does not initiate traffic the tunnel should not come up

2) the ability for one site to access resources from the other site but not vice versa.

Any ideas?

tstanik Tue, 01/22/2008 - 08:51

To make the VPN come up only when one site is initiating traffic, you will need to configure the crypto ACL accordingly. The ability to let only one site access resources from the other can also be configured by applying proper filters. The following links may help you:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080656460.html

matthew.gauger@... Wed, 01/23/2008 - 10:35

I'm trying to accomplish the same thing as ronshuster, but have not had any success. I didn't see much about VPN filters from the links above. There was some information on VPN filters here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

But I'm still not able to create the desired effect. The bi-directional explanation on that page is confusing. What I would like to be able to do is something like this:

access-list 100 extended permit ip

access-list 100 extended deny ip

And then apply that ACL as a VPN filter to my site-to-site VPN connection. The link above talks about the remote subnet always being specified first when doing VPN filter ACLs, so I'm not sure that the above example is valid. When I try to do the above, traffic seems to be blocked in both directions.

To reiterate the desired setup:

Site-to-site VPN connection between my office and a client site. The connection should allow traffic to flow freely from everyone on my office subnet to the client subnet. But traffic should be blocked in the reverse direction (client subnet -> my subnet should not be allowed). Is this possible with VPN filter ACLs? If so, can someone provide an example?

ronshuster Wed, 01/23/2008 - 11:08

Hi Matthew,

This is what you need to add on the side that will initiate traffic:

ciscoasa(config)# crypto map outside_map 2 set connection-type originate-only

The set connection-type originate-only is to be applied on the side that wants to originate the traffic; no further commands need to be added on the Houston side.

I am yet to find the answer to the other point, please let me know if you figure it out.

acomiskey Wed, 01/23/2008 - 11:18

You have two options on restricting the traffic.

1. Remove sysopt connection permit-ipsec or sysopt connection permit-vpn, depending upon version. Then write the access in your regular interface ACLs.

2. Apply a vpn-filter to the group policy of the tunnel-group. This doc explains how to do it for a remote access VPN, but it is the same for LAN to LAN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

matthew.gauger@... Wed, 01/23/2008 - 11:58

I would rather not do option 1, as it would complicate rule setups for other VPN connections in my configuration (and increase the likelihood that I mess something up and expose a security hole).

I can follow the examples for dial-up/remote access VPN connections, but nothing translates into a working configuration for my site-to-site VPN. First, there are no examples given of any deny rules; all the examples in that doc are:

access-list xyz permit ip any

When dial-up users are connected to my vpn, I can ping their pool IP from my internal subnet. So the analogy of what I'm trying to accomplish with site-to-site would be: allow dial-up users full access to the internal subnet, but prevent the internal subnet from being able to access the dial-up user. I've yet to see an example demonstrating this.

When I try:

access-list xyz permit ip

access-list xyz deny ip

and apply those rules as a vpn-filter to the group policy of the tunnel group for my site-to-site VPN, it ends up blocking traffic in both directions. Without those policies, I've tested the VPN connection and it works fine in both directions (client -> me, me -> client). But as soon as I try to block the client -> me traffic, it also kills traffic going the other direction. I'd love to see an actual working example of this.

acomiskey Wed, 01/23/2008 - 12:20

Yes, option 1 is uglier. I believe the vpn-filter ACL is applied into the outside interface. So in your case it would not help. I thought you were trying to limit the access from the VPN client, but you actually want to limit the access to the VPN client. It also doesn't help to put in the 2 ACLs you tried, because the internal subnet would never be the source since it is applied into the outside interface.

The easiest way to do that would be to create an acl applied into your inside interface.

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

sticano Wed, 01/23/2008 - 12:29

You can create a dynamic map on the side that you do not want to initiate traffic from. The other side will then be able to kick off the tunnel, while the dynamic side cannot. Coupled with the filter, you should be all set.

matthew.gauger@... Wed, 01/23/2008 - 13:00

Unfortunately, there isn't a cisco router/firewall on my client side, so my options are limited there.

I think there was some confusion in the previous post also. I am trying to limit access FROM the VPN client - in other words, no one at my client side should be allowed to access my network. Access TO my client site from my network should be allowed across the VPN.

The whole idea is to have a one-way VPN connection to my client site, so I can freely access things at my client site from my office, but the reverse is not allowed.

The idea for the inside policy rule seemed intriguing, but it didn't seem to work. As soon as I put it in place, traffic in both directions was blocked again. I tried the rule the other way too (because it seemed backward to me), but that caused traffic to be blocked in both directions also:

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

matthew.gauger@... Wed, 01/23/2008 - 18:31

Ok, I think I found a potential solution, but I'm not 100% pleased with it...

I went back to the original/normal site-to-site VPN where both sides could freely access each other (client->me and me->client traffic both work). This is pretty much the standard site-to-site VPN shown in examples. The suggestion of adding this rule on my end:

access-list inside extended deny ip any

blocks things in the wrong direction (kills my access to the client). Instead, I created a similar rule *on my client's* firewall. Now there isn't a Cisco, but the rule is equivalent to:

access-list inside extended deny ip any

Now, from my internal subnet, I can still freely access the client subnet (me->client traffic). But the rule on their side prevents them from accessing me (client->me is blocked by their firewall).

The downside to this approach is that I have to trust them to keep that rule in place. If they decide they want to access my network over the VPN, they can simply disable that rule without my knowledge.

So ideally, I would still love it if there was a way to enforce the one-way VPN traffic restriction on my end. I think we've been getting close to a good solution with this thread... we just haven't hit it yet. Keep the suggestions coming!

trustcisco Tue, 01/29/2008 - 07:08

It seems that when I apply VPN filters to allow everything from the client side, they apply correctly. But I cannot access the client side from my LAN at all.

I keep receiving this error :

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

ronshuster Thu, 01/31/2008 - 05:19

I am yet to find an answer to my original question, that is: my site to site VPN is working, however all devices on one side can access all devices on the other and vice versa.

I have an object-group defined with all the private networks on each end, ie

access-list TUNNEL1 extended permit ip object-group INSIDE_NETWORK object-group OUTSIDE_NETWORK

crypto map outside_map 2 match address TUNNEL1

Now that it is fully open (and working), I need to restrict specific segments (in the object-groups) from accessing specific segments on the other side of the tunnel.

How is this done?

acomiskey Thu, 01/31/2008 - 08:47

Posted this before, but maybe it didn't work out. Use the vpn-filter option to filter the traffic.

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq xxx

etc.

trustcisco Thu, 01/31/2008 - 11:52

As I wrote above, the filter works, but you cannot access the remote VPN subnet from the local subnet.

I keep receiving this error :

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

acomiskey Fri, 02/01/2008 - 06:29

Those are really your only 2 options. Has the other guy in this thread tried the vpn-filter? I have used it before on an L2L tunnel and it worked OK.

trustcisco Fri, 02/01/2008 - 17:14

I have tried the VPN filter in an L2L setup.

Although Cisco claims that the filter works bidirectionally, it works only from the client side. The only thing that works bidirectionally is ICMP.

When I apply the VPN filter, from my LAN I cannot connect to the client side on any port.

This is the error I get every time I try to connect:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Where 172.16.10.0 is my LAN and 192.168.1.0 is the client's LAN.

trustcisco Mon, 02/04/2008 - 06:07

Well, I think I have found the solution to filter the client side on the ASA, not exactly as I would like to, but hey, it's a step.

VPN filtering works in L2L; to see it working, make sure that you don't have PFS enabled.

Every rule that you create works bidirectionally, remember that.

pengfang Tue, 04/15/2008 - 06:13

Hi guys, hope it's not too late to join the club :) Here are my thoughts:

1. vpn-filter

As Cisco said, "If TCP/UDP ports are not used with the access list, both sides can access each other", so I wrote the following vpn-filter access-list, which can control traffic from the remote site but allow all traffic to the remote site:

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq # allow remote can access local specific tcp resource #

access-list vpnfilter extended permit udp eq # allow remote can access local specific udp resource #

access-list vpnfilter extended deny tcp any any # deny tcp traffic from remote to local #

access-list vpnfilter extended deny udp any any # deny udp traffic from remote to local #

access-list vpnfilter extended permit ip # allow local can access remote any resource, traffic originated from remote will never hit this access-list, they denied by above two ACLs#

If you want to deny all traffic from the remote site but allow all traffic to the remote site, you can use the following vpn-filter access-list OR the second method:

access-list vpnfilter extended deny tcp any any

access-list vpnfilter extended deny udp any any

access-list vpnfilter extended permit ip

2. outbound access-list on the inside interface

access-list inside_access_out deny ip

access-list inside_access_out permit ip any any

access-group inside_access_out out interface inside

None of this has been verified; if anyone could test it, please post the result, thanks.

HTH
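The direction question that runs through this whole thread (which way does a vpn-filter entry actually permit?) can be reasoned about before touching the ASA. Below is an added Python model of vpn-filter matching; it is not code from this thread or from Cisco, and it assumes the mirror semantics Cisco's documentation describes (entries written remote->local, locally initiated flows checked with source and destination swapped, first match wins, implicit deny), CIDR in place of ASA net/mask syntax, and the two LANs from the log line quoted above as constructed sample data.

```python
import ipaddress
from collections import namedtuple
# Added model of ASA vpn-filter matching (not Cisco's code). Assumed semantics:
# entries are written remote->local; a flow the local side initiates is mirrored
# (src/dst swapped) before matching; first match wins, then implicit deny. Only
# the connection attempt is modelled (no stateful return traffic), and CIDR
# notation stands in for ASA's "network mask" syntax.
Ace = namedtuple("Ace", "action proto src sport dst dport")

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    i = tok.index("extended") + 1
    action, proto, i = tok[i], tok[i + 1], i + 2
    fields = []
    for _ in range(2):                               # source, then destination
        addr, i = tok[i], i + 1
        if addr == "host":                           # 'host X' means X/32
            addr, i = tok[i] + "/32", i + 1
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        fields += [addr, port]
    return Ace(action, proto, *fields)

def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def permitted(acl, proto, src, sport, dst, dport, initiated_from="remote"):
    """True if the connection attempt (src/dst as sent) passes the filter."""
    if initiated_from == "local":                    # outbound: check the mirror
        src, sport, dst, dport = dst, dport, src, sport
    for ace in map(parse_ace, acl):
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_ok(ace.src, src) and ace.sport in (None, sport)
                and _addr_ok(ace.dst, dst) and ace.dport in (None, dport)):
            return ace.action == "permit"
    return False

# Constructed sample filters: remote LAN 192.168.1.0/24, local LAN 172.16.10.0/24.
PENGFANG = [  # the first variant above, with tcp/3389 as the only local service
    "access-list vpnfilter extended permit tcp 192.168.1.0/24 172.16.10.0/24 eq 3389",
    "access-list vpnfilter extended deny tcp any any",
    "access-list vpnfilter extended deny udp any any",
    "access-list vpnfilter extended permit ip 192.168.1.0/24 172.16.10.0/24",
]
LOCAL_ONLY = [  # port on the remote side: only local-initiated tcp/3389 matches
    "access-list vpnfilter extended permit tcp 192.168.1.0/24 eq 3389 172.16.10.0/24",
]
```

Under these semantics the "deny tcp any any" line in PENGFANG also catches the mirrored form of a locally initiated TCP connection (only ICMP falls through to the final permit ip), whereas putting the port on the remote side, as in LOCAL_ONLY, matches only flows the local side opens.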
