ASA site to site using 0.0.0.0/0 proxies

Unanswered Question
Feb 4th, 2008

I was wondering if anyone has run into this issue before. A client's partner has required that any VPN connections to their Netscreen 208 be routed based and configured for a 0.0.0.0/0 local and remote proxy. I could see how this might be possible in an IOS VPN, but I don't see how it can be done in an ASA.

The firewall engineer for the other party suggested creating an interesting traffic ACL that excludes all networks not destined for their site and then an ANY ANY permit at the end. This seems like a disaster to even consider doing.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ajagadee Mon, 02/04/2008 - 13:04

Just out of curiosity, is this ASA being used for internet connectivity or not. If this ASA is being used for internet connectivity, how are you going to exclude all those internet traffic and then have a permit any any. Unless, you are going to tunnel traffic including your internet traffic to the remote Netscreen Server and then route the traffic, permit any any is definitely not a good thing.

I am not saying that this will not work but what I am trying to imply is, this solution does not scale really well unless you want all traffic including your internet traffic to go across the ipsec tunnel.

Regards,

Arul

** Please rate all helpful posts **

skint Mon, 02/04/2008 - 13:16

I agree 100%, but for partner requirements to a large carrier, this is what they have imposed on us. I think it's an awful design as well, it's counterintuitive to the idea of interesting traffic.

With all that said, does this seem possible:

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 0.0.0.0 128.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 130.0.0.0 254.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 132.0.0.0 252.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 136.0.0.0 248.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 144.0.0.0 240.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 160.0.0.0 224.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 192.0.0.0 192.0.0.0

........

access-list vpn_dumbcarrier permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Just to allow the 129.0.0.0/8 block through? I feel like I'm at circus jumping through this many hoops.

acomiskey Mon, 02/04/2008 - 13:53

That should be fine up until the time when you have to create another vpn tunnel somewhere else. What is there solution for this? I guess at that point you would be entering another deny statement in your vpn_dumbcarrier acl.

Actions

This Discussion