Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1154
Views
0
Helpful
3
Replies

ASA site to site using 0.0.0.0/0 proxies

skint
Level 1
Level 1

‎02-04-2008 09:06 AM

I was wondering if anyone has run into this issue before. A client's partner has required that any VPN connections to their Netscreen 208 be routed based and configured for a 0.0.0.0/0 local and remote proxy. I could see how this might be possible in an IOS VPN, but I don't see how it can be done in an ASA.

The firewall engineer for the other party suggested creating an interesting traffic ACL that excludes all networks not destined for their site and then an ANY ANY permit at the end. This seems like a disaster to even consider doing.

Labels:
0 Helpful
3 Replies 3

ajagadee
Cisco Employee
Cisco Employee

‎02-04-2008 01:04 PM

Just out of curiosity, is this ASA being used for internet connectivity or not. If this ASA is being used for internet connectivity, how are you going to exclude all those internet traffic and then have a permit any any. Unless, you are going to tunnel traffic including your internet traffic to the remote Netscreen Server and then route the traffic, permit any any is definitely not a good thing.

I am not saying that this will not work but what I am trying to imply is, this solution does not scale really well unless you want all traffic including your internet traffic to go across the ipsec tunnel.

Regards,

Arul

** Please rate all helpful posts **

0 Helpful

skint
Level 1
Level 1
In response to ajagadee

‎02-04-2008 01:16 PM

I agree 100%, but for partner requirements to a large carrier, this is what they have imposed on us. I think it's an awful design as well, it's counterintuitive to the idea of interesting traffic.

With all that said, does this seem possible:

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 0.0.0.0 128.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 130.0.0.0 254.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 132.0.0.0 252.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 136.0.0.0 248.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 144.0.0.0 240.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 160.0.0.0 224.0.0.0

access-list vpn_dumbcarrier deny ip 0.0.0.0 0.0.0.0 192.0.0.0 192.0.0.0

........

access-list vpn_dumbcarrier permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Just to allow the 129.0.0.0/8 block through? I feel like I'm at circus jumping through this many hoops.

0 Helpful

acomiskey
Level 10
Level 10
In response to skint

‎02-04-2008 01:53 PM

That should be fine up until the time when you have to create another vpn tunnel somewhere else. What is there solution for this? I guess at that point you would be entering another deny statement in your vpn_dumbcarrier acl.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents