Using access rules to block certain VPN traffic help

Unanswered Question
May 1st, 2008
User Badges:

Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.


It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?


I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the to the inside interface or outside interface?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 05/01/2008 - 08:10
User Badges:
  • Green, 3000 points or more

You have 2 options.


vpn-filter

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml


Or something like this, acl on outside interface...


no sysopt connection permi-vpn

access-list vpn extended permit ip 172.19.15.0 255.255.255.0

access-list vpn extended permit ip 172.19.15.0 255.255.255.0


access-group vpn in interface outside


The rules you added before were not working because of "sysopt connection permit-ipsec". This command allows ipsec traffic to bypass interface acl's on the ASA.

whiteford Thu, 05/01/2008 - 11:22
User Badges:

Hi,


1.) So by default my ASA is allowing my ipsec traffic to ignore rules on my interfaces and just by adding "no sysopt connection permi-vpn" will mean I have to create rules for subnets/hosts as they wont have access after? I don't see ""sysopt connection permit-ipsec"" currently in my config.


2.) What does "access-group vpn in interface outside" do, is "vpn" a group I have to create?


3.) For my knowledge I take it's best practise to have this kind of setup rather than my current as it means I can control the network better, but how can I allow any internet traffic through the tunnel and back out of the outside interface?


access-list vpn extended permit ip 172.19.15.0 255.255.255.0 any eq http?


Sorry for these questions

acomiskey Thu, 05/01/2008 - 11:46
User Badges:
  • Green, 3000 points or more

1. Yes. Try a "show run sysopt".


2. That just creates an access-list on the outside interface. "vpn" is just a name. It could very well be...


access-list ...

access-group in interface outside


3. Depends if you want that control or not. You don't need to create a rule to allow the internet traffic out the outside interface. The outside acl is only for traffic passing between interfaces, not going back out the same interface it came in on.

whiteford Thu, 05/01/2008 - 12:20
User Badges:

1. Here is my output:


ASA5520-1# sh run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt noproxyarp inside

sysopt noproxyarp DMZ1_Web_Servers

sysopt connection permit-vpn

no sysopt connection reclassify-vpn


Also what is "no sysopt radius ignore-secret" I use RADIUS for my Cisco Client VPN connections?


2.) thanks


3.) Thing is the Internet traffic will eventually have to be routed inside first then somehow backout (yet to workout how to do this) so our Websense/Surfcontrol can monitor the traffic, I take it this will create a problem with the access lists?

whiteford Fri, 05/02/2008 - 02:59
User Badges:

"no sysopt connection permi-vpn" worked. I stopped the tunnel then after the VPN came back up but couldn't connect to anything, but as soon as I started to add access rules to the outside then things started to come up.


What do you think about question 3? I will need to push Internet traffice inbound to a web filter server then back out, what sort of rule will that require?


Thanks

acomiskey Fri, 05/02/2008 - 06:53
User Badges:
  • Green, 3000 points or more

You need to add a tunneled route.


route inside 0.0.0.0 0.0.0.0 tunneled


That should make all traffic from ipsec clients go to your webfilter first.


Hope that helps. Please rate helpful posts.

whiteford Fri, 05/02/2008 - 07:32
User Badges:

Hi there,


1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 tunneled" before but I then get no websites resolved from the VPN, I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?


2.) Could I point it to a gateway router inside the network which pushes all the traffic to the ASA, that way it passes the filter server on VLAN2 (diag)? If so what router could do this? I only have a spare 877 DSL router, although if it worked I could get a 1800.


I have a simple diag of the setup attached



Attachment: 
acomiskey Fri, 05/02/2008 - 09:16
User Badges:
  • Green, 3000 points or more

1.) Where is the name server located?


2.) I believe when using the tunneled keyword, the route must point to a device on the same subnet as the inside interface of ASA.

whiteford Fri, 05/02/2008 - 10:07
User Badges:

Hi,

1.) My DNS servers are located on an inside on subnet 192.168.21.x the DHCP scope for the users on the VPN's point to these already and resolve names to IP's.


2.) The IP of the inside interface is 129.101.10.50/24 so would the device have to be on this subnet? And in the VLAN2 of the diag?


3.) Or can I point it to another internal subnet?


4.) This device has to be some sort of router?


If we can solve this I will be the happiest man alive.




acomiskey Fri, 05/02/2008 - 10:12
User Badges:
  • Green, 3000 points or more

I still have hopes that this scenario can work.


"1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 tunneled" before but I then get no websites resolved from the VPN, I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?"


-Are the dns servers on the same subnet as the filter? If so, it should work. If not then have you considered also adding something like this...


route inside 255.255.255.255 tunneled

whiteford Fri, 05/02/2008 - 10:17
User Badges:

I hope you can stick with me on this whie I test this, I've been stuck for weeks on this.


The DNS servers are on the 192.168.21.x subnet and the surfcontrol webfilter is on 129.101.10.x/24 subnet.


Will:


route inside 255.255.255.255 tunneled


route the traffic inbound to my DNS (which forwards to our ISP external DNS server)? This could then be sent back outbound via vlan2 then "seen" by the filter server?


acomiskey Fri, 05/02/2008 - 10:22
User Badges:
  • Green, 3000 points or more

That's the idea but was merely a guess.


Can you post more of your ASA config and a little topology of where all these subnets are? That would be helpful. Also, what's the filter ip? Nevermind, found it on your diagram.


Let me see if I have this right.


Inside ASA - 129.101.10.50/16

Filter IP - 129.101.10.66/16

DNS Server - 192.168.21.x

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.100.52


edit: This won't work

route inside 255.255.255.255 tunneled


tunneled routes must be default routes only.

whiteford Fri, 05/02/2008 - 10:53
User Badges:

What do you need from the config it's huge, example of routes etc?


Inside ASA - 129.101.10.50/16 VLAN2

Filter IP - 129.101.10.66/16 VLAN2

DNS Server - 192.168.21.1

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.10.70 - this goes into Nortel core switches which has multiple vlan/subnets like 192.168.20.x, 192.168.21.x cores do the rest.


Let me know what you need, if I need to buy a router to simplify then I can too.

whiteford Tue, 05/06/2008 - 00:06
User Badges:

Hi,


Quote


"edit: This won't work

route inside 255.255.255.255 tunneled


tunneled routes must be default routes only. "



What does this mean? Does it mean I can only do route inside 0.0.0.0 0.0.0.0 tunneled ?

whiteford Wed, 05/07/2008 - 00:46
User Badges:

Hi Acomiskey,


Back at work today to start on this. I don't seem to have a spare router to put in VLAN 2 as you suggested, which is the VLAN for the Inside interface of the ASA. I only have a Cisco 837 and an old Cisco Pix 515.


I have been allowed to buy a Cisco 1841, do you think this would be ok? If it doesn't work we have another project for it.


it only has 2 FE ports, but I guess I will only be using 1 of those ports to plug into the VALN2?

whiteford Thu, 05/08/2008 - 04:08
User Badges:

Will I have yet.


As you may of read the Internet doesn't come "inside" and I somehow need to push the traffic inside then backout again so it's see by VLAN2.


If been looking into the Tunnel Default Gateway option:


"route inside 0.0.0.0 0.0.0.0 tunneled"


I have been told the gateway IP can only be an IP that is in the same subnet as the inside interface of the ASA, so VLAN 2.


I have ordered a Cisco 1841 to test with, but am not sure what to add to this router when I get it. I guess I could just route all the traffic to the inside ASA or our Core nortel LAN switch?


I'm open to any suggestions

Is it just for http/https traffic - or all internet traffic.


1) One idea could be to force the remote end's to use proxy settings in their internet browsers? those proxy settings would point to your websense server


2) Another idea would be to have GRE tunnels from the remote ends into the core router, the IPSEC sa would only be the two endpoint IP addresses on the tunnels (nice and easy) then you point your default route at the remote ends into the tunnels i.e.


ip route 0.0.0.0 0.0.0.0 <>


Once the traffic comes out of the tunnel it is subject to the core routers acl's and the websense server.


I do option 2 in my network, it works well for me.

whiteford Thu, 05/08/2008 - 06:52
User Badges:

I went for option 2:


But got this syslog error:


Error ASA5520-1 : Deny tcp src inside:172.19.15.11/1992 dst outside:212.58.253.75/80 by access-group "inside_access_in" [0x0, 0x0]


I then added a rule on the inside interface to allow 172.19.15.0/24 to any on tcp/http and udp/domain but then got nothing in the syslog server and no webpage displayed, is it a NAT issue now or a route back?


I added: ip route 0.0.0.0 0.0.0.0 <>


tunnel point being the gateway ip of inside core switch then is in VLAN2 - correct?

You created the GRE tunnels?


If you are using a proxy server - you should never see a packet with the source of the remote network, in the ASA if the traffic is routing over the GRE - thru trhe proxy server. You should only see http/tcp traffic with a destination of the internet with the source address of the proxy server?


I am presuming you have a default route in your core layer 3 devices pointing to your proxy server? and a default route in your proxy server pointing to your ASA?

whiteford Thu, 05/08/2008 - 07:34
User Badges:

Hi Andrew I think I have missed a lot here.


I just have a simple IPsec site-to-site VPN from a Cisco 877 to my Cisco ASA. I don't have a proxy server, just my SurfControl Webfilter server in VLAN 2. In VLAN to there is also the link to the Core LAN switches, I added the tunneled route and pointed it to that switch.


Then I noticed the deny rules appear on the ASA when I tried to get to www.bbc.co.uk from the remote network, which is the first time I have ever seen traffic appear on the ASA from this site-to-site so at first I was pleased.


Just need to know if it's going out to the website and if it's not getting back to the PC, pathping and traceroute are being unhelpful to.

whiteford Thu, 05/08/2008 - 07:44
User Badges:

Sure, liet me go off and get that, in the mean time I did find this in the logs, does this show at least the response is going out to the internet?


ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)

whiteford Thu, 05/08/2008 - 07:48
User Badges:

I have this rule:


access-list inside_access_in extended permit ip 172.19.15.0 255.255.255.0 any

To be honest - I cannot see the tunnled IP route working for you, reading the below:-


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd8060b477.html


You are trying to do the whole thing in one device, can't see how that is going to work.


For instance - you posted "ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)"


Can't see why the ASA would actually route that return traffic back to the remote site and encrypt it at the same time - without nating it, not to mention by the looks of it, the ASA is confused on what to actually do with the packet.


Sorry - I am not convinced this will work. I will stand corrected, but basic routing logic defies this.

whiteford Thu, 05/08/2008 - 07:57
User Badges:

Unless this router I get can help? If I add it to that VLAN 2 and force any traffic back to the inside of the ASA to take care of as it has all the routes on there? Possibe?


The 1841 has 2 FE's I guess I would only need 1 of the ports and give it and IP that the VLAN 2 subnet is setup with, then that way I can eliminate any routing issue in the LAN where it might get lost.



Adding the extra rotuer - that is possible, but in my opionion it starts to get very complicated, to say the least.


Also in the url I posted was a policy based routing example which could help with this, no need for an extra router, as you have your core device. There is also GRE, as I said before - which would work, as I have it working in my environment.


HTH.



whiteford Thu, 05/08/2008 - 08:06
User Badges:

Sorry for the basic question what is this GRe VPN?


Currently I have 40 VPN's going through my Cisco Concentrator, but am trying to plan the move over tothe ASA's.


in an idea world what woudl be the simplist solution? What is this URL filtering option with Websense?


We use Surfcontrol which has just been bought by Websense and will be upgrading at some point?



To answer your first question "what is this GRe VPN" this is Traffic encapsulated inside a GRE IP tunnel from one point to another point inside your network. The GRE tunnel traffic is then encrypted into a VPN tunnel by the edge Firewall/VPN devices. Primarly they are used to encapsulate multicast traffic (dynamic routing protocol) over a VPN - as VPN/IPSEC cannot encrypt/decrypt multicast traffic.


There is no simple solution to a simple network - as no 2 networks are the same, or have the same functional requirements.


The answer to your second question "What is this URL filtering option with Websense" It fileters on the URL - based on rules you define on who/what/when is allowed to access specific URLs/Content based on your companies IT/Security policy.


That's cool.


HTH.

whiteford Thu, 05/08/2008 - 23:48
User Badges:

The URL sounds useful, all I need to do is filter these VPN's web activity. I guess this could solve the issue.


If I didn't have to filter any web activity then I would of had this all sorted ages ago.

Well the 87x can perform URL filetering, all you need to do is configure it, the router passes on the requested URL to the websense server, and as I said based on rules - either instructs the router to allow the URL or deny!


You need to have the relevant IOS - "Software Advanced IP Services Feature Set" I belive...


Problem solved!


whiteford Fri, 05/09/2008 - 06:27
User Badges:

That look so good, I'm going to upgrade to Websense. From that documents I think I can tellthe remote 877 to look up the websense sever for web filtering evern if the seerver is at the other end of the VPN (like my scenario) - am I croorect Andrew?

Yes - the 877 only needs to know how to "route" to the websense server, from the local routing table. And of course - the server needs to know how to get back to the 877 - once you have that, URL filtering should be working....as long as you have your filter rules in websense configured correctly of course!! ;o)


HTH.

whiteford Fri, 05/09/2008 - 07:18
User Badges:

Sounds like the "model" solution Cisco are trying to use as it's built into the IOS too.


Looks like I could have a problem with the Cisco VPN Client though, I betthis doesn have the option.

whiteford Fri, 05/09/2008 - 07:30
User Badges:

Very Interesting.


When I use the Cisco VPN Client all my traffic is forced over to the ASA, then inside for the LAN or straight back out if the Internet, so if you are right and I have the URL option for websense enabled then if should be picked up?

Actions

This Discussion