Forcing authentication only on a predefined interface

Answered Question
Aug 27th, 2008

Hi,

Is there a way to set up an IPsec tunnel for a certain group only on a predefined interface? And how?

ISAKMP must be enabled on all interfaces, because I have tunnels on all interfaces..

Thank you.

Massimiliano.


massimiliano.se... Wed, 08/27/2008 - 23:27

Hi Farrukh.

Thanks for your reply.

I have no VPN based on digital certificates... how can I obtain the same result?


Thank you.

Massimiliano.

Farrukh Haroon Wed, 08/27/2008 - 23:29

Two questions: which platform, and the VPN type (L2L, RA IPsec, etc.)?


Regards


Farrukh

massimiliano.se... Wed, 08/27/2008 - 23:48

Hi,

The platform is a PIX 525 with OS 7.2.

The type of VPN is IPsec, client-to-gateway.... the software is Cisco VPN Client for Linux.


Thank you.

Massimiliano.



Farrukh Haroon Thu, 08/28/2008 - 00:05

For the PIX you don't need to even control this! The host can only 'hit' the crypto map to which it is 'coming from'.


e.g. the source IP for the VPN client is 4.4.4.4. If this is reachable via the outside interface (via the default route), this host can ONLY access the 'outside' crypto map. It won't be able to access any crypto map applied on other interfaces like DMZ1, WAN, etc.


Regards


Farrukh

massimiliano.se... Thu, 08/28/2008 - 00:17

Hi Farrukh,

Another way to say what I need.

Say we have a firewall with two interfaces: outside and inside. I have credentials (VPN group, username and password)... we have ISAKMP enabled on outside and inside... I want the user with these credentials to be able to access the VPN only on one interface (say inside); I don't want to control by IP address..


Thank you.

Massimiliano.


P.S.: Another question... does PIX or ASA support NetFlow?

Correct Answer
Farrukh Haroon Thu, 08/28/2008 - 00:23

Well, you can remove the sysopt connection permit-vpn command and allow VPNs through ACLs only. This command bypasses the ACL check for firewall-terminated crypto traffic; it's enabled by default. Disable this, and allow each SPECIFIC IP access to a specific crypto interface. Or deny some and allow others (this would especially be true on the outside).


ASA 8.1 added support for NetFlow, but only on the higher-end models (5580-XX). Maybe we will see it in the future on other models as well.


Regards


Farrukh
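
An added configuration example (not from this thread or from Cisco's documentation) of the ACL-based approach described above, showing the default setting beside the hardened one. It assumes PIX/ASA 7.x syntax, a constructed VPN client pool 10.10.10.0/24, an internal network 192.168.1.0/24, and ISAKMP left enabled on both outside and inside as in the question:

```cisco
! Added example, not from the thread. Assumed PIX/ASA 7.x syntax and a
! constructed topology: VPN pool 10.10.10.0/24, internal LAN 192.168.1.0/24,
! ISAKMP enabled on both 'outside' and 'inside'.
!
! --- Default (does not meet the requirement) ---
! Decrypted VPN-client packets bypass the interface ACLs on every interface,
! so a client that terminates its tunnel on 'inside' gets full access.
sysopt connection permit-vpn
!
! --- Hardened ---
! Decrypted VPN traffic is now checked against the inbound ACL of the
! interface the tunnel terminated on; permit the pool only where wanted.
no sysopt connection permit-vpn
!
! outside: VPN clients may reach the internal LAN
access-list OUTSIDE_IN extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! inside: decrypted traffic from the pool is dropped and logged, so a tunnel
! built against the inside interface carries nothing; normal LAN hosts are unaffected
access-list INSIDE_IN extended deny ip 10.10.10.0 255.255.255.0 any log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

Note that this filters the decrypted traffic only; a client can still complete IKE and authenticate against the inside interface, which is why this controls by pool address rather than by username or group.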

massimiliano.se... Thu, 08/28/2008 - 00:33

Hi Farrukh.

Can I make the distinction on which interface to use based on group, username and password?


Massimiliano.


P.S.: Rating for your response regarding NetFlow, and another question :)) How can I collect data (like NetFlow) on a PIX/ASA?




Marwan ALshawi Thu, 08/28/2008 - 02:47

By the way, if you use ACS for AAA authentication,

there is an option called tunnel-group-lock.

You can lock a user or group to a specific VPN tunnel-group on the PIX/ASA.


This will be group-based on the VPN tunnel-group.


If helpful, rate.

Farrukh Haroon Thu, 08/28/2008 - 03:12

How does that achieve the requirement? I'm sorry I must be missing something here.


Regards


Farrukh
