Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
12
Helpful
14
Replies

Forcing authentication only on a predefined interface

Go to solution
massimiliano.serafino
Level 4
Level 4

‎08-27-2008 02:27 AM

Hi,

Is there a way to set up a tunnel IPSEC for a certain group only on a predefined interface? And how?

The isamkp must be enabled on all interface, because I have tunnel on all interface..

Thank you.

Massimiliano.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to massimiliano.serafino

‎08-28-2008 12:23 AM

Well you can remove the systop connection permit-vpn command and allow VPNs through ACL only. This command bypasses ACL check for firewall-terminated crypto traffic; its enabled by default. Disable this, and allow each SPECIFIC IP access to specific crypto interface. Or Deny some and allow others (this would specially be true on the outside).

ASA 8.1 added support for netflow but only on the higher end models (5580-XX). Maybe we see it in the future on other models as well.

Regards

Farrukh

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-27-2008 12:08 PM

For digital certificate based VPNs you can do it like this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftdnacl.html

Regards

Farrukh

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Farrukh Haroon

‎08-27-2008 11:27 PM

Hi Farrukh.

Thank for your reply.

I've no VPN based on digital certificate...how can i obtain the same result?

Thank you.

Massimiliano.

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to massimiliano.serafino

‎08-27-2008 11:29 PM

Two questions, which platform and the VPN type (L2L,RA IPSEC, etc?)

Regards

Farrukh

0 Helpful

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Farrukh Haroon

‎08-27-2008 11:48 PM

Hi,

The platform is a PIX 525 with OS 7.2

The type of VPN is IPSEC, client-to-gateway....the software is Cisco VPN Client for Linux.

Thank you.

Massimiliano.

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to massimiliano.serafino

‎08-28-2008 12:05 AM

For the PIX you don't need to even control this! The host can only 'hit' the crypto map to which it is 'coming from'.

e.g Source IP for VPN client is 4.4.4.4. If this s reachable via the Outside interface (via default route), this host can ONLY access the 'outside' crypto map' It wont be able to access any crypto map applied on other interfaces like DMZ1 , WAN etc.

Regards

Farrukh

0 Helpful

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Farrukh Haroon

‎08-28-2008 12:17 AM

Hi Farrukh,

Another way to say what I need.

Say we have a firewall with two interfaces:outside and inside. I've credential (VPN Group and username and password)...we have isakmp enabled on outside and inside...i want that the user using the credential can access in VPN only on one interface (say inside); i don't want control the IP address..

Thank you.

Massimiliano.

P.S.: Another question...PIX or ASA support NetFlow?

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to massimiliano.serafino

‎08-28-2008 12:23 AM

Well you can remove the systop connection permit-vpn command and allow VPNs through ACL only. This command bypasses ACL check for firewall-terminated crypto traffic; its enabled by default. Disable this, and allow each SPECIFIC IP access to specific crypto interface. Or Deny some and allow others (this would specially be true on the outside).

ASA 8.1 added support for netflow but only on the higher end models (5580-XX). Maybe we see it in the future on other models as well.

Regards

Farrukh

0 Helpful

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Farrukh Haroon

‎08-28-2008 12:33 AM

Hi Farrukh.

Can I made the distinction on which interface to use based on on group and username and password?

Massimiliano.

P.S.: Rating for your response regarding the Netflow and another question:)) How can I collect data (like Netflow) on a PIX/ASA?

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to massimiliano.serafino

‎08-28-2008 12:41 AM

Thank you for the rating :).

As I said you need an ASA 5580 for that:

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html

No I don't think you can make it based on groups or usernames. You have to use IPs.

Regards

Farrukh

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Farrukh Haroon

‎08-28-2008 12:43 AM

Thanks.

Massimiliano.

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎08-28-2008 02:47 AM

by the way if u use ACS for AAA authentication

there is otion called tunnel-group-lock

u can lock a user or group to a spesific vpn tunnel-group on the PIX/ASA

this will be group based on tunnel-group vpn

if helpful Rate

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to Marwan ALshawi

‎08-28-2008 03:12 AM

How does that achieve the requirement? I'm sorry I must be missing something here.

Regards

Farrukh

0 Helpful

Go to solution
massimiliano.serafino
Level 4
Level 4
In response to Marwan ALshawi

‎08-28-2008 06:09 AM

Hi,

But I want lock a group to a particular interface...

Massimiliano.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents