For my users to access TCP80, I have to allow >1023 inbound. Alternatives?

Unanswered Question
Sep 10th, 2008

I have a L2L VPN tunnel created with a vendor. I have a set of users who need to access a web server, just TCP 80 I am advised.

Naturally, I am going to filter what this vendor can access on my network. The vendor doesn't get to access anything the vendor wants. I'm going to use the "vpn-filter" command to deploy an ACL on the group-policy. The group-policy is locked to a tunnel group.

I have found that in order for my users to just get a reply from the web server, I have to put a line in my vpn-filter ACL like the one below.

access-list VENDER-ACL line 8 extended permit tcp object-group VENDER-SERVERS eq www gt 1023

If I put this line in "inactive" mode, then no replies to the SYNs even return to my clients. If I activate this line, then my users can access this web server, a complete TCP handshake occurs and http passes back and forth.

I do not like what this ACL really says. This ACL says that the vendor's servers can access ANY TCP port over 1023 on my clients if they know to source the connection attempt from TCP 80. If NMAP can spoof a source port, then anything else can.

Cisco's docs say that the vpn-filter is stateful. Having to put a line like line 8 above doesn't seem very stateful at all.

I do not like this. Is there any way around this, is there a real stateful solution?

acomiskey Wed, 09/10/2008 - 10:49

I quit using the vpn-filter a long time ago. I think the easier/better solution is to just disable sysopt connection permit-ipsec and write the acl in your regular outside access list. Unfortunately this is a global setting, so any other ipsec traffic you have will need to be specifically allowed in the acl as well.

bnidacoc Wed, 09/10/2008 - 11:08


I've noticed other references to disabling that "sysopt connection permit-ipsec/permit-vpn", but I wasn't sure that other people's issues were the same as mine.

Does Cisco publish a doc detailing all the gotchas one might run into when disabling this? Does it detail all the considerations and configurations one would have to make? Would the ACLs be genuinely stateful after that, i.e., I will not need an ACL line that allows access to ports above 1023?

I'm not that solid on the matter of L2L access control (AC). Would I then use the interface ACLs to grant and permit access? In the case of AC with tunneled networks, would the ACL need the pre-xlated IPs or the post-xlated IPs on the local side?

It is really discouraging as it appears that Cisco didn't make this vpn-filter stateful.

acomiskey Wed, 09/10/2008 - 11:23

The sysopt option allows all ipsec traffic to bypass your interface acls. So by removing it, the traffic is inspected just like any other traffic traversing interfaces in the firewall. Yes, it is stateful and you would not need the source port acl.

Yes, you would use interface acls to control the access.

bnidacoc Wed, 09/10/2008 - 12:16

Thanks, acomiskey

OK. So if we have other L2L VPNs which we do not want to limit access on (we currently have no vpn-filter defined on these group-policies), then I would create an ACL like so

ACL to-internet permit ip

access-group to-internet out interface outside

ACL from-internet permit ip

access-group from-internet in interface outside

where is the remote site network and this is NAT-EXEMPT.

And if I have this with the vendor where I policy NAT internal hosts to going to the vendor's network…

ACL to-internet permit tcp tcp object-group VENDER-SERVERS eq 80

And for my RA VPN laptops,

ACL from-internet permit udp any host (OUTSIDE INTERFACE IP) eq 500

ACL from-internet permit udp any host (OUTSIDE INTERFACE IP) eq 4500

Anyone think I might be missing something?


acomiskey Wed, 09/10/2008 - 12:31

You don't need these ones...

And for my RA VPN laptops,

ACL from-internet permit udp any host (OUTSIDE INTERFACE IP) eq 500

ACL from-internet permit udp any host (OUTSIDE INTERFACE IP) eq 4500

This is not traffic traversing the interface, it is landing on it. But you would need something like.....

ACL from-internet permit ip

access-group from-internet in interface outside

Another thing I thought I would mention, I'm assuming you currently have an acl applied out interface outside? ...and this is the acl which is being hit when you try vpn-filter? Are you using that acl for anything? If not you could remove it and you would not have to do the >1023 when using vpn-filter. Hope that makes sense.
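The two approaches discussed in this thread side by side, as an added configuration example that is not from any of the posters; the object-group and ACL names follow the thread, while the addresses (203.0.113.0/24 for the vendor, 10.1.1.0/24 for the local clients) and the policy names VENDER-GP and OUTSIDE-OUT are constructed placeholders.

```cisco
! (a) vpn-filter on the group-policy. The filter ACL is written with the
!     remote (vendor) network as source and is evaluated for BOTH directions,
!     so a client-initiated connection to the vendor web server only gets its
!     replies back if the reverse direction is permitted explicitly.
!     That is the "eq www gt 1023" line, and it also permits the vendor to
!     reach any port above 1023 on the clients from source port 80.
object-group network VENDER-SERVERS
 network-object 203.0.113.0 255.255.255.0
access-list VENDER-ACL extended permit tcp object-group VENDER-SERVERS eq www 10.1.1.0 255.255.255.0 gt 1023
group-policy VENDER-GP internal
group-policy VENDER-GP attributes
 vpn-filter value VENDER-ACL
tunnel-group 203.0.113.1 general-attributes
 default-group-policy VENDER-GP

! (b) Stop IPsec traffic from bypassing the interface ACLs. Decrypted tunnel
!     traffic is then handled like any other traffic: a connection entry is
!     built for the client's SYN, replies match that entry, and no reverse
!     ">1023" rule is needed. The setting is global, so every other tunnel
!     now also needs explicit permits in the interface ACLs.
no sysopt connection permit-vpn
access-list OUTSIDE-OUT extended permit tcp 10.1.1.0 255.255.255.0 object-group VENDER-SERVERS eq www
access-group OUTSIDE-OUT out interface outside
```

On the 7.0/7.1 releases the bypass keyword is `permit-ipsec` rather than `permit-vpn`, as the thread's wording reflects.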

