Allow one-way traffic over VPN L2L tunnel

Problem details: Hi, we have one of our web servers compromised. The server is located in the ISP remote site. The remote site is connected to our main office with a VPN tunnel. Here is a brief network diagram:

RBA network (192.168.182.0) -- VPN tunnel -- ISP network (10.5.0.x). In order to provide our main network we disabled the VPN tunnel between the two sites. We have to reconfigure the VPN tunnel and achieve the following:

1. VPN tunnel should protect traffic between RBA and ISP sites;
2. traffic initiated from RBA to ISP must be allowed;
3. all traffic (except for backup) initiated from ISP to RBA must be disabled, so if the web server gets compromised in the future, the RBA network is protected;
4. the web servers at ISP are self-contained and do not need access to the RBA network. The only type of access is when backup is performed, so that type of traffic should be allowed.

Please provide assistance with the VPN configuration.

Thanks


acomiskey
Level 10

What are the devices?

On both ends are ASA 5520s with 8.x software version.

This is how I would do it... configure the VPN as normal but add the following to the ISP-ASA.

ISP-ASA

no sysopt connection permit-vpn

access-list outside_access_in extended permit ip 192.168.182.0 255.255.255.0 10.5.0.0 255.255.255.0
access-group outside_access_in in interface outside

access-list inside_access_in extended permit (allow backup traffic here from 10.5.0.x to 192.168.182.x)
access-list inside_access_in extended deny ip 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

Thanks for the prompt response.

Would it be possible to set up at the ISP side: crypto map outside_map 1 set connection-type answer-only

and on the main office side: crypto map outside_map 1 set connection-type originate-only

and achieve the same result?

Doing that would only prevent the ISP side from bringing up the VPN. Once the VPN was established by the RBA end, it would not prevent the ISP side from initiating traffic over the tunnel.

The following ports will have to be opened for backup and management from ISP:

80, 22, 5432, 8080

Not quite sure how to set up the access-list commands. Would you be so kind as to enter one line for me?

access-list no_nat0 extended permit ip 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 80
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 22
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 5432
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 8080

or you could be even more specific if you identified the exact IP addresses which were being backed up and to where.

access-list inside_access_in extended permit tcp host 10.5.0.x host 192.168.0.x eq 80

etc.
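To check that the ACLs proposed above actually give the one-way behaviour the original post asks for before they are pushed to the ISP-ASA, here is an added example (not from the thread or from Cisco): a small Python evaluator that parses the posted access-list lines and applies ASA first-match semantics with the implicit deny at the end. The rulesets are the lines from this thread pasted verbatim, the test flows are constructed, and the parser only understands the subset of syntax used here (ip/tcp/udp, any, host, network plus netmask, eq port).

```python
import ipaddress

# Constructed sample: the ISP-ASA inside ACL as proposed in this thread, pasted verbatim.
# Backup/management permits first, then the deny toward RBA, then the permit for everything else.
INSIDE_ACL = """
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 80
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 22
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 5432
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 8080
access-list inside_access_in extended deny ip 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list inside_access_in extended permit ip any any
"""
# Applied to decrypted tunnel traffic on "outside" once "sysopt connection permit-vpn" is disabled.
OUTSIDE_ACL = "access-list outside_access_in extended permit ip 192.168.182.0 255.255.255.0 10.5.0.0 255.255.255.0"

def _take_addr(tok):
    """Consume one address spec (any | host A | A MASK) and return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[3], tok[4]
        src, rest = _take_addr(tok[5:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # None = any destination port
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """ASA semantics for one new flow: the first matching line wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s in rsrc and d in rdst and (rport is None or rport == dport):
            return action
    return "deny"
```

Return traffic of RBA-initiated sessions is not evaluated here because the ASA permits it by connection state, so the inside ACL only has to describe what ISP hosts may start on their own.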

You have a very poor design. You should have designed your VPN in such a way that your VPN device is placed between a firewall. That way, after the traffic has been decrypted, the firewall will take over the inspection. That way, you do not have to worry about this.

my 2c.

Thanks for your input, but it did not quite help.

The VPN device is an ASA 5510, capable of running the VPN tunnel and protecting the network.

His vpn device is a firewall, so what advantage is there to using 2 devices instead of 1?

I configured an ACL on the inside interface facing ISP allowing only certain types of traffic to pass. Looks like the problem is solved.

thanks for all your help.
