VPN Group-Policy

Unanswered Question
Oct 27th, 2008

Hi,

I have a site-to-site VPN setup with a client on our PIX. The tunnel is currently using the default group policy, so access is only permitted to the customer servers. I would like to grant the customer site http access to one of our internal servers. Below is the config I have used. Once I'd applied the config below, I could no longer connect to any of the customer servers.

access-list acl_client_access permit tcp host x.x.x.x host x.x.x.x eq http

group-policy gp_client internal

group-policy gp_client attributes

vpn-filter value acl_client_access

vpn-tunnel-protocol IPSec

tunnel-group x.x.x.x general-attributes

default-group-policy gp_client

Your help is appreciated.

Thanks

Farrukh Haroon Mon, 10/27/2008 - 06:05

The direction of vpn-filter ACLs is a little tricky; have a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo

It would be nice if you can post the exact ACL outlining the VPN pool and server IPs (you may substitute them with any dummy address for security reasons, but x.x.x.x doesn't help much).

Regards

Farrukh

alraycisco Mon, 10/27/2008 - 08:25

Hi,

the access-list I mentioned above is configured to permit the client host to the ftp server and nothing else. All traffic is NAT 0'd.

I changed the access-list to also permit the internal subnet (my network) to the client subnet. Yet I still can't connect to the client machines anymore.

Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1

alraycisco Mon, 10/27/2008 - 09:03

I also tried the following acl:

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1 eq 80

access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Farrukh Haroon Mon, 10/27/2008 - 12:46

Try to run a 'packet-tracer' command on this desired TCP flow and see what you get.

Regards

Farrukh

alraycisco Wed, 10/29/2008 - 03:55

Hi,

The packet tracer shows the traffic being dropped by an access-list, but it doesn't say which one. The message I get is '(acl-drop) Flow is denied by configured rule'

Thanks

Farrukh Haroon Wed, 10/29/2008 - 04:02

It does show the ACL name, just make sure you use the 'detailed' keyword after the command.

Regards

Farrukh

alraycisco Wed, 10/29/2008 - 04:20

Hi,

If I add a permit ip any any to the access-list being used by the vpn-filter, this gives me access again to the customer hosts.

My understanding of the VPN filter is that I should be able to permit access from my subnet to the clients and also give the required access to the customer clients to get http access to my subnet.

I don't want to permit all access from the client subnet to mine, unless it was initiated from my subnet.

Farrukh Haroon Wed, 10/29/2008 - 04:28

You would need to tell more details about the IP addressing to comment on the VPN filter. As a second step, you can enable ALL IP traffic between the subnets (instead of specific ports). Then see if it works.

Regards

Farrukh

alraycisco Wed, 10/29/2008 - 04:45

Hi, the details are:

Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24

We're not natting to anything currently.

The VPN filter acl is as follows:

access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http

However, this results in no traffic being allowed from the internal subnet to the client subnet.

Thanks

Farrukh Haroon Wed, 10/29/2008 - 04:52

It seems you did not read the document I posted earlier, here is the quote:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo

"An ACL that is used for a vpn-filter must not also be used for an interface access-group. When a vpn-filter is applied to a group-policy/user name mode that governs Remote Access VPN Client connections, the ACL must be configured with the *client* assigned IP addresses in the *src_ip position* of the ACL and the local network in the dest_ip position of the ACL"

So your ACL should be the other way around

access-list acl_client permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Regards

Farrukh

alraycisco Wed, 10/29/2008 - 05:15

Hi,

I did have a look at the document you suggested. The only problem with having the acl that way round is that I would then be permitting full access from the customer site to mine. I only want to allow http access that is initiated from the client site. The rest of the traffic that is permitted should be initiated from my subnet.

Thanks

jsteffensen Wed, 05/06/2009 - 05:17

Hi alraycisco

As far as I know, this is not possible to do, since the VPN filters are "applied" bidirectionally.

I guess sending a feature request to Cisco, requesting them to change this and make the access-list behave as real ACLs would be the thing to do.
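Added example (editorial, not posted by anyone in this thread and not Cisco code): a small Python model of how a vpn-filter ACL is evaluated, illustrating both Farrukh's point that the remote side goes in the ACL source position and jsteffensen's point that the filter is applied to both directions. The model assumes, per the Cisco example linked above, that the filter is checked on the first packet of every connection with the remote (tunnel) side as source and the local network as destination, so a connection the local side opens is matched with addresses and ports swapped; a remote port the local side is allowed to connect to therefore goes on the source side of the ACE. Host 192.168.2.50, host 192.168.1.20 and the ephemeral port numbers are constructed for the scenarios. The last scenario shows the caveat a practitioner would want: because the match is not tied to who initiated the connection, an ACE with `eq 80` on the source side also admits remote-initiated connections whose source port is 80. Confirm the real box's behaviour with `packet-tracer ... detailed`, as suggested in the thread.

```python
"""Model of vpn-filter ACL matching on a PIX/ASA (illustration, not Cisco code).

Assumption: the filter is evaluated on the first packet of a flow, always with
the remote (tunnel) side as ACL source and the local side as ACL destination.
A locally initiated flow is therefore matched with src/dst and ports swapped.
Only 'permit' ACEs with 'host', 'any', 'A MASK' and 'eq' are parsed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PORT_NAMES = {"http": 80, "www": 80}  # only the names this example needs


@dataclass(frozen=True)
class Ace:
    proto: str
    src: IPv4Network
    sport: Optional[int]  # None = any port
    dst: IPv4Network
    dport: Optional[int]


def _addr(t, i):
    """Consume one ASA address spec: 'any', 'host A' or 'A MASK'."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def _port(t, i):
    """Consume an optional 'eq <port>'; unknown port names raise KeyError."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return Ace(t[3], src, sport, dst, dport)


def _matches(ace, proto, src, sport, dst, dport):
    if ace.proto not in ("ip", proto):
        return False
    return (src in ace.src and dst in ace.dst
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def vpn_filter_permits(acl, *, initiator, initiator_port, responder,
                       responder_port, local_initiated, proto="tcp"):
    """True if the first packet of the flow passes the filter (implicit deny)."""
    if local_initiated:  # remote side is the responder; it still goes in src
        src, sport, dst, dport = responder, responder_port, initiator, initiator_port
    else:
        src, sport, dst, dport = initiator, initiator_port, responder, responder_port
    src, dst = ip_address(src), ip_address(dst)
    return any(_matches(a, proto, src, sport, dst, dport) for a in acl)


LOCAL_WEB, LOCAL_CLIENT = "192.168.1.2", "192.168.1.20"   # local subnet
REMOTE_CLIENT, REMOTE_SRV = "192.168.2.1", "192.168.2.50"  # customer subnet

# The filter as last posted in the thread: local subnet in the source position.
AS_POSTED = [parse_ace(l) for l in (
    "access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http",
)]
# Remote side as source; the remote port the local side may connect to sits
# on the source side of the ACE.
CORRECTED = [parse_ace(l) for l in (
    "access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http",
    "access-list acl_client permit tcp 192.168.2.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0",
)]


def scenarios(acl):
    """Evaluate four constructed flows against an ACL."""
    f = vpn_filter_permits
    return {
        "remote_client_to_local_web": f(acl, initiator=REMOTE_CLIENT, initiator_port=51000,
                                        responder=LOCAL_WEB, responder_port=80, local_initiated=False),
        "local_to_remote_web": f(acl, initiator=LOCAL_CLIENT, initiator_port=52000,
                                 responder=REMOTE_SRV, responder_port=80, local_initiated=True),
        "remote_to_local_ssh": f(acl, initiator=REMOTE_SRV, initiator_port=53000,
                                 responder=LOCAL_CLIENT, responder_port=22, local_initiated=False),
        # caveat: source port 80 from the remote side also matches 'eq 80' on src
        "remote_sport80_to_local_ssh": f(acl, initiator=REMOTE_SRV, initiator_port=80,
                                         responder=LOCAL_CLIENT, responder_port=22, local_initiated=False),
    }


if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, scenarios(acl))
```

Running it shows the posted filter passing only the customer's http flow and dropping everything the local side initiates, which matches the symptom reported in the thread, while the corrected filter passes local-initiated web traffic but, as the last scenario shows, still cannot distinguish a remote host that happens to use source port 80.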
