VPN Group-Policy

Unanswered Question
Oct 27th, 2008

Hi,

I have a site-to-site VPN set up with a client on our PIX. The tunnel is currently using the default group policy, so access is only permitted to the customer servers. I would like to grant the customer site http access to one of our internal servers. Below is the config I have used. Once I'd applied the config below, I could no longer connect to any of the customer servers.

access-list acl_client_access permit tcp host x.x.x.x host x.x.x.x eq http

group-policy gp_client internal
group-policy gp_client attributes
 vpn-filter value acl_client_access
 vpn-tunnel-protocol IPSec

tunnel-group x.x.x.x general-attributes
 default-group-policy gp_client

Your help is appreciated.

Thanks

Farrukh Haroon Mon, 10/27/2008 - 06:05

The direction of vpn-filter ACLs is a little tricky; have a look at this:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo


It would be nice if you could post the exact ACL outlining the VPN pool and server IPs (you may substitute them with any dummy addresses for security reasons, but x.x.x.x doesn't help much).


Regards


Farrukh

alraycisco Mon, 10/27/2008 - 08:25

Hi,


The access-list I mentioned above is configured to permit the client host to the ftp server and nothing else. All traffic is NAT 0'd.


I changed the access-list to also permit the internal subnet (my network) to the client subnet. Yet I still can't connect to the client machines anymore.


Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24


access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1

alraycisco Mon, 10/27/2008 - 09:03

I also tried the following acl:


access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.1 eq 80

access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0



Farrukh Haroon Mon, 10/27/2008 - 12:46

Try running the 'packet-tracer' command on the desired TCP flow and see what you get.


Regards


Farrukh

alraycisco Wed, 10/29/2008 - 03:55

Hi,


The packet tracer shows the traffic being dropped by an access-list, but it doesn't say which one. The message I get is '(acl-drop) Flow is denied by configured rule'


Thanks

Farrukh Haroon Wed, 10/29/2008 - 04:02

It does show the ACL name, just make sure you use the 'detailed' keyword after the command.


Regards


Farrukh

alraycisco Wed, 10/29/2008 - 04:20

Hi,


If I add a permit ip any any to the access-list being used by the vpn-filter, this gives me access again to the customer hosts.


My understanding of the VPN filter is that I should be able to permit access from my subnet to the clients and also give the required access to the customer clients to get http access to my subnet.


I don't want to permit all access from the client subnet to mine, unless it was initiated from my subnet.

Farrukh Haroon Wed, 10/29/2008 - 04:28

You would need to tell more details about the IP addressing to comment on the VPN filter. As a second step, you can enable ALL IP traffic between the subnets (instead of specific ports), then see if it works.


Regards


Farrukh

alraycisco Wed, 10/29/2008 - 04:45

Hi, the details are:


Internal Subnet: 192.168.1.0/24

Client Subnet: 192.168.2.0/24


We're not natting to anything currently.


The VPN filter acl is as follows:


access-list acl_client permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_client permit tcp host 192.168.2.1 host 192.168.1.2 eq http


However, this results in no traffic being allowed from the internal subnet to the client subnet.


Thanks


Farrukh Haroon Wed, 10/29/2008 - 04:52

It seems you did not read the document I posted earlier, here is the quote:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#backinfo


"An ACL that is used for a vpn-filter must not also be used for an interface access-group. When a vpn-filter is applied to a group-policy/user name mode that governs Remote Access VPN Client connections, the ACL must be configured with the *client* assigned IP addresses in the *src_ip position* of the ACL and the local network in the dest_ip position of the ACL"


So your ACL should be the other way around:


access-list acl_client permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0


Regards


Farrukh
alraycisco Wed, 10/29/2008 - 05:15

Hi,


I did have a look at the document you suggested. The only problem with having the ACL that way round is that I would then be permitting full access from the customer site to mine. I only want to allow http access that is initiated from the client site. The rest of the traffic that is permitted should be initiated from my subnet.


Thanks

jsteffensen Wed, 05/06/2009 - 05:17

Hi alraycisco


As far as I know, this is not possible to do, since the VPN filters are "applied" bidirectionally.


I guess sending a feature request to Cisco, asking them to change this and make the access-lists behave like real ACLs, would be the thing to do.
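Added example, not from the thread or from Cisco: a small Python model of the vpn-filter evaluation that the quoted note and the last reply describe. It assumes that packets arriving from the tunnel are matched as the ACL is written (client in the source position), and that for packets leaving towards the tunnel the firewall swaps source and destination and compares an 'eq' port against the packet's source port, which is what makes a single ACE bidirectional. The ACL name 'a' and the flow addresses and ports are constructed; the subnets are the ones posted above.

```python
import ipaddress

def _addr(tok):
    # One ACL address spec: 'host A', 'any', or 'NET MASK' (PIX/ASA ACLs use a normal subnet mask)
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = (80 if rest[1] in ("http", "www") else int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def vpn_filter_allows(acl, proto, src, dst, dport, sport=None, from_client=True):
    """True if the flow passes the vpn-filter. from_client=True: packet came from the tunnel,
    matched as written (client in the src position). from_client=False: packet goes to the
    tunnel; src/dst are swapped and 'eq' is compared with the packet's SOURCE port. Implicit deny."""
    a_src, a_dst, a_port = (src, dst, dport) if from_client else (dst, src, sport)
    for action, p, s, d, port in acl:
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(a_src) not in s or ipaddress.ip_address(a_dst) not in d:
            continue
        if port is not None and port != a_port:
            continue
        return action == "permit"
    return False

# ACLs from the thread (name shortened to 'a'): the poster's ordering, Farrukh's, and the http-only ACE.
POSTED = parse_acl("access-list a permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0\n"
                   "access-list a permit tcp host 192.168.2.1 host 192.168.1.2 eq http")
CORRECTED = parse_acl("access-list a permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0")
HTTP_ONLY = parse_acl("access-list a permit tcp host 192.168.2.1 host 192.168.1.2 eq 80")

if __name__ == "__main__":
    # A local host opening SSH to a customer server: denied by POSTED, allowed by CORRECTED.
    print(vpn_filter_allows(POSTED, "tcp", "192.168.1.5", "192.168.2.10", 22, 40000, False))
    print(vpn_filter_allows(CORRECTED, "tcp", "192.168.1.5", "192.168.2.10", 22, 40000, False))
    # HTTP_ONLY passes the client's request and also 192.168.1.2 talking back from port 80.
    print(vpn_filter_allows(HTTP_ONLY, "tcp", "192.168.2.1", "192.168.1.2", 80, 40000))
    print(vpn_filter_allows(HTTP_ONLY, "tcp", "192.168.1.2", "192.168.2.1", 40000, 80, False))
```

Under this model there is no ACE that distinguishes a client-initiated HTTP session from a local host talking to the client from source port 80, which is the limitation the last reply points out.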
