Internet thru Remote VPN on ASA

Unanswered Question
Dec 2nd, 2009

Hello,

We are removing our legacy VPN concentrators and are using the ASA firewalls as the VPN enpoints for Remote/Eazy/L2L VPN access. Our policy is to allow full tunneling for the end users back to the corporate office, so they have Internet access with restricted outbound port level access. This was setup on the concentrator via the tunnel route feature, on the ASA we wouldn't need this because I intend to have the traffic route back out the way it came in on the outside interface. I've tested this out in the LAB and had it working. I have a few questions and concerns on how I had this to work.

1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?

2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?

3. How do I restrict the outbound Internet access from the Remote VPN subnet since the inside acl policy is bound to the inside interface???? The NAT is occurring on the outside interface for the Remote VPN subnet, applying an access-list out here would not work because the acl out only works after it has gone thru NAT, this would not help me out at all.

Thanks,

John

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ivan Martinon Wed, 12/02/2009 - 09:21

Hi John, let me try to answer your quesitons:

1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?

2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?

- Both of this will have the security concern that a normal host going out to the internet will have, of course, controlling the access to internet which can be done via vpn filters might help by making sure that the only allowed ports/hosts are permitted to go thru.

The security concerns that I might see here are more relevant to the host accessing the internet rather than the platform (ASA) itself AFAIK there are no issues on the platform whith this kind of configuration.

3. How do I restrict the outbound Internet access from the Remote VPN subnet since the inside acl policy is bound to the inside interface???? The NAT is occurring on the outside interface for the Remote VPN subnet, applying an access-list out here would not work because the acl out only works after it has gone thru NAT, this would not help me out at all.

- In this you can use vpn filters, check the link below, just bare in mind that this filters are based on IP and TCP/UDP ports and cannot use dns names to restrict traffic through.

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

hth

Ivan

Actions

This Discussion