Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
1
Replies

Internet thru Remote VPN on ASA

johng231
Level 3
Level 3

‎12-02-2009 08:39 AM

Hello,

We are removing our legacy VPN concentrators and are using the ASA firewalls as the VPN enpoints for Remote/Eazy/L2L VPN access. Our policy is to allow full tunneling for the end users back to the corporate office, so they have Internet access with restricted outbound port level access. This was setup on the concentrator via the tunnel route feature, on the ASA we wouldn't need this because I intend to have the traffic route back out the way it came in on the outside interface. I've tested this out in the LAB and had it working. I have a few questions and concerns on how I had this to work.

1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?

2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?

3. How do I restrict the outbound Internet access from the Remote VPN subnet since the inside acl policy is bound to the inside interface???? The NAT is occurring on the outside interface for the Remote VPN subnet, applying an access-list out here would not work because the acl out only works after it has gone thru NAT, this would not help me out at all.

Thanks,

John

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎12-02-2009 09:21 AM

Hi John, let me try to answer your quesitons:

1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?

2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?

- Both of this will have the security concern that a normal host going out to the internet will have, of course, controlling the access to internet which can be done via vpn filters might help by making sure that the only allowed ports/hosts are permitted to go thru.

The security concerns that I might see here are more relevant to the host accessing the internet rather than the platform (ASA) itself AFAIK there are no issues on the platform whith this kind of configuration.

3. How do I restrict the outbound Internet access from the Remote VPN subnet since the inside acl policy is bound to the inside interface???? The NAT is occurring on the outside interface for the Remote VPN subnet, applying an access-list out here would not work because the acl out only works after it has gone thru NAT, this would not help me out at all.

- In this you can use vpn filters, check the link below, just bare in mind that this filters are based on IP and TCP/UDP ports and cannot use dns names to restrict traffic through.

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

hth

Ivan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents