Restricting Site to Site VPN traffic flow

Unanswered Question
Dec 8th, 2009
User Badges:

Hi guys,


I am getting my head round Cisco ASA's gradually. I am trying to understand what restricts site to site traffic.


We have a central ASA that hosts the main internet Gateway.


We have a branch with a PIX that has a site to site VPN connection.


I would like to understand how to restrict that branch site's internet access. Is there an ACL that I need to create/edit?


I've been looking at the ACL manager and I understand the ACLs being applied to the Inside / Outside / DMZ interfaces but cannot understand which ACLs apply to site to site VPN traffic.


Any advice helpful!!


Mario De Rosa

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Tue, 12/08/2009 - 13:14
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

marioderosa2008 wrote:


Hi guys,


I am getting my head round Cisco ASA's gradually. I am trying to understand what restricts site to site traffic.


We have a central ASA that hosts the main internet Gateway.


We have a branch with a PIX that has a site to site VPN connection.


I would like to understand how to restrict that branch site's internet access. Is there an ACL that I need to create/edit?


I've been looking at the ACL manager and I understand the ACLs being applied to the Inside / Outside / DMZ interfaces but cannot understand which ACLs apply to site to site VPN traffic.


Any advice helpful!!


Mario De Rosa


Mario


There are a number of subtleties to this.


1) If the command  "sysopt connection permit-vpn" is enabled then this allows any VPN traffic after being decrypted to bypass any acls on an interface ie. the VPN traffic is not checked against the acl.


2) If it is disabled ie. "no sysopt connection permit-vpn" then any decrypted VPN traffic is then checked against any acl applied to the interface


more details on the sysopt command -


https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217


3) The other way to filter VPN traffic on a site-to-site is to use the "vpn-filter" command -


https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1570975


Jon

marioderosa2008 Tue, 12/08/2009 - 14:27
User Badges:

Thanks for replying Jon.


I have inherited this ASA configuration so excuse me if it sounds as though I am not knowledgeable about how it is set up.


Firstly, i searched the configs for those commands and it appears that none of them are being used.


So, can I assume that because none of the commands are being used, the sysopt command is enabled by default and the remote branch office has complete unrestricted internet access? (Providing there is no kind of interface ACL on the branch F/W that is denying traffic.)


To help me understand this better, to control internet access at Central ASA firewall, what interface would I apply ACLs on? I have been trying to get my head around the different interfaces, would i just apply an ACL to the outside interface in the outbound direction?


Mario

Jon Marshall Tue, 12/08/2009 - 15:35
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

marioderosa2008 wrote:


Thanks for replying Jon.


I have inherited this ASA configuration so excuse me if it sounds as though I am not knowledgeable about how it is set up.


Firstly, i searched the configs for those commands and it appears that none of them are being used.


So, can I assume that because none of the commands are being used, the sysopt command is enabled by default and the remote branch office has complete unrestricted internet access? (Providing there is no kind of interface ACL on the branch F/W that is denying traffic.)


To help me understand this better, to control internet access at Central ASA firewall, what interface would I apply ACLs on? I have been trying to get my head around the different interfaces, would i just apply an ACL to the outside interface in the outbound direction?


Mario


Mario


Yes sysopt connection permit-vpn is enabled by default.


Not sure what you mean by unrestricted internet access. Does your remote branch connect to central site with a site-to-site VPN and then go back out of the ASA to the internet ?


Jon

marioderosa2008 Wed, 12/09/2009 - 11:54
User Badges:

Hi Jon,


this is the traffic flow...


BRANCH PIX ------>  CO ASA -------> INTERNET


What I would like to do is control internet access from the CO ASA. I am thinking that it is probably best to use the vpn-filter command in the tunnel group config context?


WHat do you think?


Mario

Mark DeLong Wed, 12/09/2009 - 19:06
User Badges:

The "vpn-filter" in group-policy or the user profile only works on ras vpns to my knowledge. Some in another post mentioned that it worked on l2tp vpns too but I've never done that so I cannot attest to it.



Thanks,


Mark

Mark DeLong Wed, 12/09/2009 - 19:33
User Badges:

The link that jon gave for the "vpn-filter" command implies that this only works on RAS VPNs but this link to a configuration guide for the command pretty much says it explicitly in the requirements section:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


The VPN-Filter command cannot be used for site-to-site's nor had I ever heard of it being an option in tunnel-group mode. I just went into an ASA and checked a l2l tunnel as well as a remote access tunnel and didn't find it in either place so I'm pretty sure that it is only in group-policy and user policy and only for RAS VPN's and L2L VPN's unless this is a old PIX thing.



Thanks,


Mark

Jon Marshall Thu, 12/10/2009 - 02:46
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

mark.delong1 wrote:


The link that jon gave for the "vpn-filter" command implies that this only works on RAS VPNs but this link to a configuration guide for the command pretty much says it explicitly in the requirements section:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


The VPN-Filter command cannot be used for site-to-site's nor had I ever heard of it being an option in tunnel-group mode. I just went into an ASA and checked a l2l tunnel as well as a remote access tunnel and didn't find it in either place so I'm pretty sure that it is only in group-policy and user policy and only for RAS VPN's and L2L VPN's unless this is a old PIX thing.



Thanks,


Mark


Mark


I think vpn-filter can be used for site-to-site although personally i have never used it -


VPN filter


I haven't used ASA v8.x but i know that on previous versions that if you disable "sysopt connection permit-vpn" you don't need to allow ESP and IKE in your acl. You do on routers but not on the firewalls. In fact it is almost impossible to stop your firewall from listening for IPSEC connections .


I totally agree that internet access should be controlled by a proxy as you say.


Jon

Mark DeLong Wed, 12/09/2009 - 21:16
User Badges:

Restricting site to site VPN traffic and internet traffic are two different things. Internet traffic is best managed with an internet proxy server (websense or ISA or something) even though ASAs do have a litte bit of this functionality in this it is not really what they are built for. ASAs mainly are going to allow filtering based on IP address or tcp/udp ports and because internet filtering is best done by DNS name and URLs it won't be easy nor are there many options in the ASA to do this compared to a purpose build Internet Proxy server.


As far as vpn traffic goes you can limit it just like Jon said by turning of "sysopt connection permit-vpn" with it's no form. Then you have to allow in esp and isakmp on the outside inbound access-list from the remote vpn device's IP to the local VPN's outside IP. After this you must specifically permit any traffic that will go over the vpn also on this access-list. It would look a little something like this on the CO ASA:


config t

     no sysopt connection permit-vpn



#next we permit the encrypted VPN traffic from the remove firewall (these are the two neccessary protocols for an ipsec vpn):


     access-list outside_inbound permit esp host remote_firewall_outside_ip host local_firewall_outside_ip

     access-list outside_inbound permit upd host remote_firewall_outside_ip host local_firwall_outside_ip eq isakmp


#next we permit the unecrypted traffic. The IP addresses we use here will reflect your internal host IPs. I will use the 192.168.1.0 subnet at the branch and 192.168.2.0 subnet at the CO.


     access-list outside_inbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Be careful though as this configuration (specifically turning off "sysopt connection permit-vpn") affects all vpns getting terminated on any interface of the device. So once you turn this function off you will have to explicitly allow any vpn traffic encrypted and unencrypted, site to site, or ras on your access-list. You can see how this would start get pretty taxing on configuring allowed internet websites unless you were only allowing employees access to a handful and then denying everything else. Even then if the IPs changed to these websites you would have to reconfigure. If you are interested in the url filtering commands on the ASA then I would apply them to the to the egress interface for internet in an outbound direction rather than over the vpn and when using these most people block certain sites or services and then allow everything else. Once again because it is just too much configuration on an ASA to manage internet access. Much easier to do with a Internet Proxy as these have long downloaded lists of urls and dns names to block provided by the vendor and all you have to do is choose which categories to block.



Mark

marioderosa2008 Thu, 12/10/2009 - 07:50
User Badges:

Thanks for your input guys, i really appreciate it!!


I am going to look at my CO config so that I get a better understanding of the commands that you suggested Mark.


I have a lot of experience with ISA. So that is an option.


At the moment we just want to filter traffic based on protocol. Basically i would like to allow HTTP/S and a couple of others and then deny everything else.


I know how to create the ACL, I am just a bit shady as to where to apply the ACL.


Mario

Mark DeLong Fri, 12/11/2009 - 14:05
User Badges:

The ACL we are talking about is the one that is associated with the outside interface (it might be called something different but it is the one that is connected to WAN rather than the local network) of your ASA. (I was talking about this interface in my last post as you said you wanted to filter VPN traffic at the CO site but you could just as easily filter this traffic with an ACL on one of the interfaces on the PIX at your branch site and this would save you bandwidth over your VPN and make it so you didn't have to remove the sysopt connection permit-vpn statement from the ASA.)


If you don't know which acl is the right one to edit (as there is probably one already in place) just check out the "access-group" commands in your config. They will name the acl and the interface and the direction that the acl is applied in. As in most ASA's there is probably already an ACL applied in the inbound direction on the WAN inteface. This is the one that needs to have statements that explicitly allow your vpn traffic if you remove the sysopt connection permit-vpn statement. I supose there might not be an ACL on this interface if this is a brand new ASA ( i don't remember if there is a default one) but it probably already has one.


As far as what jon said on the not having to allow in esp and isakmp: He's right. For some reason I was thinking about routers. In a PIX or ASA this traffic is allowed with the command "crypto isakmp enable interface" and should already be in place if you already have an active VPN coming in an inteface. So you really only need to allow the VPN unecrypted traffic on this ACL. Though if you did add the statements to allow isakmp and esp it wouldn't hurt anything as long as you explicity defined the traffic as coming from the outside interface ip of the pix goign to the outside interface ip of the asa. If you wrote this less explicity like with an "any" in there somewhere you could be allowing ipsec vpns to passthrough your ASA which may not be your intent.


Attached is a diagram in case you are still not sure about which interface this acl should be on if you want to filter vpn traffic at the CO site as we had originally talked about. Remember that there is probably already an ACL in place and you are probably just going to want to add to it.



Cheers,


Mark

Mark DeLong Fri, 12/11/2009 - 14:14
User Badges:

Just in case I didn't say it too explicitly somewhere in that very verbose post:


ASA, Outside interface, Inbound Direction.



Thanks!


Mark

marioderosa2008 Wed, 12/16/2009 - 02:07
User Badges:

Hi Mark,


i appreciate your time on this.


So due to us having multiple remote sites and users, i think i should not disable the sysopt connection permit-vpn option on the CO firewall.


Then to restrict certain protocols over the VPN, i should apply an ACL on each branch PIX, either on the Inside Interface Inbound or Outside interface Outbound.


Correct??


Mario

Mark DeLong Thu, 12/17/2009 - 08:28
User Badges:

Mario,


I think that is a great idea! In the end I think it will give you a less complex config and it will be alot easier (even though you do have to config multiple devices). You are absolutely right on the direction of the ACLs on the interfaces. I would recommend the Outside interface if you want to filter traffic from multiple inside/DMZ intefaces on the PIX (all site traffic) going over the VPN. I would recommend you put the ACL on the inside interface (or any other one besides the WAN) if you are just trying to filter the traffic coming in that single interface going over the VPN.


There are two ways to write this ACL. The first way is you can deny specific traffic and then allow all other traffic by ending the ACL in a "permit ip any any". This is alot easier then the other method because you do not need to find out all of the protocols that are running over the network (not that you shouldn't if you have the time) and just have to know what you want to deny. It should also be noted that this way of writing an ACL is not appropriate for all situations (but it should be fine for this one).


The other way to write this ACL is to only permit the specific traffic that you want and then let the default "deny ip any any" statement that is at the end of all ACLs to drop all other packets. This is how we write our inbound ACLs on our WAN interfaces and it is doable in this situation too. What you are going to find though is that this often causes alot of phone calls and headaches because if don't put in some time and do a network protocol audit then you often end up blocking protols that are in use on your network that you didn't know about. Almost every network has many protocols in use that we often don't think of. So unless you got the time and want to get more aquainted with WireShark (or another handy protocl analyzer/sniffer) and you want really finite control of this traffic or have a really tight security policy I would suggest the first method.



Cheers,


Mark

Actions

This Discussion