What controls what network resources the VPN has access to?

Unanswered Question
Apr 5th, 2010

I understand how security levels work, but what about the VPN? Does VPN have a "security level"?

The biggest reason why this is confusing me is because the NAT rules I'm using to permit access from the VPN to internal interfaces seem like they should not work, but they do...

I've been told that NAT Exempt rules permit bi-directional traffic but only permit traffic initiated from an interface that has an appropriate ACL applied...

With that said, I would assume that these commands (in bold) would permit DMZ and Inside to initiate a connection destined for the VPN, not the other way around... I hope that makes sense. The connection is being initiated from a VPN client. Does the split tunnel ACL have anything to do with this?

Result of the command: "show run access-list"

access-list bcc_splitTunnelAcl standard permit inside-network

access-list bcc_splitTunnelAcl standard permit dmz-network

access-list bcc_splitTunnelAcl standard permit wifi-network

access-list inside_nat0_outbound extended permit ip inside-network vpn01-network

access-list inside_nat0_outbound extended permit ip inside-network dmz-network

access-list inside_nat0_outbound extended permit ip inside-network wifi-network

access-list dmz_nat0_outbound extended permit ip dmz-network vpn01-network

Jennifer Halim Mon, 04/05/2010 - 19:04

The "dmz_nat0_outbound" access-list should be applied to your dmz interface as follows:

assuming the dmz interface is named dmz: nat (dmz) 0 access-list dmz_nat0_outbound.

The ACL is already correctly configured. If you just added the split tunnel access-list for the dmz, you would need to disconnect and reconnect from your vpn client for the split tunnel to take effect.

Hope that helps.

rcmcdonald91 Mon, 04/05/2010 - 19:18

Yeah, I've done that.

I'm just wondering exactly why this ACL works in this case to permit a connection that was initiated by a VPN client, when it seems that this particular ACL command is actually for connections initiated from the DMZ (or the inside).


Jennifer Halim Mon, 04/05/2010 - 19:26

No, this access-list:

access-list dmz_nat0_outbound extended permit ip dmz-network vpn01-network

is allowing traffic from the dmz network towards the vpn ip pool, and it works bidirectionally.

Traffic initiated from VPN is allowed by default if you have "sysopt connection permit-vpn" configured. Otherwise, you would need to explicitly configure access-list on the outside interface to permit the vpn clear text traffic in.

The reason is that if you are already connected via VPN, you are already considered safe; therefore "sysopt connection permit-vpn" is enabled by default so there is no overhead in configuring more access-lists on the outside interface. Also, if you configure an ACL on the outside interface to allow the vpn pool in, there is a chance that someone might spoof the ip pool address and initiate an inbound connection from the outside in clear text.

If you would like to restrict traffic from VPN towards the internal/dmz network, you can use the "vpn-filter" feature on the group-policy to only allow specific access from the vpn pool subnet.

Hope that helps.
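The three pieces discussed in this thread, put together as an added configuration example (this is not the original poster's config or anything from Cisco's documentation). It uses the pre-8.3 ASA NAT syntax the thread uses; the host addresses 10.1.2.10 and 10.1.1.20, the group-policy name "bcc", and the ACL name VPN_FILTER are assumptions for illustration. The existing network names (dmz-network, vpn01-network) are reused from the thread.

```text
! --- Added example, not from the original thread. Names marked "assumed" are hypothetical.

! 1. NAT exemption. The ACL is written from the dmz interface's point of view
!    (source dmz-network, destination vpn01-network), but identity NAT is stateful
!    and bidirectional, so a connection a VPN client opens into the DMZ matches it too.
access-list dmz_nat0_outbound extended permit ip dmz-network vpn01-network
nat (dmz) 0 access-list dmz_nat0_outbound

! 2. Default behaviour: decrypted VPN traffic bypasses the outside interface ACL.
!    This is why no "permit vpn01-network ..." entry is needed on the outside ACL,
!    and why adding one would invite spoofed clear-text traffic from the Internet.
sysopt connection permit-vpn

! 3. Because the outside ACL is bypassed, a vpn-filter on the group-policy is the
!    control that limits what a connected client can reach. Rules are written with
!    the VPN client as SOURCE and the internal host/service as DESTINATION; the ASA
!    tracks state, so return traffic is allowed without a reverse rule.
!    (10.1.2.10 = assumed DMZ web server, 10.1.1.20 = assumed inside jump host)
access-list VPN_FILTER extended permit tcp vpn01-network host 10.1.2.10 eq 443
access-list VPN_FILTER extended permit tcp vpn01-network host 10.1.1.20 eq 22
access-list VPN_FILTER extended deny ip any any log

! "bcc" is the assumed group-policy name for the tunnel-group whose split tunnel
! ACL is bcc_splitTunnelAcl in the thread.
group-policy bcc attributes
 vpn-filter value VPN_FILTER

! Verification after the client reconnects (group-policy changes, like the split
! tunnel change, only take effect on a new session):
show access-list VPN_FILTER
show vpn-sessiondb remote filter name <username>
```

Two caveats worth keeping in mind: the split tunnel ACL (bcc_splitTunnelAcl) only tells the client which destinations to send through the tunnel; it grants nothing on the ASA side, so the vpn-filter is the place to enforce least privilege. And the vpn-filter ACL, like any ACL, ends in an implicit deny; the explicit "deny ip any any log" is there so attempts to reach anything outside the two permitted services show up in the logs.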

