What controls what network resources VPN has access too?

rcmcdonald91
Level 1

I understand how security levels work, but what about the VPN? Does VPN have a "security level"?

The biggest reason why this is confusing me is because the NAT rules I'm using to permit access from the VPN to internal interfaces seem like they should not work, but they do...

I've been told that NAT Exempt rules permit bi-directional traffic but only permit traffic initiated from an interface that has an appropriate ACL applied...

With that said, I would assume that these commands (in bold) would permit DMZ and Inside to initiate a connection destined for the VPN. Not the other way around... I hope that makes sense. The connection is being initiated from a VPN client? Does the split tunnel ACL have anything to do with this?

Result of the command: "show run access-list"

access-list bcc_splitTunnelAcl standard permit inside-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit dmz-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit wifi-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn01-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0


Jennifer Halim
Cisco Employee

The "dmz_nat0_outbound" access-list should be applied to your dmz interface as follows:

assuming the dmz interface is named dmz: nat (dmz) 0 access-list dmz_nat0_outbound.

The ACL is already correctly configured. If you just added the split tunnel access-list for the dmz, you would need to disconnect and reconnect from your vpn client for the split tunnel to take effect.

Hope that helps.

Yea I've done that.

I'm just wondering exactly why this ACL works in this case to permit a connection that was initiated by a VPN client. When it seems that this particular ACL command is actually for connections initiated from DMZ (or the inside).

Thanks

No, this access-list: access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0

is allowing traffic from dmz network towards vpn ip pool, and it works bidirectionally.

Traffic initiated from VPN is allowed by default if you have "sysopt connection permit-vpn" configured. Otherwise, you would need to explicitly configure access-list on the outside interface to permit the vpn clear text traffic in.

The reason is if you are already VPN in, it is already considered safe, therefore the "sysopt connection permit-vpn" is enabled by default so there is no overhead in configuring more access-list on the outside interface. Also, if you configure ACL on the outside interface to allow the vpn pool in, there is a chance that someone might spoof the ip pool address, and initiate inbound connection from the outside in clear text.

If you would like to restrict traffic from VPN towards the internal/dmz network, you can use the "vpn-filter" feature on the group-policy to only allow specific access from the vpn pool subnet.

Hope that helps.
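The vpn-filter approach from the reply above, written out as an added ASA configuration example (not part of the thread). It assumes the names from the poster's config (vpn01-network, dmz-network, inside-network) and uses placeholder names for the group policy (GP_VPN01), the tunnel group (bcc) and an internal DNS host; it also assumes the vpn-filter ACL is written with the VPN pool as source and the protected network as destination, which the ASA then enforces for both directions of each connection.

```cisco
! Added example, not the poster's configuration. Placeholders: GP_VPN01, bcc, 10.0.0.53.
! Instead of relying on "sysopt connection permit-vpn" giving the pool full access,
! restrict decrypted VPN traffic to the services it actually needs.
!
! vpn-filter ACLs: source = VPN client (pool), destination = internal resource.
! The filter is stateful/bidirectional, so only the initiating direction is listed.
access-list VPN01_FILTER extended permit tcp vpn01-network 255.255.255.0 dmz-network 255.255.255.0 eq 443
access-list VPN01_FILTER extended permit tcp vpn01-network 255.255.255.0 inside-network 255.255.255.0 eq 3389
access-list VPN01_FILTER extended permit udp vpn01-network 255.255.255.0 host 10.0.0.53 eq 53
! Explicit deny makes the intent visible in "show access-list" hit counts;
! an unlisted flow would be dropped by the implicit deny anyway.
access-list VPN01_FILTER extended deny ip any any
!
! Attach the filter to the group policy used by the remote-access tunnel group.
group-policy GP_VPN01 attributes
 vpn-filter value VPN01_FILTER
!
tunnel-group bcc general-attributes
 default-group-policy GP_VPN01
!
! Verification after clients reconnect (the filter, like split tunneling,
! applies to new sessions):
!   show run sysopt                 -> confirms whether permit-vpn is in effect
!   show access-list VPN01_FILTER   -> per-entry hit counts for allowed/denied flows
```

The NAT exemption (nat (dmz) 0 access-list dmz_nat0_outbound) stays as it is; it only controls address translation, while the vpn-filter decides which decrypted flows are permitted at all.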
