asymmetric access control in site to site vpn

Unanswered Question
Jun 29th, 2010

Hi,


I'm trying to set up a site to site VPN between my two ASA 5510 ver 8.3. Both site A and site B can access each other without any problem. Is it possible to configure the site A firewall so that site A can fully access site B but site B can only access a subset of traffic to site A?


I have tried the following at site A, but it wouldn't stop the traffic from site B:

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

Thanks,

Simon

jkawabat Tue, 06/29/2010 - 06:35

For testing, you could also check the acl defined on the crypto map on both sides as part of the interesting traffic that will flow over the tunnel.

simon.law Tue, 06/29/2010 - 19:13

acl for "inbound" works only from site B.


Is there any way at site A to specify the traffic to accept from site B?


Thanks,

Simon

Walter Lopez Tue, 06/29/2010 - 19:52
User Badges: Cisco Employee

Simon,


Another way to do that would be using a VPN Filter ACL. You can use this link as reference:


http://www.cisco.com/application/pdf/paws/99103/pix-asa-vpn-filter.pdf


The Filter will work just locally in the ASA that has this set up. This will allow or drop the traffic that is coming from site B to site A.


**** Note: Please be sure you create the ACL in the correct way (source as destination and destination as source; see link above).
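
A vpn-filter configuration for the site A ASA, written out as an added example; it is not from the thread or from the linked Cisco document. The prefixes 172.16.3.0/24 (site B) and 172.16.6.0/24 (ktm-lan at site A) are taken from Simon's later posts; the object names, the group-policy name and the peer address 203.0.113.1 are assumptions. The filter ACL follows the note above: site B is the source, site A is the destination.

```cisco
! Site A ASA 5510, 8.3. Addresses are from the thread; object/policy names
! and the peer address 203.0.113.1 are assumed for the example.
object network remote-lan
 subnet 172.16.3.0 255.255.255.0
object network ktm-lan
 subnet 172.16.6.0 255.255.255.0

! Filter ACL, written with site B as SOURCE and site A as DESTINATION:
! hosts at site B may open RDP (TCP/3389) to ktm-lan and nothing else.
access-list VPNFILTER-SITEB extended permit tcp object remote-lan object ktm-lan eq 3389
access-list VPNFILTER-SITEB extended deny ip any any log

! Attach the filter to the group policy that the L2L tunnel group uses.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPNFILTER-SITEB
 vpn-tunnel-protocol IPSec
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-SITEB

! Verification: hit counts on the filter after a test connection from site B.
show access-list VPNFILTER-SITEB
```

Two things to keep in mind when using this. The filter only ever touches traffic that arrives through (or is about to enter) the tunnel, so cleartext packets on the outside interface are unaffected. But it is applied to post-decrypt traffic from site B and to pre-encrypt traffic toward site B, so a `permit ip` rule lets either side initiate; it can limit site B to a port, it cannot express "site A may reach site B but not the reverse".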

simon.law Wed, 06/30/2010 - 22:51

Hi Walter,


I think this is what I needed, I'll try it out.


Thanks very much for your help.


Simon.

simon.law Fri, 07/02/2010 - 02:16

Hi Walter,


vpn-filter is no good for my situation; it's still basically bi-directional. I achieve fully asymmetric control by using "no sysopt connection permit-vpn" together with an acl on my outside interface. However, I feel uncomfortable about using private addresses on the outside interface. Do you know if there is any security risk of doing this?


Thanks,

Simon

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

simon.law Fri, 07/02/2010 - 02:33

Hi Andrew,


Suppose I don't trust the remote site, is it possible to configure the "local" firewall to allow all outgoing traffic but deny all incoming traffic by using group policy and per-user access lists?


Thanks,

Simon

simon.law Fri, 07/02/2010 - 02:55

Hi Andrew,


Sorry, I'm confused. Were you referring to your email on June 29 about writing an acl for the inbound on the inside interface on the remote site to stop traffic to site A?


Thanks,

Simon

That is a possibility; listen, you have various options available to you. I personally restrict traffic as close to the "source" as possible; this helps me troubleshoot.


Since you actually want to restrict traffic once it has arrived at site A, you have 2 options.


1) Filter the "inbound" traffic from site B via an acl on the VPN profile after it's decrypted @ site A

2) Filter the "inbound" traffic from site B via an ACL and apply it on the "inside" interface in the "outbound" direction.


HTH

simon.law Sat, 07/03/2010 - 21:19

Hi Andrew,


Is option (1) using vpn-filter?


I did try option (2) but it wouldn't stop any traffic. What I did was as follows at site A:

   access-list inside_access_out extended deny ip any any

   access-group inside_access_out out interface inside

Am I missing something?


Thanks,

Simon

simon.law Sun, 07/04/2010 - 02:26

Hi Andrew,


Please find attached my configurations.


I have two local networks maxbel-lan and ktm-lan. I am trying to

- allow all traffic from maxbel-lan to remote-site

- stop all traffic from remote-site to maxbel-lan

- allow only rdp from ktm-lan to remote-site

- allow only rdp from remote-site to ktm-lan


I tried the following for testing but it wouldn't stop traffic from remote-site to ktm-lan:

  access-list ktm-lan_access_out extended deny ip any any

  access-group ktm-lan_access_out out interface ktm-lan


Thanks,

Simon

Gaston Bougie Sun, 07/04/2010 - 06:18

Hi Simon,


I think Andrew pointed you in the right direction, but you need the "no" statement before "sysopt connection permit-vpn".

This stops all vpn traffic unless you specify an access-list.


Regards,

Gaston Bougie

simon.law Sun, 07/04/2010 - 20:17

Hi Gaston,


I did get it to work using "no sysopt connection permit-vpn" but the acl needs to be applied to the outside interface. I feel so uncomfortable allowing access from the outside interface and I am looking for an alternate solution.


Thanks,

Simon
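
The approach Simon reports as working (no sysopt connection permit-vpn plus an ACL on the outside interface), written out against the four requirements in his July 4 post. This is an added example and is not the thread's configuration or the attachment. The prefixes remote-lan 172.16.3.0/24 and ktm-lan 172.16.6.0/24 come from his later posts; the maxbel-lan prefix 172.16.5.0/24, the interface names outside / maxbel-lan / ktm-lan and the object names are assumptions. IKE, the crypto map and NAT exemption are left out because the thread says the tunnel already passes traffic in both directions.

```cisco
! Site A ASA 5510, 8.3. Only the access-control lines are shown; IKE, crypto
! map and NAT exemption are assumed to be the existing, working ones.
! From the thread: remote-lan 172.16.3.0/24, ktm-lan 172.16.6.0/24.
! Assumed: maxbel-lan 172.16.5.0/24, interface names outside/maxbel-lan/ktm-lan.
object network remote-lan
 subnet 172.16.3.0 255.255.255.0
object network ktm-lan
 subnet 172.16.6.0 255.255.255.0
object network maxbel-lan
 subnet 172.16.5.0 255.255.255.0

! 1. Stop decrypted tunnel traffic from bypassing interface ACLs
!    (permit-vpn is the default, which is why the inside ACLs never matched).
no sysopt connection permit-vpn

! 2. Outside interface, inbound: what site B may initiate once decrypted.
!    Return packets for connections opened from site A are matched by the
!    state table, not by this ACL. IKE/ESP addressed to the ASA itself is
!    to-the-box traffic and is not subject to interface ACLs either.
access-list OUTSIDE-IN extended remark site B -> ktm-lan: RDP only
access-list OUTSIDE-IN extended permit tcp object remote-lan object ktm-lan eq 3389
access-list OUTSIDE-IN extended remark site B -> maxbel-lan: nothing (logged)
access-list OUTSIDE-IN extended deny ip object remote-lan object maxbel-lan log
access-list OUTSIDE-IN extended remark everything else hits the implicit deny
access-group OUTSIDE-IN in interface outside

! 3. Inside interfaces, inbound: what each local LAN may send toward site B.
!    maxbel-lan: unrestricted (first line is there only to show hit counts).
access-list MAXBEL-IN extended permit ip object maxbel-lan object remote-lan
access-list MAXBEL-IN extended permit ip any any
access-group MAXBEL-IN in interface maxbel-lan

!    ktm-lan: RDP to site B only, everything else to site B denied and logged,
!    Internet and other traffic untouched.
access-list KTM-IN extended permit tcp object ktm-lan object remote-lan eq 3389
access-list KTM-IN extended deny ip object ktm-lan object remote-lan log
access-list KTM-IN extended permit ip any any
access-group KTM-IN in interface ktm-lan

! 4. Verify with hit counts after a test connection from each side.
show access-list OUTSIDE-IN
show access-list KTM-IN
```

On the "private addresses on the outside interface" worry: the outside ACL is evaluated for every packet arriving on that interface, decrypted or not, and it has no way to tell the two apart. A cleartext packet reaching the outside interface with a forged 172.16.3.0/24 source and a 172.16.6.0/24 destination matches the same permit line, so this design relies on the upstream network not delivering such packets. The vpn-filter approach does not have that property, since it only sees tunnel traffic, but as noted above it applies in both directions.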

simon.law Mon, 07/05/2010 - 02:02

Hi Andrew,


Yes, I would like to block VPN traffic from other site to the LAN. Can you please let me know how I can do it?


Thanks,

Simon

Well, considering it's an "inside" interface, I would do something like:


access-list inside-out deny tcp > <> eq <>

access-list inside-out deny udp > <> eq <>

access-list inside-out permit ip any any


access-group inside-out out interface inside


Restrict what you don't want them to do, then permit everything else. Remember this is placed "outbound" on the interface, so you do need the permit ip any any, otherwise nothing else will be allowed onto the LAN!


HTH

simon.law Mon, 07/05/2010 - 03:11

Hi Andrew,


I just tried the following but it wouldn't stop the traffic:

access-list ktm_access_out deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out permit ip any any
access-group ktm_access_out out interface ktm


Actually, running-config shows them as

access-list ktm_access_out extended deny tcp object remote-lan object ktm-lan eq 3389
access-list ktm_access_out extended permit ip any any

access-group ktm_access_out out interface ktm

The acl is not triggered at all according to the log.


Thanks,

Simon

simon.law Mon, 07/05/2010 - 03:37

Hi Andrew,


I tried the following but it still doesn't work.

access-list ktm_access_out deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-group ktm_access_out out interface ktm


When I run show running-config, they became

access-list ktm_access_out extended deny tcp 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0 eq 3389
access-list ktm_access_out extended permit ip any any
access-group ktm_access_out out interface ktm


Mine is an ASA 5510 at ver 8.31.

Thanks,

Simon
