Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Block Outgoing VPN Access

I need to prevent the ability of visitors who connect laptops into the network and access the Internet via VPN client software. I can block regular web browsing through our Websense server, but it does not block users who initiate VPN sessions from inside the network.

Thanks for any help.

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Block Outgoing VPN Access

Dan,

The 2 acl's you currently have are not for the outside interface. One is for nat exemption and one is for split tunneling. These are for the vpn.

If you want to stop outbound vpn then use the acl config I posted above.

20 REPLIES
Community Member

Re: Block Outgoing VPN Access

access-list acl_outside deny udp any any eq 500

where acl_outside is your outside access list. This will effectively stop IKE traffic from the VPN peer they are connecting to.

Alternatively, you can apply this to an inside access list, if you have one.

Gold

Re: Block Outgoing VPN Access

you need to block *outgoing* connections to udp port 500. It won't do any good to block the incoming connections.

Community Member

Re: Block Outgoing VPN Access

I'm aware of that. However in the past I have found I had to open port 500 externally on my outside access list to allow VPN connections to be made from inside my network.

Community Member

Re: Block Outgoing VPN Access

That's the problem. We recently had a visitor that was able to bypass our security policy by connecting to the Internet from a VPN client installed on his laptop from inside our facility. I'm trying to block that in order to prevent that from happening again.

Community Member

Re: Block Outgoing VPN Access

Correct - the VPN device they are connecting to sends ESP traffic back through your firewall on port 500/udp. I have found by blocking this port the traffic does not come back to the client on my network, which is your desired result.

Community Member

Re: Block Outgoing VPN Access

Just block ESP and ISAKMP in your inside interface. That will take care of it.

e.g.

access-list access_inside_in extended deny ip any any 50

access-list access_inside_in extended deny udp any any 500

Community Member

Re: Block Outgoing VPN Access

Which is something else I mentioned in my first reply!

'Alternatively, you can apply this to an inside access list, if you have one.'

In quite a few cases I have seen no inside access list, which is why I suggested the outside interface first.

Community Member

Re: Block Outgoing VPN Access

Actually there is always an ACL apply to inside even if it is.

access-list inside_acces_in extended permit ip any any

Just insert the deny ACL's before the permits.

Community Member

Re: Block Outgoing VPN Access

Are you sure about that? It works even without an 'access-group inside_access_in in interface inside' config line?

I do not agree with your statement.

Community Member

Re: Block Outgoing VPN Access

Any PIX/ASA, FWSM by default will have an acl apply to the inside interface allowing all the traffic unless the user delete the acl and remove the access-group statement in the interface.

Community Member

Re: Block Outgoing VPN Access

Incorrect.

Interfaces have a security level. The higher the number, the more 'secure' it is.

By default traffic on a higher security level interface is permitted to pass onto a lower security level interface.

This is why traffic on your inside interface (security 100) is automatically permitted to pass onto your outside interface (security 0) unless you apply an access list to it.

Community Member

Re: Block Outgoing VPN Access

Anybody that know how the Adaptive Security Algorithm works in the PIX/ASA software knows that traffic from a higher security level will flow to a low security level without acl' or if there is no acl restricting the traffic. Still when you get the device out of the box it come with an acl apply to the inside allowing any traffic. If the device don't have an acl apply to inside it's because the user removed the acl. Which I really don't see a reason to don't have an acl in the inside of a firewall. So normally the most efficient and secure way to block traffic is blocking it in the nearest interface to the source, in this case the inside.

Community Member

Re: Block Outgoing VPN Access

I don't know very much about this, but there are only two acl's on this device, one for NAT and one for VPN split-tunneling. I would rather block it from the inside and absolutely not effect the external vpn users coming in. Would you guys mind taking a look at the configuration if I add it with the public addresses omitted?

Green

Re: Block Outgoing VPN Access

Rigoberto,

This is not correct...

access-list access_inside_in extended deny ip any any 50

access-list access_inside_in extended deny udp any any 500

It should be...

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

Community Member

Re: Block Outgoing VPN Access

Oops

Adam your absolutely right. I've been thinking too much in IP 50 lately. Dan I believe that nobody would mind if you post the config, at least I won't.

Community Member

Re: Block Outgoing VPN Access

Thanks so much for helping with this. I've attached the config to help clarify. I know the only two acl's on it now are for the outside interfaces only

Green

Re: Block Outgoing VPN Access

Dan,

The 2 acl's you currently have are not for the outside interface. One is for nat exemption and one is for split tunneling. These are for the vpn.

If you want to stop outbound vpn then use the acl config I posted above.

Community Member

Re: Block Outgoing VPN Access

You should move from conduits to ACL's

If you move to ACL's these should be what you need.

access-list access_outside_in extended permit tcp any host X.X.X.X eq 25

access-list access_outside_in extended permit tcp any host X.X.X.X eq 80

access-list access_outside_in extended permit tcp any host X.X.X.X eq 110

access-group access_outside_in in interface outside

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

HTH

Community Member

Re: Block Outgoing VPN Access

And remember to removed the conduits.

e.g.

no conduit permit icmp any any

BTW I forgot the acl for ICMP

access-list access_outside_in extended permit icmp any any

access-list access_outside_in extended permit tcp any host X.X.X.X eq 25

access-list access_outside_in extended permit tcp any host X.X.X.X eq 80

access-list access_outside_in extended permit tcp any host X.X.X.X eq 110

access-group access_outside_in in interface outside

access-list access_inside_in extended deny esp any any

access-list access_inside_in extended deny udp any any 500

access-list access_inside_in extended permit ip any any

access-group access_inside_in in interface inside

HTH

Gold

Re: Block Outgoing VPN Access

Stick your 'guest' users on their own vlan, and restrict everything but 80/443 or something like that. That'll solve lots of other security issues with 'guest' access too.

5650
Views
29
Helpful
20
Replies
CreatePlease to create content