Access-Group on Outside not Filtering VPN Tunnel Traffic?

BRIAN SEKLECKI
Level 1

1) Is there any way to adjust the "source address" behavior of traffic from the remote side of the IPSEC VPN? It appears to have a source-interface of the interface upon which the IPSEC VPN peer is reachable.

This is inevitably going to cause routing problems because the DMZ/Outside interfaces are public routable IP space and the Private/VPN are RFC1918 private.

2) Is there any reason why an access-group / access-list combination applied "inbound" to a DMZ or Outside interface would not match for traffic filtering from hosts/networks on the remote side of an IPSEC VPN tunnel?

TIA,

~BAS

5 Replies

BRIAN SEKLECKI
Level 1

I'm gonna take a wild guess here: The ACLs inbound are evaluated PRIOR to the de-encapsulation of the IPSEC packet.

This is why OpenBSD has an "enc0" interface upon which you can apply ACLs to IPSEC/VPN traffic after the de-encapsulation.

Someone?

BRIAN SEKLECKI
Level 1

OH MAN, it's worse than I thought.

Not only is traffic with source on the other side of the VPN tunnel, and destination a host on the Inside interface, NOT filtered by the inbound access-list on the Outside interface, *but get this*:

If an inbound access-list applied to an Inside interface has a 'block ip any any' line, it does not catch "reply" traffic as it ingresses the Inside interface destined for hosts on the other side of the VPN tunnel (where it has to egress the Outside interface and get re-encapsulated on its way to the peer).

This is presumably because ASA has automatic reflexive access lists.

Hi,

There is a command "sysopt connection permit-ipsec" which is doing all the trick. With this command in the firewall, it will allow all the ipsec traffic to come in the firewall.

If you want to filter/restrict the ipsec traffic, remove this command ("no sysopt connection permit-ipsec") from the config and configure an access list for the traffic you want to permit/deny.

For the return traffic, as you rightly said, ASA takes care of that by looking into various parameters.

Regards,

Tanveer

Wow, thanks. I guess I should have questioned "permit-ipsec" and "isakmp enable outside" AND "crypto map WhateverMapName interface outside". It's just in all of the examples for obvious reasons. >:}

I guess I just assumed that "sysopt connection permit-ipsec" turned on IPSec globally in the OS kernel. The problem is that it's an ambiguous name. "ipsec-bypass-accesslist" would be more appropriate.

Is there any way to make IPSec traffic appear to enter the OS via a "meta" or "virtual" VPN/Tunnel interface upon which ACLs could be applied that do not overlap with the "outside"-specific access-list/access-group?

TIA,

~lava

No, we do not. However you can still use the access lists to filter the IPsec traffic. Once you remove the magical command "sysopt connection permit-ipsec" then you can configure the access list with the same name as already configured on the outside interface. Or I will suggest to configure the object group for VPN traffic to make it more organized.

Regards,

Tanveer
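The two configurations Tanveer describes in his replies above, as an added example that is not from the thread or from Cisco: the first keeps "sysopt connection permit-ipsec", so decrypted tunnel traffic bypasses the outside interface ACL; the second removes it and filters the remote site explicitly through the same outside ACL, using object groups. The interface name, ACL and object-group names, and all addresses are assumed for illustration.

```cisco
! --- Weak: decrypted VPN traffic skips the outside interface ACL ---
! (on newer ASA releases the keyword is "permit-vpn" rather than "permit-ipsec")
sysopt connection permit-ipsec
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Result: hosts behind the IPsec peer reach any inside host, and the
! OUTSIDE_IN hit counters never move for that traffic.

! --- Corrected: remove the bypass and filter tunnel sources explicitly ---
no sysopt connection permit-ipsec
! Assumed addresses: remote site 10.20.0.0/16, inside file server 192.168.1.10
object-group network REMOTE_VPN_SITE
 network-object 10.20.0.0 255.255.0.0
object-group network INSIDE_VPN_SERVERS
 network-object host 192.168.1.10
! ACEs are evaluated top-down, so the tunnel entries go before the public ones
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_VPN_SITE object-group INSIDE_VPN_SERVERS eq 445
access-list OUTSIDE_IN extended deny ip object-group REMOTE_VPN_SITE any log
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! IKE (UDP 500/4500) and ESP addressed to the ASA itself are to-the-box traffic
! and are not subject to the interface ACL, so the tunnel still comes up; only
! the decrypted traffic passing through the box is now filtered. Return traffic
! from inside to the remote site is still allowed by the stateful connection table.
! Verify:  show running-config sysopt   (the permit line must be absent)
!          show access-list OUTSIDE_IN  (hit counts now increment for tunnel traffic)
```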
