Apply an ACL to a VPN tunnel

khuysmans
Level 1

Hi,

My PIX is currently set up to allow all IPSEC traffic to enter my network (sysopt connection permit-ipsec). I would like to change this so that I can define what traffic is allowed in (and out).

My setup is simple (imo). I only have the default outside & inside interfaces. I am assuming that I can control the "outgoing VPN traffic" in an inbound ACL on the inside interface.

But how do I control what traffic is allowed inbound over the VPN tunnel? I have no interface to apply this to since it's a VPN tunnel.

And I cannot apply it to the outside interface, I think, since traffic that arrives on that interface is ESP traffic, so encrypted and I obviously want to be able to define what is allowed in based on what the decrypted packet looks like.

Any thoughts anyone?

Thanks and regards,

Kevin


11 Replies

Patrick Iseli
Level 7

In this example you will find 3 Access-lists:

1.) Access-list acs-outside controls who can connect from the Internet and establish/open an IPSEC

2.) Access-list NONAT disables NAT from the Local networks to the VPN Peer network.

3.) Access-list VPN and < crypto map REMOTE 10 match address VPN > controls what traffic will be encrypted. If you just want to allow a specific host and protocol to be encrypted/allowed through the tunnel then this is the place to control it.

Example:

PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp

PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP

PIX(config)# access-group acs-outside in interface outside

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 encryption 3des

PIX(config)# isakmp policy 10 hash md5

PIX(config)# isakmp policy 10 group 2

PIX(config)# isakmp policy 10 lifetime 86400

PIX(config)# isakmp identity address

PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# global (outside) 1 interface

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac

PIX(config)# crypto map REMOTE 10 ipsec-isakmp

PIX(config)# crypto map REMOTE 10 match address VPN

PIX(config)# crypto map REMOTE 10 set peer PEER-IP

PIX(config)# crypto map REMOTE 10 set transform-set TRANS

PIX(config)# crypto map REMOTE interface outside

Hope that helps?

sincerely

Patrick

Hi,

Thank you for your reply, Patrick. It was helpful.

You have illustrated (amongst other things) how to establish an ACL on traffic originating in my internal network and bound for the external network (ACL "TRANS").

I am wondering however how I can control/limit the traffic coming from the external network. Let's say I want to configure it in such a way that only 3 hosts in the external network are allowed to reach 2 specific hosts in my network. The other way around I want to allow my entire internal network to contact the entire external network (which is pretty much how ACL "TRANS" has configured it).

With kind regards,

Kevin

khuysmans
Level 1

Hi,

It is still unclear to me how to apply an ACL to traffic incoming over the VPN tunnel.

Can anyone shed some light on this please?

regards,

Kevin

Hi Kevin,

If you are using PIX firewall software ver. below 7.x then you will have to remove the command "sysopt connection permit-ipsec" from the configuration which tells the pix to allow all the ipsec traffic by default.

After you remove this command then you configure the access list or add the access list to the existing access list applied on the outside interface to allow the specific IPSEC traffic which you want to allow.

Regards,

Tanveer

Hello Tanveer,

Will the ACL I would apply to the outside interface be able to interpret the encrypted traffic? Meaning, will it apply the ACL -after- the traffic was decrypted?

Also, is there a way to apply the ACL to traffic coming from 1 specific peer? I have multiple tunnels running on the PIX and I am wondering how to define an incoming ACL on each.

regards,

Kevin

Kevin,

Use the VPN access-list to control which host can use/pass through the VPN tunnel! The outside ACL just permits which Internet host can open/establish a VPN Tunnel but it does not control what is in the Tunnel.

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN

sincerely

Patrick

Dear Patrick,

My apologies if I appear thick, but it is still not clear to me.

I understand that the outside ACL applies to which host(s) can establish the tunnel.

I also understand that the VPN access-list applies to which of the traffic originating in my Internalnet ISubnet towards the Externalnet ESubnet will be sent over the VPN tunnel REMOTE.

However, how do I limit the traffic which is allowed to enter my Internalnet from the Externalnet?

Will, for example,

access-list VPN permit ip host Externalhost host Internalhost

limit the traffic which is allowed to originate from the Externalnet to only traffic coming from Externalhost and in addition only traffic going towards Internalhost?

with kind regards,

Kevin

access-list NETWORK permit ip 192.168.41.0 255.255.255.0 172.20.0.0 255.255.0.0

access-list NETWORK permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.0.0

crypto map covance 10 match address NETWORK

192.168.41.0 is the local network.

192.168.0.0 & 172.20.0.0 are the remote networks.

crypto map statement applies access list to VPN.

Hi,

Can you provide me an example which will apply to traffic originating in for example 172.20.0.0/16 ?

regards,

Kevin

IPSEC traffic is decrypted before going through the outside acl. When going through the acl, Source and Destination addresses correspond to the real IPs. So to accomplish what you want is easy: just remove the sysopt connection permit-ipsec, and modify your outside acl, using the real IPs as Source and Destination.

For example, you have a lan2lan vpn with your inside network at 10.10.10.0/24 and a remote inside network at 172.20.0.0/16, and you want to give this network access to a web server at 10.10.10.33. Just add a line:

access-list acl_out permit tcp 172.20.0.0 255.255.0.0 host 10.10.10.33 eq 80

access-group acl_out in interface outside

acl_out will end up with a mix of public and private Source addresses and it's ok, the PIX doesn't care.
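The packet flow described in this accepted answer, and the split Patrick drew earlier in the thread (the crypto-map ACL decides what gets encrypted, the outside ACL decides what decrypted traffic may enter), as an added Python illustration that is not part of the original thread or of any Cisco software. It parses PIX-style access-list lines like the ones above and evaluates constructed decrypted packets against them, with the "sysopt connection permit-ipsec" bypass modelled as a flag. The peer addresses 203.0.113.7 and 198.51.100.2, the remote host 172.20.5.9, the parser itself and the sysopt_permit_ipsec parameter are all assumptions made for this example, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an outside ACL in the form used in this thread.
# 203.0.113.7 is an assumed remote VPN peer, 198.51.100.2 the assumed
# public address of the PIX; the last line is the accepted answer's rule.
ACL_OUT = """
access-list acl_out permit udp host 203.0.113.7 host 198.51.100.2 eq isakmp
access-list acl_out permit esp host 203.0.113.7 host 198.51.100.2
access-list acl_out permit tcp 172.20.0.0 255.255.0.0 host 10.10.10.33 eq 80
"""

# Port keywords the sample uses; numeric ports are accepted as well.
PORT_NAMES = {"isakmp": 500, "www": 80}


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i].
    PIX ACLs use subnet masks (not wildcard masks), which ipaddress accepts
    directly in 'address/netmask' form. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(text):
    """Turn access-list lines into AclEntry objects, in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        entries.append(AclEntry(name, action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; no match is the ACL's implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):      # 'ip' matches any protocol
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def inbound_decision(entries, proto, src_ip, dst_ip, dport=None,
                     sysopt_permit_ipsec=False):
    """Decision for a packet that arrived inside the tunnel and was decrypted.
    With 'sysopt connection permit-ipsec' in place the interface ACL is
    bypassed entirely; once it is removed, the outside ACL is consulted
    using the real (decrypted) source and destination, as the answer says."""
    if sysopt_permit_ipsec:
        return "permit"
    return evaluate(entries, proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    acl = parse_acl(ACL_OUT)
    # Constructed decrypted packets from the remote 172.20.0.0/16 network.
    print(inbound_decision(acl, "tcp", "172.20.5.9", "10.10.10.33", 80))   # permit
    print(inbound_decision(acl, "tcp", "172.20.5.9", "10.10.10.44", 80))   # deny
    print(inbound_decision(acl, "tcp", "172.20.5.9", "10.10.10.44", 80,
                           sysopt_permit_ipsec=True))                      # permit
```

The two public-address lines are what Patrick's acs-outside list does (let the peer negotiate and send ESP); the private-address line is what the accepted answer adds, and the implicit deny at the end of the list is what actually restricts the remote network. The crypto-map ACL still has to match the same flows, otherwise they are never encrypted in the first place.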

Many thanks. That is exactly what I wanted to know.

And thanks to all who helped out!
