New Member

block access on a site to site vpn

I have a site-to-site VPN (between two ASAs) which works just fine; however, we want to have control over:

1) the ability to bring up the VPN tunnel only if one site initiates traffic. If that site does not initiate traffic, the tunnel should not come up.

2) the ability for one site to access resources from the other site but not vice versa.

Any ideas?

23 REPLIES
Bronze

Re: block access on a site to site vpn

To make the VPN come up only when one site is initiating traffic, you will need to configure the crypto ACL accordingly. The ability for only one site to access resources from the other can also be configured by applying proper filters. The following links may help you:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080656460.html

New Member

Re: block access on a site to site vpn

I'm trying to accomplish the same thing as ronshuster, but have not had any success. I didn't see much about VPN filters from the links above. There was some information on VPN filters here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

But I'm still not able to create the desired effect. The bi-directional explanation on that page is confusing. What I would like to be able to do is something like this:

access-list 100 extended permit ip

access-list 100 extended deny ip

And then apply that ACL as a VPN filter to my site-to-site VPN connection. The link above talks about the remote subnet always being specified first when doing VPN filter ACLs, so I'm not sure that the above example is valid. When I try to do the above, traffic seems to be blocked in both directions.

To reiterate the desired setup:

Site-to-site VPN connection between my office and a client site. The connection should allow traffic to flow freely from everyone on my office subnet to the client subnet. But traffic should be blocked in the reverse direction (client subnet -> my subnet should not be allowed). Is this possible with VPN filter ACLs? If so, can someone provide an example?

New Member

Re: block access on a site to site vpn

Hi Matthew,

This is what you need to add on the side that will initiate traffic:

ciscoasa(config)# crypto map outside_map 2 set connection-type originate-only

The set connection-type originate-only is to be applied on the side that wants to originate the traffic; no further commands need to be added on the Houston side.

I am yet to find the answer to the other point; please let me know if you figure it out.

Green

Re: block access on a site to site vpn

You have two options on restricting the traffic.

1. Remove sysopt connection permit-ipsec or sysopt connection permit-vpn, depending on the version. Then write the access in your regular interface ACLs.

2. Apply a vpn-filter to the group policy of the tunnel-group. This doc explains how to do it for a remote access VPN, but it is the same for LAN-to-LAN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

New Member

Re: block access on a site to site vpn

I would rather not do option 1, as it would complicate rule setups for other VPN connections in my configuration (and increase the likelihood that I mess something up and expose a security hole).

I can follow the examples for dial-up/remote access VPN connections, but nothing translates into a working configuration for my site-to-site VPN. First, there are no examples given of any deny rules; all the examples in that doc are:

access-list xyz permit ip any

When dial-up users are connected to my vpn, I can ping their pool IP from my internal subnet. So the analogy of what I'm trying to accomplish with site-to-site would be: allow dial-up users full access to the internal subnet, but prevent the internal subnet from being able to access the dial-up user. I've yet to see an example demonstrating this.

When I try:

access-list xyz permit ip

access-list xyz deny ip

and apply those rules as a vpn-filter to the group policy of the tunnel group for my site-to-site VPN, it ends up blocking traffic in both directions. Without those policies, I've tested the VPN connection and it works fine in both directions (client -> me, me -> client). But as soon as I try to block the client -> me traffic, it also kills traffic going the other direction. I'd love to see an actual working example of this.

Green

Re: block access on a site to site vpn

Yes, option 1 is uglier. I believe the vpn-filter ACL is applied to the outside interface, so in your case it would not help. I thought you were trying to limit the access from the VPN client, but you actually want to limit the access to the VPN client. It also doesn't help to put in the two ACLs you tried, because the internal subnet would never be the source, since it is applied to the outside interface.

The easiest way to do that would be to create an ACL applied to your inside interface:

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

New Member

Re: block access on a site to site vpn

You can create a dynamic map on the side that you do not want to initiate traffic from. The other side will then be able to kick off the tunnel, while the dynamic side cannot. Coupled with the filter, you should be all set.

New Member

Re: block access on a site to site vpn

Unfortunately, there isn't a Cisco router/firewall on my client side, so my options are limited there.

I think there was some confusion in the previous post also. I am trying to limit access FROM the VPN client - in other words, no one at my client side should be allowed to access my network. Access TO my client site from my network should be allowed across the VPN.

The whole idea is to have a one-way VPN connection to my client site, so I can freely access things at my client site from my office, but the reverse is not allowed.

The idea for the inside policy rule seemed intriguing, but it didn't seem to work. As soon as I put it in place, traffic in both directions was blocked again. I tried the rule the other way too (because it seemed backward to me), but that caused traffic to be blocked in both directions also:

access-list inside extended deny ip any

access-list inside permit ip any any

access-group inside in interface inside

New Member

Re: block access on a site to site vpn

Ok, I think I found a potential solution, but I'm not 100% pleased with it...

I went back to the original/normal site-to-site VPN where both sides could freely access each other (client->me and me->client traffic both work). This is pretty much the standard site-to-site VPN shown in examples. The suggestion of adding this rule on my end:

access-list inside extended deny ip any

blocks things in the wrong direction (kills my access to the client). Instead, I created a similar rule *on my client's* firewall. Now, there isn't a Cisco there, but the rule is equivalent to:

access-list inside extended deny ip any

Now, from my internal subnet, I can still freely access the client subnet (me->client traffic). But the rule on their side prevents them from accessing me (client->me is blocked by their firewall).

The downside to this approach is that I have to trust them to keep that rule in place. If they decide they want to access my network over the VPN, they can simply disable that rule without my knowledge.

So ideally, I would still love it if there was a way to enforce the one-way VPN traffic restriction on my end. I think we've been getting close to a good solution with this thread... we just haven't hit it yet. Keep the suggestions coming!

New Member

Re: block access on a site to site vpn

Has anyone found a proper solution for this issue?

New Member

Re: block access on a site to site vpn

It seems that when I apply VPN filters to allow everything from the client side, it applies correctly. But I cannot access the client side from my LAN at all.

I keep receiving this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

New Member

Re: block access on a site to site vpn

Anyone?

New Member

Re: block access on a site to site vpn

I am yet to find an answer to my original question, that is: my site-to-site VPN is working; however, all devices on one side can access all devices on the other, and vice versa.

I have an object-group defined with all the private networks on each end, i.e.

access-list TUNNEL1 extended permit ip object-group INSIDE_NETWORK object-group OUTSIDE_NETWORK

crypto map outside_map 2 match address TUNNEL1

Now that it is fully open (and working), I need to restrict specific segments (in the object-groups) from accessing specific segments on the other side of the tunnel.

How is this done?

New Member

Re: block access on a site to site vpn

join the club ...

Green

Re: block access on a site to site vpn

Posted this before, but maybe it didn't work out. Use the vpn-filter option to filter the traffic.

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq xxx

etc.

New Member

Re: block access on a site to site vpn

As I wrote above, the filter works, but you cannot access the remote VPN subnet from the local subnet.

I keep receiving this error:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Green

Re: block access on a site to site vpn

Sorry, there are a lot of posts to try to keep straight.

New Member

Re: block access on a site to site vpn

No problem, any new thoughts, solutions ?

Green

Re: block access on a site to site vpn

Those are really your only 2 options. Has the other guy in this thread tried the vpn-filter? I have used it before on an L2L tunnel and it worked OK.

New Member

Re: block access on a site to site vpn

I have tried the VPN filter in an L2L setup.

Although Cisco claims that the filter works bidirectionally, it works only from the client side. The only thing that works bidirectionally is ICMP.

When I apply the VPN filter, from my LAN I cannot connect to the client side on any port.

This is the error I get every time I try to connect:

2 Jan 26 2008 17:18:58 106001 192.168.1.2 172.16.10.13 Inbound TCP connection denied from 192.168.1.2/2824 to 172.16.10.13/3389 flags SYN on interface internal

Where 172.16.10.0 is my LAN and 192.168.1.0 is the client's LAN.

New Member

Re: block access on a site to site vpn

Well, I think I have found the solution to filter the client side on the ASA, not exactly as I would like to, but hey, it's a step.

VPN filtering works in L2L; to see it working, make sure that you don't have PFS enabled.

Every rule that you create works bidirectionally, remember that.

New Member

Re: block access on a site to site vpn

I am joining the club!

What does bidirectional mean? Does it mean

the remote site can reply with ACKs? Or does it mean the remote site can create SYNs whenever the local site is able to? That's not a solution....

New Member

Re: block access on a site to site vpn

Hi guys, hope it's not too late to join the club :) Here are my thoughts:

1. vpn-filter

As Cisco said, "If TCP/UDP ports are not used with the access list, both sides can access each other", so I wrote the following vpn-filter access-list, which can control traffic from the remote site but allow all traffic to the remote site:

group-policy attributes

vpn-filter value vpnfilter

access-list vpnfilter extended permit tcp eq # allow remote to access a specific local TCP resource #

access-list vpnfilter extended permit udp eq # allow remote to access a specific local UDP resource #

access-list vpnfilter extended deny tcp any any # deny TCP traffic from remote to local #

access-list vpnfilter extended deny udp any any # deny UDP traffic from remote to local #

access-list vpnfilter extended permit ip # allow local to access any remote resource; traffic originated from remote will never hit this entry, it is denied by the above two ACLs #

If you want to deny all traffic from remote but allow all traffic to remote, you can use the following vpn-filter access-list OR the second method:

access-list vpnfilter extended deny tcp any any

access-list vpnfilter extended deny udp any any

access-list vpnfilter extended permit ip

2. Outbound access-list on the inside interface

access-list inside_access_out deny ip

access-list inside_access_out permit ip any any

access-group inside_access_out out interface inside

None of this has been verified; if anyone could test it, please post the result, thanks.

HTH
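To make the "bidirectional" behaviour discussed throughout this thread concrete, here is an added Python model (not code from the thread or from Cisco) of how an ASA evaluates a vpn-filter ACL. It assumes the documented semantics: the ACL is written with the remote network as source and the local network as destination, and for traffic leaving toward the peer the ASA swaps source/destination addresses and ports before matching; the networks and ports come from the 106001 message quoted above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ASA vpn-filter evaluation (an assumption drawn from
# Cisco's documented behaviour, not code from this thread): one ACL, written
# remote -> local, is checked in both directions. For a packet leaving toward
# the peer the ASA swaps src/dst addresses and ports before matching, which is
# why the 106001 syslog in the thread shows the local host as the destination.

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: str               # remote network in CIDR form, or "any"
    sport: Optional[int]   # remote port ("eq"), None = any port
    dst: str               # local network in CIDR form, or "any"
    dport: Optional[int]   # local port ("eq"), None = any port

def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def vpn_filter(acl, proto, src, sport, dst, dport, local_net="172.16.10.0/24"):
    """Verdict for the first packet of a flow (later packets ride the state table).
    Outbound (local -> remote) packets are matched with src/dst swapped."""
    if _in(local_net, src):
        src, sport, dst, dport = dst, dport, src, sport
    for r in acl:
        if (r.proto in ("ip", proto) and _in(r.src, src) and _in(r.dst, dst)
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return "deny"          # implicit deny at the end of every ACL

LOCAL, REMOTE = "172.16.10.0/24", "192.168.1.0/24"   # networks from the thread

# Last reply's proposal: deny tcp/udp any any, then permit ip remote -> local.
PROPOSED = [Rule("deny", "tcp", "any", None, "any", None),
            Rule("deny", "udp", "any", None, "any", None),
            Rule("permit", "ip", REMOTE, None, LOCAL, None)]
# Port-qualified ACL: after the swap, a local host opening remote port 3389 is
# seen as remote SOURCE port 3389, so this lets local -> remote RDP through,
# while a remote SYN to local port 3389 (dport 3389) finds no permit.
PORTED = [Rule("permit", "tcp", REMOTE, 3389, LOCAL, None),
          Rule("permit", "icmp", REMOTE, None, LOCAL, None)]

def demo():
    out = ("tcp", "172.16.10.13", 2824, "192.168.1.2", 3389)   # local opens RDP
    inb = ("tcp", "192.168.1.2", 2824, "172.16.10.13", 3389)   # remote opens RDP
    ping = ("icmp", "172.16.10.13", None, "192.168.1.2", None)
    return {name: tuple(vpn_filter(acl, *pkt) for pkt in (out, inb, ping))
            for name, acl in (("proposed", PROPOSED), ("ported", PORTED))}
```

In this model the proposed deny-tcp/deny-udp/permit-ip list blocks TCP in both directions and only ICMP passes, which is what the earlier poster observed; ports give a direction only because they are asymmetric, so a remote peer sending from source port 3389 would still match the PORTED entry, and vpn-filter alone cannot enforce true one-way initiation.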
