problem Details: Hi, we have one of our web servers compromised. The server is located in
ISP remote site. Remote site is connected to our main office with VPN tunnel. Here is
brief network diagram:
RBAnetwork(192.168.182.0)--VPNtunnel--ISPnetowk(10.5.0.x). In order to provide our main
network we disabled the VPN tunnel between two sites. We have to reconfigure the VPN
tunnel and achieve the following:
1. VPN tunnel should protect traffic between RBA and ISP sites;
2. traffic initiated from RBA to ISP must be allowed
3. all traffic (except for backup) initiated from ISP to RBA must be disabled so if the
web server gets compromised in the future, the RBA network is protected.
4. the web servers at ISP are self-contained and do not need access to RBA network. The
only type of access is when backup is performed so that type of traffic should allowed.
Pls provide with assistance with VPN
This is how I would do it...configure the vpn as normal but add the following to the ISP-ASA.
no sysopt connection permit-vpn
access-list outside_access_in extended permit ip 192.168.182.0 255.255.255.0 10.5.0.0 255.255.255.0
access-group outside_access_in in interface outside
access-list inside_access_in extended permit (allow backup traffic here from 10.5.0.x to 192.168.182.x)
access-list inside_access_in extended deny ip 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
Thanks for prompt responce.
Would it be possible to setup at ISP side: crypto map outside_map 1 set connection-type answer-only
and on main office side: crypto map outside_map 1 set connection-type originate-only
and achive teh same result?
Doing that would only prevent the ISP side from bring up the vpn. Once the vpn was established by RBA end, it would not prevent the ISP side from initiating traffic over the tunnel.
following ports will have to be opened for backup and management from ISP:
80, 22, 5432, 8080
NOt quite sure how to setup access-list commands. Would you be so kind to enter one line for me?
access-list no_nat0 extended permit ip 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 80
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 22
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 5432
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 8080
or you could be even more specific if you identified the exact ip addresses which were being backed up and to where.
access-list inside_access_in extended permit tcp host 10.5.0.x host 192.168.0.x eq 80
You have a very poor design. You should have
designed your VPN in such a way that your
VPN device is placed between a firewall.
That way, after the traffics have been
decrypted, the firewall will take over the
inspection. That way, you do not have to worry
Thanks for your input but did not quite help.
The VPN device is ASA 5510 capable of performing VPN tunnel and protect the network.
I confogred ACL on inside interface facing ISP allowing only certain type of traffic to pass. Looks like the problem is solved.
thanks for all your help.