How to restrict traffic through a VPN site-to-site tunnel

Erik Jacobsen (Level 1)

Hi,

I have a site-to-site tunnel, where Site 1 is the local site and the main site, and Site 2 is the remote site.

How do I restrict traffic from Site 2 so that it can only reach a few IP addresses at the local site?

But from the local site, all IPs should be able to reach all IPs at Site 2 (remote).

An access-list on the "inside" interface is not working, since all ACLs are bypassed on the interfaces for IPsec traffic.

I have then tried to make a policy group where I only allow traffic to specific servers, but Site 2 can still reach everything on the local site.

Is there anything I'm missing here?

Best regards,

Erik


11 Replies

apothula (Level 1)

Hi Erik,

By default, sysopt connection permit-vpn is enabled on all Cisco ASAs.

This makes the ASA not check the outside ACL for allowing/denying VPN traffic through.

If there is only a single VPN terminating on this device, or if you are willing to add all the required ACLs on the outside interface to allow/deny VPN traffic, you can disable the sysopt feature using the command no sysopt connection permit-vpn.

You then have to add ACLs in the appropriate direction to allow/deny traffic from the local site to the remote site.

Cheers,

Nash.
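Added example (not from the thread) of the approach Nash describes: turning off the VPN ACL bypass and filtering the decrypted traffic with the outside interface ACL. Addresses and ACL names are assumptions for illustration only: main-site inside network 10.8.18.0/24 with the two permitted servers at 10.8.18.10 and 10.8.18.11, remote-site network 10.8.19.0/24, and a remote-access client pool 10.8.50.0/24 standing in for the other VPNs that would also need entries once the bypass is gone.

```cisco
! Main-site ASA. Assumed addressing (not from the thread):
!   inside network 10.8.18.0/24, permitted servers 10.8.18.10 and 10.8.18.11
!   remote-site network 10.8.19.0/24, remote-access client pool 10.8.50.0/24
!
! Stop decrypted VPN traffic from skipping the interface ACLs (enabled by default)
no sysopt connection permit-vpn
!
! The outside ACL now sees every decrypted packet, so it can be selective:
! remote site -> only the two servers, everything else from that network denied.
access-list outside_in extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.10
access-list outside_in extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.11
access-list outside_in extended deny ip 10.8.19.0 255.255.255.0 10.8.18.0 255.255.255.0 log
!
! Cost of this approach: every other tunnel or client pool that terminates here
! also loses the bypass and needs its own permit entries (assumed pool below).
access-list outside_in extended permit ip 10.8.50.0 255.255.255.0 10.8.18.0 255.255.255.0
!
! An implicit deny ip any any ends the ACL. Connections opened from the main site
! toward 10.8.19.0/24 leave via inside; their replies are matched by the connection
! table, so no outside_in entry is required for them.
access-group outside_in in interface outside
```

To verify, watch the hit counts with show access-list outside_in, and run packet-tracer input outside tcp 10.8.19.5 1025 10.8.18.20 445 (a remote host to a non-permitted server), which should be dropped at the ACCESS-LIST phase, while the same trace to 10.8.18.10 should be allowed.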

apothula (Level 1)

Also, be advised that VPN filters are bidirectional.

Cheers,

Nash.
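Added example (not from the thread) showing why the VPN filter cannot express Erik's one-way requirement. A vpn-filter ACL is written from the remote side's point of view (source = remote network, destination = local network), and the ASA applies the same ACL to packets in both directions, swapping source and destination for outbound traffic. Peer address, names and subnets are assumptions for illustration: remote peer 203.0.113.2, remote network 10.8.19.0/24, main-site network 10.8.18.0/24, permitted servers 10.8.18.10 and 10.8.18.11. The crypto map and IKE settings are omitted.

```cisco
! Main-site ASA. Assumed values (not from the thread):
!   peer 203.0.113.2, remote network 10.8.19.0/24, main-site network 10.8.18.0/24
!
! vpn-filter ACL: source is the REMOTE side, destination is the LOCAL side.
! Inbound decrypted packets are matched as written; outbound packets are matched
! with source and destination swapped, so one entry governs both directions.
access-list s2s_filter extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.10
access-list s2s_filter extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.11
!
! The entry needed to let the whole main site reach the remote site ...
!   access-list s2s_filter extended permit ip 10.8.19.0 255.255.255.0 10.8.18.0 255.255.255.0
! ... would, by the same swap, also let the whole remote site reach the main site.
! That is the bidirectional limitation Nash refers to.
!
group-policy S2S_GP internal
group-policy S2S_GP attributes
 vpn-filter value s2s_filter
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy S2S_GP
```

With only the two host entries in place, main-site hosts can reach the two servers' counterparts nowhere but those same entries allow, so a test from a main-site workstation to any remote host other than via those two rules is dropped; show vpn-sessiondb l2l confirms which filter the tunnel inherited.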

Hi,

Yes, the problem is they are bypassing my ACLs, but this I knew, so that's why I was hoping to use a policy group.

And yes, removing the bypassing would give me an issue, since I have remote VPN and other site-to-sites.

So that's why I'm looking for an alternative way.

Erik

Hi Erik,


The sysopt command only bypasses interface access lists for incoming VPN traffic that gets decrypted and sent to the client/server in your network.

However, the reply traffic would still be subjected to the interface ACL checks.

So, on the inside interface of the main site, in the inbound direction, add an ACL allowing traffic to the devices at the remote network you want to allow access to, denying traffic to the remote site network, and allowing all other traffic.

Let me know how it goes.

Cheers,


Nash.

Hi Nash,

Since everyone at the main site should be reaching everything on the remote site, the inbound ACL would be a bad idea.

It is the remote site that should only be reaching 2 servers on the main site.

Best regards,

Erik Jacobsen

Rodrigo Gurriti (Level 3)

Well, there is another way that may work for you. Do NAT on the VPN; for instance, do NAT on the main site:

Main site example:

! Main-site ASA, pre-8.3 NAT syntax
interface ethernet1
 nameif outside
 security-level 0
 ip address 11.0.0.1 255.255.255.0
!
interface ethernet2
 nameif inside
 security-level 100
 ip address 10.8.18.1 255.255.255.0
!
! Policy NAT: only inside traffic headed for the remote site is translated
access-list acl_nat extended permit ip 10.8.18.0 255.255.255.0 10.8.19.0 255.255.255.0
! The crypto ACL must match the translated (post-NAT) source, not the real inside subnet
access-list acl_vpn_matriz-crypto-match extended permit ip 192.168.2.0 255.255.255.0 10.8.19.0 255.255.255.0
!
! Dynamic pool of translated addresses in 192.168.2.0/24
! (a single address here would be PAT instead of a one-to-one pool)
global (outside) 10 192.168.2.1-192.168.2.254 netmask 255.255.255.0
nat (inside) 10 access-list acl_nat

Let's see here: 10.8.18.0 (inside) is trying to go to 10.8.19.0 (remote); it will go on the VPN, but before that it will NAT to 192.168.2.0.

This means that the other side is expecting an address in 192.168.2.0.

It will work bidirectionally, but only if the main site opens the connection; if the remote tries to open a connection, it will not work. If you need some hosts on the remote site to open a connection, you can configure statics (I have never done it, but I think it will work).

The function of it will be the same as a regular NAT, but you will be doing it before the tunnel sends the data.

Please mark as answered if it solves your problem.

Thank you

Hi Rodrigo,

I can see where you are coming from, but complexity will rise with NATted IPs, since there are VPN clients that also should be reaching machines on the remote site.

So it looks like my best bet so far is to remove the bypass function; then I have to control the access-lists.

Best regards,

Erik

Hi Erik,


Then we could use that inbound ACL at the remote site.

In the inbound ACL on the inside interface of the ASA at the remote site,

line 1 permit traffic from local network to the two servers,

line 2 deny traffic from local network to the remote network at the main site,

line 3 permit traffic from local network to any (internet)

Cheers,


Nash.
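Added example (not from the thread) of the three-line inbound ACL Nash lists, written for the remote-site ASA. Subnets and names are assumptions for illustration: remote-site inside network 10.8.19.0/24, main-site network 10.8.18.0/24, permitted servers 10.8.18.10 and 10.8.18.11.

```cisco
! Remote-site ASA, inside interface, inbound direction. Assumed values (not from the thread):
!   remote-site inside 10.8.19.0/24, main-site 10.8.18.0/24, servers 10.8.18.10 / 10.8.18.11
!
! line 1: local users may reach the two permitted servers
access-list inside_in extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.10
access-list inside_in extended permit ip 10.8.19.0 255.255.255.0 host 10.8.18.11
! line 2: nothing else at the main site
access-list inside_in extended deny ip 10.8.19.0 255.255.255.0 10.8.18.0 255.255.255.0 log
! line 3: everything else (internet) is allowed
access-list inside_in extended permit ip 10.8.19.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Connections opened from the main site arrive through the tunnel on outside and are
! not evaluated by this ACL; their replies from local hosts are matched by the
! connection table, so the one-way policy holds without touching sysopt.
```

This only helps when the ASA running the ACL is under your administration, which is the condition Erik explains below he does not have.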

Hi Nash,

That's totally correct. BUT I forgot to say that the remote site is a non-trusted site, so I don't control this site.

That's why I want to control the traffic at the main site.

We have bought another company, so we should be able to reach everything there, but they should only be able to reach 2 servers with us.

Best regards,

Erik Jacobsen

Accepted Solution

Hi Erik,


Unfortunately, the only options we have are VPN filters which are bidirectional and disabling the sysopt feature.


If you have a core switch/router we can block traffic on that device using access lists or null routes.


Cheers,

Nash.
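Added example (not from the thread) of enforcing the one-way policy on a device behind the VPN terminator, as the accepted answer suggests and as Erik ultimately did. It assumes a Cisco IOS router as the main-site core, connected to the VPN device over a transit segment, with the main-site server networks routed behind it; all addresses and names are assumptions for illustration (transit 10.8.255.0/24 with the core at 10.8.255.2, remote network 10.8.19.0/24, permitted servers 10.8.18.10 and 10.8.18.11). Because a plain IOS ACL is stateless, the inbound ACL would also drop replies to connections the main site opened toward the remote site; the example uses a reflexive ACL so that those replies are admitted while unsolicited remote-site traffic is limited to the two servers.

```cisco
! Main-site core router (Cisco IOS). Assumed topology (not from the thread):
!   Gi0/1 = transit toward the VPN device, 10.8.255.2/24
!   remote network 10.8.19.0/24, permitted servers 10.8.18.10 and 10.8.18.11
!
! Outbound toward the VPN: record every session the main site opens to the remote site
ip access-list extended OUT-TO-VPN
 permit tcp any 10.8.19.0 0.0.0.255 reflect VPN-REPLIES timeout 300
 permit udp any 10.8.19.0 0.0.0.255 reflect VPN-REPLIES timeout 60
 permit icmp any 10.8.19.0 0.0.0.255 reflect VPN-REPLIES
 permit ip any any
!
! Inbound from the VPN: replies to recorded sessions first, then the two servers,
! then deny the rest of the remote network; other traffic (internet, other VPNs) is untouched
ip access-list extended IN-FROM-VPN
 evaluate VPN-REPLIES
 permit ip 10.8.19.0 0.0.0.255 host 10.8.18.10
 permit ip 10.8.19.0 0.0.0.255 host 10.8.18.11
 deny   ip 10.8.19.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/1
 description transit to VPN device
 ip address 10.8.255.2 255.255.255.0
 ip access-group OUT-TO-VPN out
 ip access-group IN-FROM-VPN in
```

Two caveats. Most Catalyst switches do not support reflexive ACLs in hardware; on such a core use permit tcp 10.8.19.0 0.0.0.255 any established for TCP replies and explicit entries for the UDP services the main site must initiate. And a null route for 10.8.19.0/24 (ip route 10.8.19.0 255.255.255.0 Null0) discards traffic in both directions, so it only fits when the main site has no need to reach the remote site at all. Hosts on the transit segment itself are not protected by this ACL; keep the two servers, and anything else the remote site must not see, on routed VLANs behind the core.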

Hi,

I ended up using a different router for the VPN, and then I could use my core switch/router to control the traffic.

Erik
