restrict tunnel profile in ASA

m-abouelazm
Level 1

How can I restrict a specific tunnel (connection) profile to a certain ASA interface, i.e. when the user changes the host IP to another ASA interface, he can't connect?

Thanks in advance

5 Replies

Jouni Forss
VIP Alumni

Hi,

It seems to me that the only actual way to lock the profile/tunnel-group to a certain interface on the ASA is when the destination interface is a subinterface. In those cases you can lock the profile to a certain VLAN in the "group-policy".

Naturally, even if this wasn't the case, you can define the tunneled traffic in the L2L VPN or Client VPN so that traffic simply won't be tunneled to the networks you don't want to.

If even the above isn't an option then you can configure a VPN Filter ACL, either for the connection or for the user.

You also have the option to disable a default setting on the ASA called "sysopt connection permit-vpn". If you have not changed this setting from the default, it means that traffic that enters through a VPN connection won't be matched against an interface ACL attached to the interface terminating the VPN connection. If you were to change the setting to "no sysopt connection permit-vpn" then ALL traffic inbound from VPN would need an ACL rule in the interface ACL. This makes it a setting that is not easily enabled when the device has been in production a long time, mainly because you would need to allow all the traffic the existing VPN connections need before changing this setting; otherwise traffic might start to get blocked on all the connections.

You might also have the option to configure an outbound ACL on some local interface to block traffic coming from the VPN network you don't want to allow traffic from. This is something I have never used, and it also requires you to take into account that you don't block any legitimate traffic. In those ACLs you would essentially have to first block traffic from the VPN network to the networks you want to block traffic to, and then allow ALL other traffic so as not to affect other connections towards the networks behind that interface.

As your question didn't really contain much background information, I can't really provide an example that would suit you best.

- Jouni
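As an added illustration of the VPN Filter and group-policy options described in the reply above (this is constructed example configuration, not the poster's or Cisco's, and not from the original thread): interface names "outside" and "private", the pool 10.200.0.0/24, the internal network 192.168.10.0/24, the VLAN ID 100 and the names GP-PRIVATE, POOL-PRIVATE and PRIVATE-USERS are all assumptions.

```cisco
! Constructed example, not the original poster's configuration.
! Assumed: remote-access users of tunnel-group PRIVATE-USERS get addresses from
! 10.200.0.0/24 and should only reach 192.168.10.0/24 on TCP/443.

! 1) vpn-filter: an ACL evaluated only against the decrypted traffic of the sessions
!    that use this group-policy. Write the rules with the VPN client as the source
!    and the local network as the destination; the ASA handles the return direction.
access-list VPN-FILTER-PRIVATE extended permit tcp 10.200.0.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443
access-list VPN-FILTER-PRIVATE extended deny ip any any

ip local pool POOL-PRIVATE 10.200.0.1-10.200.0.254 mask 255.255.255.0

group-policy GP-PRIVATE internal
group-policy GP-PRIVATE attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 address-pools value POOL-PRIVATE
 vpn-filter value VPN-FILTER-PRIVATE
! 2) Only applies when the inside-facing interface is a VLAN subinterface: pin the
!    session's traffic to that VLAN (assumed VLAN 100) so it cannot be routed elsewhere.
 vlan 100

tunnel-group PRIVATE-USERS type remote-access
tunnel-group PRIVATE-USERS general-attributes
 default-group-policy GP-PRIVATE
```

The vpn-filter can also be assigned per user under "username ... attributes", which overrides the group-policy value for that user. Note that a vpn-filter limits what a session can reach after it is established; it does not stop the client from building the tunnel on a different interface.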

Hi Jouni

I'm talking about remote access VPN. I have two interfaces active for ISAKMP, but I want to restrict a certain tunnel connection profile to a certain interface, even when changing the host IP in the VPN profile.

Thanks

Hi,

So you are saying that you have 2 WAN interfaces on the ASA and you have enabled VPN use on both of them, but now want to restrict users from connecting using the other WAN link?

I have to say that I have never had to think about such a situation.

I assume that both interfaces are then used for VPN even though you don't want to allow some VPN through the other interface? Is the interface that needs restrictions on inbound VPN Client connections used for other VPN Client connections, or is it just serving L2L VPN failover when the primary WAN link fails?

I can only think of 2 solutions myself and I am not sure if they are the most clean ones.

- Jouni

Hi Jouni

Yes, I have two WAN interfaces enabled for VPN, one of them through the internet and the other through a private WAN connection. I don't want users who connect through the private WAN interface to be able to connect through the internet interface when they change the host IP in the VPN profile, and I also can't disable the VPN on the internet interface as it's used by other users.

Thanks

Hi,

Well I can't really come up with a clean solution at the moment.

I was originally thinking that if one of the interfaces was only used for VPN Client connections and both of the external interfaces were used for L2L VPN, then you could have created an ACL that only controls the traffic incoming to the ASA interface itself (control-plane). You could have basically allowed the L2L VPN peer IP traffic to the other interface while blocking connections from any other source address, and this way blocked VPN Client connections to the ASA.

The other solution wouldn't really prevent the users from forming the VPN connection, but would prevent them from connecting anywhere through the VPN connection.

This would require you to have this setting on

no sysopt connection permit-vpn

The default setting is "sysopt connection permit-vpn", which doesn't show in the CLI format configuration. If you were to have the above setting, it would mean that any connection coming through a VPN connection would have to be allowed in the interface ACL where the VPN connection terminates. This would give you a chance to block the whole VPN pool of those users from connecting anywhere on your network, even though they could still connect with the VPN.

Naturally, one other downside of using the above command is that before enabling that setting you would have to make sure that you have allowed all needed traffic from every other remote/VPN network; otherwise all VPN related traffic would start to get blocked by the ASA.

I am not really sure what the solution to this would be.

- Jouni
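The two approaches Jouni describes here (a control-plane ACL on the interface, and "no sysopt connection permit-vpn" combined with an interface ACL that blocks the pool), as one added example that is not part of the original thread and not the poster's configuration. Interface names "outside" (internet) and "private" (private WAN), the L2L peer 203.0.113.10, the pools 10.200.0.0/24 (private-WAN users) and 10.201.0.0/24 (internet users), the internal network 192.168.10.0/24 and the ACL names are all assumptions. As the reply notes, the control-plane ACL only helps when the interface to be protected does not need to accept client connections from arbitrary addresses; the sysopt change does not stop the tunnel from coming up, it only stops the session from reaching anything.

```cisco
! Constructed example, not the original poster's configuration.

! A) Control-plane ACL: applied with the "control-plane" keyword, it filters traffic
!    addressed TO the ASA interface itself (IKE, NAT-T, ESP), not traffic through it.
!    Only the assumed L2L peer may bring up a tunnel on "private"; every other source
!    is refused before any tunnel-group is selected. Usable only if no remote-access
!    clients need to connect to this interface from unknown addresses.
access-list CP-PRIVATE extended permit udp host 203.0.113.10 any eq isakmp
access-list CP-PRIVATE extended permit udp host 203.0.113.10 any eq 4500
access-list CP-PRIVATE extended permit esp host 203.0.113.10 any
access-list CP-PRIVATE extended deny ip any any
access-group CP-PRIVATE in interface private control-plane

! B) Stop bypassing the interface ACL for decrypted VPN traffic. The default
!    "sysopt connection permit-vpn" is hidden in "show running-config"; check the
!    effective value with "show running-config all sysopt" before and after.
!    Every flow that existing tunnels on ANY interface need must already be permitted
!    in the respective interface ACL, otherwise it is dropped from this point on.
no sysopt connection permit-vpn

! Interface ACL on "outside": sessions of the private-WAN profile still receive
! addresses from 10.200.0.0/24 even when they connect via the internet interface,
! so denying that pool here makes such a session useless without affecting the
! internet users' pool 10.201.0.0/24.
access-list OUTSIDE-IN extended deny ip 10.200.0.0 255.255.255.0 any
access-list OUTSIDE-IN extended permit ip 10.201.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group OUTSIDE-IN in interface outside

! Interface ACL on "private": the same pool is allowed where it belongs.
access-list PRIVATE-IN extended permit ip 10.200.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group PRIVATE-IN in interface private
```

Verify the result with "show vpn-sessiondb anyconnect" or "show vpn-sessiondb ra-ikev1-ipsec" to see which interface a session terminated on, and with "show access-list OUTSIDE-IN" to confirm the deny line is accumulating hits when a private-WAN user connects through the internet interface.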