Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.
It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?
I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the inside interface or the outside interface?
You have 2 options.
Or something like this, acl on outside interface...
no sysopt connection permit-vpn
access-list vpn extended permit ip 172.19.15.0 255.255.255.0
access-list vpn extended permit ip 172.19.15.0 255.255.255.0
access-group vpn in interface outside
The rules you added before were not working because of "sysopt connection permit-ipsec". This command allows IPsec traffic to bypass interface ACLs on the ASA.
1.) So by default my ASA is allowing my IPsec traffic to ignore rules on my interfaces, and just by adding "no sysopt connection permit-vpn" will mean I have to create rules for subnets/hosts, as they won't have access after? I don't see "sysopt connection permit-ipsec" currently in my config.
2.) What does "access-group vpn in interface outside" do, is "vpn" a group I have to create?
3.) For my knowledge, I take it it's best practice to have this kind of setup rather than my current one, as it means I can control the network better, but how can I allow any internet traffic through the tunnel and back out of the outside interface?
access-list vpn extended permit ip 172.19.15.0 255.255.255.0 any eq http?
Sorry for these questions
1. Yes. Try a "show run sysopt".
2. That just creates an access-list on the outside interface. "vpn" is just a name. It could very well be...
3. Depends if you want that control or not. You don't need to create a rule to allow the internet traffic out the outside interface. The outside acl is only for traffic passing between interfaces, not going back out the same interface it came in on.
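An added example of the approach described above (not config from any poster in this thread): permit-vpn disabled, then an outside ACL that lets the remote office reach only named HQ hosts and the internet. It assumes a DNS server at 192.168.21.1, a placeholder <HQ-APP-SERVER>, and 192.168.0.0/16 as the HQ internal range; adjust to your own addressing.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: DNS server 192.168.21.1, application server <HQ-APP-SERVER>
! (placeholder), HQ internal space 192.168.0.0/16.
!
! 1. Stop decrypted VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-vpn
!
! 2. Outside ACL: specific permits first, then deny everything else at HQ.
access-list vpn extended permit udp 172.19.15.0 255.255.255.0 host 192.168.21.1 eq domain
access-list vpn extended permit tcp 172.19.15.0 255.255.255.0 host <HQ-APP-SERVER> eq 443
access-list vpn extended deny ip 172.19.15.0 255.255.255.0 192.168.0.0 255.255.0.0
!
! 3. Web traffic that the ASA forwards straight back out the outside
!    interface (hairpin) must also be permitted here, and the ASA only
!    hairpins when same-security intra-interface traffic is allowed.
access-list vpn extended permit tcp 172.19.15.0 255.255.255.0 any eq www
access-list vpn extended deny ip any any
!
same-security-traffic permit intra-interface
access-group vpn in interface outside
!
! 4. Verify: the hit counts show which entry each remote-office flow matches.
show access-list vpn
```

Because the deny for 192.168.0.0/16 sits above the "permit ... any eq www" line, a remote host cannot reach an HQ web server just because port 80 is open to the internet.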
1. Here is my output:
ASA5520-1# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt noproxyarp inside
sysopt noproxyarp DMZ1_Web_Servers
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
Also, what is "no sysopt radius ignore-secret"? I use RADIUS for my Cisco VPN Client connections.
3.) Thing is, the Internet traffic will eventually have to be routed inside first and then somehow back out (yet to work out how to do this) so our Websense/SurfControl can monitor the traffic. I take it this will create a problem with the access lists?
"no sysopt connection permit-vpn" worked. I stopped the tunnel, then after the VPN came back up I couldn't connect to anything, but as soon as I started to add access rules to the outside things started to come up.
What do you think about question 3? I will need to push Internet traffic inbound to a web filter server and then back out; what sort of rule will that require?
You need to add a tunneled route.
route inside 0.0.0.0 0.0.0.0
That should make all traffic from IPsec clients go to your web filter first.
Hope that helps. Please rate helpful posts.
1.) I've tried to use "route inside 0.0.0.0 0.0.0.0
2.) Could I point it to a gateway router inside the network which pushes all the traffic to the ASA, that way it passes the filter server on VLAN2 (diag)? If so what router could do this? I only have a spare 877 DSL router, although if it worked I could get a 1800.
I have a simple diag of the setup attached
1.) Where is the name server located?
2.) I believe when using the tunneled keyword, the route must point to a device on the same subnet as the inside interface of ASA.
1.) My DNS servers are located inside on subnet 192.168.21.x; the DHCP scope for the users on the VPNs points to these already and resolves names to IPs.
2.) The IP of the inside interface is 188.8.131.52/24 so would the device have to be on this subnet? And in the VLAN2 of the diag?
3.) Or can I point it to another internal subnet?
4.) This device has to be some sort of router?
If we can solve this I will be the happiest man alive.
I still have hopes that this scenario can work.
"1.) I've tried to use "route inside 0.0.0.0 0.0.0.0
-Are the DNS servers on the same subnet as the filter? If so, it should work. If not, then have you considered also adding something like this...
I hope you can stick with me on this while I test this; I've been stuck for weeks on this.
The DNS servers are on the 192.168.21.x subnet and the SurfControl web filter is on the 129.101.10.x/24 subnet.
route the traffic inbound to my DNS (which forwards to our ISP external DNS server)? This could then be sent back outbound via vlan2 then "seen" by the filter server?
That's the idea but was merely a guess.
Can you post more of your ASA config and a little topology of where all these subnets are? That would be helpful. Also, what's the filter IP? Never mind, found it on your diagram.
Let me see if I have this right.
Inside ASA - 184.108.40.206/16
Filter IP - 220.127.116.11/16
DNS Server - 192.168.21.x
Router between 18.104.22.168/16 and 192.168.21.x - 22.214.171.124
edit: This won't work
tunneled routes must be default routes only.
What do you need from the config? It's huge; an example of the routes, etc.?
Inside ASA - 126.96.36.199/16 VLAN2
Filter IP - 188.8.131.52/16 VLAN2
DNS Server - 192.168.21.1
Router between 184.108.40.206/16 and 192.168.21.x - 220.127.116.11 - this goes into Nortel core switches which have multiple VLANs/subnets like 192.168.20.x, 192.168.21.x; the cores do the rest.
Let me know what you need; if I need to buy a router to simplify things then I can do that too.
"edit: This won't work
tunneled routes must be default routes only. "
What does this mean? Does it mean I can only do route inside 0.0.0.0 0.0.0.0
Back at work today to start on this. I don't seem to have a spare router to put in VLAN 2 as you suggested, which is the VLAN for the inside interface of the ASA. I only have a Cisco 837 and an old Cisco PIX 515.
I have been allowed to buy a Cisco 1841, do you think this would be OK? If it doesn't work we have another project for it.
It only has 2 FE ports, but I guess I will only be using 1 of those ports to plug into VLAN2?
Have you tried writing an ACL on the VLAN2 to limit source VPN subnets to the destination HQ servers, on the controlling Layer 3 routing device behind your ASA?
Will I have yet.
As you may have read, the Internet doesn't come "inside" and I somehow need to push the traffic inside and then back out again so it's seen by VLAN2.
I've been looking into the Tunnel Default Gateway option:
"route inside 0.0.0.0 0.0.0.0
I have been told the gateway IP can only be an IP that is in the same subnet as the inside interface of the ASA, so VLAN 2.
I have ordered a Cisco 1841 to test with, but am not sure what to add to this router when I get it. I guess I could just route all the traffic to the inside ASA or our Core nortel LAN switch?
I'm open to any suggestions
Is it just for HTTP/HTTPS traffic, or all internet traffic?
1) One idea could be to force the remote ends to use proxy settings in their internet browsers. Those proxy settings would point to your Websense server.
2) Another idea would be to have GRE tunnels from the remote ends into the core router. The IPsec SA would only be the two endpoint IP addresses on the tunnels (nice and easy), then you point your default route at the remote ends into the tunnels, i.e.
ip route 0.0.0.0 0.0.0.0 <
Once the traffic comes out of the tunnel it is subject to the core router's ACLs and the Websense server.
I do option 2 in my network, it works well for me.
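An added example of option 2 for the remote 877 end only (constructed here, not config from any poster in this thread): a GRE tunnel to the HQ router, IPsec selecting just the GRE between the two public endpoints, and a default route into the tunnel. <HQ-PUBLIC-IP>, <877-PUBLIC-IP>, <PRE-SHARED-KEY> and the 10.255.0.0/30 tunnel addressing are placeholders; the HQ end is assumed to terminate the GRE on a router behind or alongside the ASA.

```cisco
! Added example for the remote 877, not a poster's configuration.
! Placeholders: <HQ-PUBLIC-IP>, <877-PUBLIC-IP>, <PRE-SHARED-KEY>.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address <HQ-PUBLIC-IP>
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! The SA covers only GRE between the two endpoints, so the LAN
! subnets never appear in the crypto ACL and can change freely.
ip access-list extended GRE-TO-HQ
 permit gre host <877-PUBLIC-IP> host <HQ-PUBLIC-IP>
!
crypto map CM 10 ipsec-isakmp
 set peer <HQ-PUBLIC-IP>
 set transform-set TS
 match address GRE-TO-HQ
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Dialer0
 tunnel destination <HQ-PUBLIC-IP>
!
interface Dialer0
 crypto map CM
!
! Host route so the tunnel endpoint is not itself routed into the tunnel
! (recursive routing would flap the tunnel), then everything else into it.
ip route <HQ-PUBLIC-IP> 255.255.255.255 Dialer0
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! Verify: tunnel up, and the SA shows encaps/decaps counters climbing.
show interface Tunnel0
show crypto ipsec sa
```

The HQ router mirrors the tunnel (10.255.0.1/30) and, as the post says, filtering of the remote subnets then happens in the core ACLs and the web filter after the traffic leaves the tunnel.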
I went for option 2:
But got this syslog error:
Error ASA5520-1 : Deny tcp src inside:172.19.15.11/1992 dst outside:18.104.22.168/80 by access-group "inside_access_in" [0x0, 0x0]
I then added a rule on the inside interface to allow 172.19.15.0/24 to any on tcp/http and udp/domain, but then I got nothing in the syslog server and no web page displayed. Is it a NAT issue now, or a route back?
I added: ip route 0.0.0.0 0.0.0.0 <
The tunnel point being the gateway IP of the inside core switch, which is in VLAN2 - correct?
You created the GRE tunnels?
If you are using a proxy server, you should never see a packet with the source of the remote network in the ASA if the traffic is routing over the GRE through the proxy server. You should only see HTTP/TCP traffic with a destination of the internet and the source address of the proxy server?
I am presuming you have a default route in your core layer 3 devices pointing to your proxy server, and a default route in your proxy server pointing to your ASA?
Hi Andrew I think I have missed a lot here.
I just have a simple IPsec site-to-site VPN from a Cisco 877 to my Cisco ASA. I don't have a proxy server, just my SurfControl web filter server in VLAN 2. In VLAN 2 there is also the link to the core LAN switches; I added the tunneled route and pointed it to that switch.
Then I noticed the deny rules appear on the ASA when I tried to get to www.bbc.co.uk from the remote network, which is the first time I have ever seen traffic appear on the ASA from this site-to-site, so at first I was pleased.
I just need to know if it's going out to the website and if it's not getting back to the PC; pathping and traceroute are being unhelpful too.
OK - well, I've never used the tunneled default route before, and to be honest, in your explained setup I am surprised anything works!!!!
moving on - can you post the details of:-
Sure, let me go off and get that. In the meantime I did find this in the logs; does this show at least that the response is going out to the internet?
ASA5520-1 : Built outbound TCP connection 534450970 for outside:22.214.171.124/80 (126.96.36.199/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)
ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:188.8.131.52/80 (184.108.40.206/80)
To be honest, I cannot see the tunneled IP route working for you, reading the below:-
You are trying to do the whole thing in one device; I can't see how that is going to work.
For instance - you posted "ASA5520-1 : Built outbound TCP connection 534450970 for outside:220.127.116.11/80 (18.104.22.168/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)
ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:22.214.171.124/80 (126.96.36.199/80)"
I can't see why the ASA would actually route that return traffic back to the remote site and encrypt it at the same time without NATing it, not to mention that by the looks of it the ASA is confused about what to actually do with the packet.
Sorry, I am not convinced this will work. I will stand corrected, but basic routing logic defies this.
Unless this router I get can help? If I add it to that VLAN 2 and force any traffic back to the inside of the ASA to take care of, as it has all the routes on there? Possible?
The 1841 has 2 FEs; I guess I would only need 1 of the ports and give it an IP that the VLAN 2 subnet is set up with, so that way I can eliminate any routing issue in the LAN where it might get lost.
Adding the extra router - that is possible, but in my opinion it starts to get very complicated, to say the least.
Also in the url I posted was a policy based routing example which could help with this, no need for an extra router, as you have your core device. There is also GRE, as I said before - which would work, as I have it working in my environment.
Sorry for the basic question, but what is this GRE VPN?
Currently I have 40 VPNs going through my Cisco Concentrator, but am trying to plan the move over to the ASAs.
In an ideal world, what would be the simplest solution? What is this URL filtering option with Websense?
We use SurfControl, which has just been bought by Websense, and will be upgrading at some point.