Cisco Support Community

New Member

Using access rules to block certain VPN traffic help

Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.

It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?

I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the inside interface or the outside interface?

39 REPLIES
Green

Re: Using access rules to block certain VPN traffic help

You have 2 options.

vpn-filter

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or something like this, acl on outside interface...

no sysopt connection permit-vpn

access-list vpn extended permit ip 172.19.15.0 255.255.255.0

access-list vpn extended permit ip 172.19.15.0 255.255.255.0

access-group vpn in interface outside

The rules you added before were not working because of "sysopt connection permit-ipsec". This command allows IPsec traffic to bypass interface ACLs on the ASA.
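A worked configuration for the vpn-filter option mentioned above, added here as an example; it is not from the thread or the linked Cisco document. It assumes the HQ DNS server is 192.168.21.1 (given later in the thread), a file server at 192.168.21.10, a remote peer address of 203.0.113.10 and the policy names shown; all of these are placeholders.

```cisco
! Added example: restrict the 172.19.15.0/24 site with a per-tunnel vpn-filter
! instead of the outside interface ACL, so "sysopt connection permit-vpn" can
! stay in place and other tunnels are unaffected. Addresses are assumed.
!
! vpn-filter ACLs are written with the REMOTE network as the source and the
! HQ network as the destination; the ASA evaluates them for both directions
! of the tunnel and ends with an implicit deny.
access-list SITE15-FILTER extended permit udp 172.19.15.0 255.255.255.0 host 192.168.21.1 eq domain
access-list SITE15-FILTER extended permit tcp 172.19.15.0 255.255.255.0 host 192.168.21.10 eq 445
! Block everything else on the HQ ranges before the internet permits below.
access-list SITE15-FILTER extended deny ip 172.19.15.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list SITE15-FILTER extended deny ip 172.19.15.0 255.255.255.0 129.101.0.0 255.255.0.0
! Web traffic to anywhere else (the internet) is still allowed through.
access-list SITE15-FILTER extended permit tcp 172.19.15.0 255.255.255.0 any eq www
access-list SITE15-FILTER extended permit tcp 172.19.15.0 255.255.255.0 any eq https
!
! Attach the filter to the group policy used by this LAN-to-LAN tunnel.
group-policy SITE15-POLICY internal
group-policy SITE15-POLICY attributes
 vpn-filter value SITE15-FILTER
!
! Assumed public address of the remote 877 router.
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE15-POLICY
!
! Internet traffic enters and leaves on the outside interface, so the ASA
! must also be allowed to hairpin it (the matching NAT rule is omitted here
! because its syntax depends on the ASA version).
same-security-traffic permit intra-interface
```

With the outside-interface ACL alternative (no sysopt connection permit-vpn), the same access-list lines would be bound with access-group in interface outside, but that ACL then governs every inbound flow on the outside interface rather than just this tunnel.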

New Member

Re: Using access rules to block certain VPN traffic help

Hi,

1.) So by default my ASA is allowing my IPsec traffic to ignore rules on my interfaces, and just by adding "no sysopt connection permit-vpn" will mean I have to create rules for subnets/hosts as they won't have access after? I don't see "sysopt connection permit-ipsec" currently in my config.

2.) What does "access-group vpn in interface outside" do, is "vpn" a group I have to create?

3.) For my knowledge, I take it it's best practice to have this kind of setup rather than my current one as it means I can control the network better, but how can I allow any internet traffic through the tunnel and back out of the outside interface?

access-list vpn extended permit ip 172.19.15.0 255.255.255.0 any eq http?

Sorry for these questions

Green

Re: Using access rules to block certain VPN traffic help

1. Yes. Try a "show run sysopt".

2. That just creates an access-list on the outside interface. "vpn" is just a name. It could very well be...

access-list ...

access-group in interface outside

3. Depends if you want that control or not. You don't need to create a rule to allow the internet traffic out the outside interface. The outside ACL is only for traffic passing between interfaces, not going back out the same interface it came in on.

New Member

Re: Using access rules to block certain VPN traffic help

1. Here is my output:

ASA5520-1# sh run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt noproxyarp inside

sysopt noproxyarp DMZ1_Web_Servers

sysopt connection permit-vpn

no sysopt connection reclassify-vpn

Also, what is "no sysopt radius ignore-secret"? I use RADIUS for my Cisco client VPN connections.

2.) thanks

3.) Thing is, the Internet traffic will eventually have to be routed inside first, then somehow back out (yet to work out how to do this) so our Websense/Surfcontrol can monitor the traffic. I take it this will create a problem with the access lists?

New Member

Re: Using access rules to block certain VPN traffic help

"no sysopt connection permit-vpn" worked. I stopped the tunnel, then after the VPN came back up I couldn't connect to anything, but as soon as I started to add access rules to the outside, things started to come up.

What do you think about question 3? I will need to push Internet traffic inbound to a web filter server then back out; what sort of rule will that require?

Thanks

Green

Re: Using access rules to block certain VPN traffic help

You need to add a tunneled route.

route inside 0.0.0.0 0.0.0.0 tunneled

That should make all traffic from ipsec clients go to your webfilter first.

Hope that helps. Please rate helpful posts.

New Member

Re: Using access rules to block certain VPN traffic help

Hi there,

1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 tunneled" before but I then get no websites resolved from the VPN, I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?

2.) Could I point it to a gateway router inside the network which pushes all the traffic to the ASA, that way it passes the filter server on VLAN2 (diag)? If so what router could do this? I only have a spare 877 DSL router, although if it worked I could get a 1800.

I have a simple diagram of the setup attached.

Green

Re: Using access rules to block certain VPN traffic help

1.) Where is the name server located?

2.) I believe when using the tunneled keyword, the route must point to a device on the same subnet as the inside interface of ASA.

New Member

Re: Using access rules to block certain VPN traffic help

Hi,

1.) My DNS servers are located inside on subnet 192.168.21.x; the DHCP scope for the users on the VPNs points to these already and resolves names to IPs.

2.) The IP of the inside interface is 129.101.10.50/24 so would the device have to be on this subnet? And in the VLAN2 of the diag?

3.) Or can I point it to another internal subnet?

4.) This device has to be some sort of router?

If we can solve this I will be the happiest man alive.

Green

Re: Using access rules to block certain VPN traffic help

I still have hopes that this scenario can work.

"1.) I've tried to use "route inside 0.0.0.0 0.0.0.0 tunneled" before but I then get no websites resolved from the VPN, I guess it must be that the server isn't a gateway and doesn't know what to do with this traffic?"

-Are the dns servers on the same subnet as the filter? If so, it should work. If not then have you considered also adding something like this...

route inside 255.255.255.255 tunneled

New Member

Re: Using access rules to block certain VPN traffic help

I hope you can stick with me on this while I test this, I've been stuck for weeks on this.

The DNS servers are on the 192.168.21.x subnet and the surfcontrol webfilter is on 129.101.10.x/24 subnet.

Will:

route inside 255.255.255.255 tunneled

route the traffic inbound to my DNS (which forwards to our ISP external DNS server)? This could then be sent back outbound via vlan2 then "seen" by the filter server?

Green

Re: Using access rules to block certain VPN traffic help

That's the idea but was merely a guess.

Can you post more of your ASA config and a little topology of where all these subnets are? That would be helpful. Also, what's the filter IP? Never mind, found it on your diagram.

Let me see if I have this right.

Inside ASA - 129.101.10.50/16

Filter IP - 129.101.10.66/16

DNS Server - 192.168.21.x

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.100.52

edit: This won't work

route inside 255.255.255.255 tunneled

tunneled routes must be default routes only.

New Member

Re: Using access rules to block certain VPN traffic help

What do you need from the config? It's huge; an example of routes etc.?

Inside ASA - 129.101.10.50/16 VLAN2

Filter IP - 129.101.10.66/16 VLAN2

DNS Server - 192.168.21.1

Router between 129.101.0.0/16 and 192.168.21.x - 129.101.10.70 - this goes into Nortel core switches which have multiple VLANs/subnets like 192.168.20.x, 192.168.21.x; the cores do the rest.

Let me know what you need, if I need to buy a router to simplify then I can too.

New Member

Re: Using access rules to block certain VPN traffic help

Hi,

Quote

"edit: This won't work

route inside 255.255.255.255 tunneled

tunneled routes must be default routes only. "

What does this mean? Does it mean I can only do route inside 0.0.0.0 0.0.0.0 tunneled ?

Green

Re: Using access rules to block certain VPN traffic help

Yes.

New Member

Re: Using access rules to block certain VPN traffic help

Hi Acomiskey,

Back at work today to start on this. I don't seem to have a spare router to put in VLAN 2 as you suggested, which is the VLAN for the Inside interface of the ASA. I only have a Cisco 837 and an old Cisco Pix 515.

I have been allowed to buy a Cisco 1841, do you think this would be ok? If it doesn't work we have another project for it.

It only has 2 FE ports, but I guess I will only be using 1 of those ports to plug into VLAN2?

Re: Using access rules to block certain VPN traffic help

Have you tried writing an ACL on the VLAN2 to limit source VPN subnets to the destination HQ servers, on the controlling Layer 3 routing device behind your ASA?

New Member

Re: Using access rules to block certain VPN traffic help

Well, I haven't yet.

As you may have read, the Internet doesn't come "inside" and I somehow need to push the traffic inside then back out again so it's seen by VLAN2.

I've been looking into the Tunnel Default Gateway option:

"route inside 0.0.0.0 0.0.0.0 tunneled"

I have been told the gateway IP can only be an IP that is in the same subnet as the inside interface of the ASA, so VLAN 2.

I have ordered a Cisco 1841 to test with, but am not sure what to add to this router when I get it. I guess I could just route all the traffic to the inside of the ASA or our core Nortel LAN switch?

I'm open to any suggestions

Re: Using access rules to block certain VPN traffic help

Is it just for http/https traffic, or all internet traffic?

1) One idea could be to force the remote ends to use proxy settings in their internet browsers? Those proxy settings would point to your Websense server.

2) Another idea would be to have GRE tunnels from the remote ends into the core router. The IPsec SA would only be the two endpoint IP addresses on the tunnels (nice and easy), then you point your default route at the remote ends into the tunnels, i.e.

ip route 0.0.0.0 0.0.0.0 <>

Once the traffic comes out of the tunnel it is subject to the core router's ACLs and the Websense server.

I do option 2 in my network, it works well for me.

New Member

Re: Using access rules to block certain VPN traffic help

I went for option 2:

But got this syslog error:

Error ASA5520-1 : Deny tcp src inside:172.19.15.11/1992 dst outside:212.58.253.75/80 by access-group "inside_access_in" [0x0, 0x0]

I then added a rule on the inside interface to allow 172.19.15.0/24 to any on tcp/http and udp/domain but then got nothing in the syslog server and no webpage displayed, is it a NAT issue now or a route back?

I added: ip route 0.0.0.0 0.0.0.0 <>

The tunnel point being the gateway IP of the inside core switch that is in VLAN2 - correct?

Re: Using access rules to block certain VPN traffic help

You created the GRE tunnels?

If you are using a proxy server, you should never see a packet with the source of the remote network in the ASA if the traffic is routing over the GRE through the proxy server. You should only see http/tcp traffic with a destination of the internet with the source address of the proxy server?

I am presuming you have a default route in your core layer 3 devices pointing to your proxy server? and a default route in your proxy server pointing to your ASA?

New Member

Re: Using access rules to block certain VPN traffic help

Hi Andrew, I think I have missed a lot here.

I just have a simple IPsec site-to-site VPN from a Cisco 877 to my Cisco ASA. I don't have a proxy server, just my SurfControl Webfilter server in VLAN 2. In VLAN 2 there is also the link to the core LAN switches; I added the tunneled route and pointed it to that switch.

Then I noticed the deny rules appear on the ASA when I tried to get to www.bbc.co.uk from the remote network, which is the first time I have ever seen traffic appear on the ASA from this site-to-site so at first I was pleased.

Just need to know if it's going out to the website and if it's not getting back to the PC; pathping and traceroute are being unhelpful too.

Re: Using access rules to block certain VPN traffic help

OK - well I've never used the tunneled default route before, and to be honest in your explained setup I am surprised anything works!!!!

Moving on - can you post the details of:-

"inside_access_in"

Please?

New Member

Re: Using access rules to block certain VPN traffic help

Sure, let me go off and get that. In the meantime I did find this in the logs; does this show at least the response is going out to the internet?

ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)

New Member

Re: Using access rules to block certain VPN traffic help

I have this rule:

access-list inside_access_in extended permit ip 172.19.15.0 255.255.255.0 any

Re: Using access rules to block certain VPN traffic help

To be honest - I cannot see the tunneled IP route working for you, reading the below:-

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd8060b477.html

You are trying to do the whole thing in one device, can't see how that is going to work.

For instance - you posted "ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)"

Can't see why the ASA would actually route that return traffic back to the remote site and encrypt it at the same time without NATing it, not to mention by the looks of it the ASA is confused on what to actually do with the packet.

Sorry - I am not convinced this will work. I will stand corrected, but basic routing logic defies this.

New Member

Re: Using access rules to block certain VPN traffic help

Unless this router I get can help? If I add it to that VLAN 2 and force any traffic back to the inside of the ASA to take care of, as it has all the routes on there? Possible?

The 1841 has 2 FEs; I guess I would only need 1 of the ports and give it an IP that the VLAN 2 subnet is set up with, then that way I can eliminate any routing issue in the LAN where it might get lost.

Re: Using access rules to block certain VPN traffic help

Adding the extra router - that is possible, but in my opinion it starts to get very complicated, to say the least.

Also in the URL I posted was a policy based routing example which could help with this, no need for an extra router, as you have your core device. There is also GRE, as I said before, which would work, as I have it working in my environment.

HTH.

New Member

Re: Using access rules to block certain VPN traffic help

Sorry for the basic question, what is this GRE VPN?

Currently I have 40 VPNs going through my Cisco Concentrator, but am trying to plan the move over to the ASAs.

In an ideal world, what would be the simplest solution? What is this URL filtering option with Websense?

We use Surfcontrol which has just been bought by Websense and will be upgrading at some point?

867 Views, 0 Helpful, 39 Replies