VPN filtering and access from local to remote site

Tomasz Mowinski
Level 1

Hi

I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.

But I also want to have full access from local to remote networks (while still preserving restricted access from remote to local). As I know, VPN Filter works bi-directionally with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic?

ASA 5520 8.4(3)

thank you in advance

Tomasz Mowinski

4 Replies

Jouni Forss
VIP Alumni

Hi,

That's a good question.

I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.

The only thing I can come up with right now is to stop using the VPN Filter list and change the "sysopt" setting so that the ASA won't let VPN traffic past the outside interface without checking the outside interface ACL.

The Configuration command (8.2) is the following:

sysopt connection permit-vpn

For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.

After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.

Hope this helps

- Jouni

Hi Jouni

Thank you for the answer.

I would like to avoid disabling sysopt connection permit-vpn. But it looks like it is the only way to manage the traffic in both directions...

But first I will try to restrict traffic from local to remote only to certain ports. And the question is - will this also allow traffic from remote to local on the same ports?

regards

Tomasz

Hi,

Well, let's say you have a filter ACL rule where you allow HTTP traffic from the local network to a remote host:

local network: 10.10.10.0/24

remote host: 192.168.10.10/32

The ACL filter rule would be the following:

access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0

I think this ACL rule would also mean that as long as the remote host was using a source port of TCP/80, it could access any TCP port on any host in your local network.

I guess you could add some port ranges or even service object-groups to the ACL rules so that not every well known port would be accessible on the local network. But I guess that might complicate the configurations quite a bit.

We are usually handling Client and L2L VPN on a totally different ASA, which lets us do all the traffic filtering on another device and not run into this kind of problem. But of course there are some situations/networks where that just isn't possible, and it also isn't a feasible solution for some because of the costs of having an additional ASA.

Please rate if you found any of the info helpful.

- Jouni
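The bidirectional matching Jouni describes can be checked without an ASA in front of you. The following Python model is an added example, not part of the thread and not Cisco code: it parses `permit tcp` entries in the form used above (source is the remote tunnel side, destination the local side), matches inbound traffic as written and outbound traffic with source and destination swapped, which is how the ASA applies a VPN filter to both directions. It then contrasts the ACE from the post with a variant that pins the local side to an ephemeral port range, the kind of tightening the reply suggests. The addresses, ports and ACL name are the ones from the thread; the `range 1024 65535` variant is an assumed example, not something the page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Inclusive (low, high) port range; None means "any port".
PortSpec = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp' entry of an ASA VPN filter ACL.

    For a VPN filter the ASA expects the *remote* (tunnel) side as the
    source and the *local* side as the destination.
    """
    src_net: ipaddress.IPv4Network
    src_port: PortSpec
    dst_net: ipaddress.IPv4Network
    dst_port: PortSpec


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A.B.C.D', 'any', or 'NETWORK MASK' starting at tok[i]."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional 'eq N' or 'range A B' operator at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit tcp <src> [port] <dst> [port]'.

    Only the subset of syntax used in the thread is supported; anything
    else raises ValueError so a typo is not silently treated as 'any'.
    """
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "tcp"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src_net, i = _parse_addr(tok, 4)
    src_port, i = _parse_port(tok, i)
    dst_net, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in ACE: {tok[i:]}")
    return Ace(src_net, src_port, dst_net, dst_port)


def _port_ok(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def _ace_matches(ace: Ace, src: str, sport: int, dst: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ace.src_net and _port_ok(ace.src_port, sport)
            and ipaddress.ip_address(dst) in ace.dst_net and _port_ok(ace.dst_port, dport))


def vpn_filter_permits(acl: List[Ace], src: str, sport: int,
                       dst: str, dport: int, direction: str) -> bool:
    """Decide whether a TCP packet passes the VPN filter.

    direction 'inbound'  = remote -> local: match the ACE as written.
    direction 'outbound' = local -> remote: the ASA applies the same ACE
    with source and destination swapped, so the packet's *destination*
    is compared against the ACE source and vice versa.
    """
    if direction == "inbound":
        return any(_ace_matches(a, src, sport, dst, dport) for a in acl)
    if direction == "outbound":
        return any(_ace_matches(a, dst, dport, src, sport) for a in acl)
    raise ValueError(direction)


# The ACE from the thread, and an assumed tighter variant that restricts
# the local side to ephemeral ports so a remote source port of 80 can no
# longer reach well-known local services.
ACE_FROM_THREAD = "access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0"
ACE_TIGHTENED = ACE_FROM_THREAD + " range 1024 65535"


def evaluate(ace_line: str) -> dict:
    """Run three constructed sample flows through one ACE and report each."""
    acl = [parse_ace(ace_line)]
    return {
        # Intended: a local client talking to the remote web server.
        "local_to_remote_http": vpn_filter_permits(acl, "10.10.10.5", 40000,
                                                   "192.168.10.10", 80, "outbound"),
        # Side effect Jouni points out: remote host sourcing from 80 to local SSH.
        "remote_sport80_to_local_ssh": vpn_filter_permits(acl, "192.168.10.10", 80,
                                                          "10.10.10.5", 22, "inbound"),
        # Remote host using an ordinary source port is still blocked.
        "remote_ephemeral_to_local_ssh": vpn_filter_permits(acl, "192.168.10.10", 40000,
                                                            "10.10.10.5", 22, "inbound"),
    }


if __name__ == "__main__":
    for label, line in (("as posted", ACE_FROM_THREAD), ("tightened", ACE_TIGHTENED)):
        print(label, evaluate(line))
```

The first result set shows the behaviour the reply predicts: the posted ACE permits the intended HTTP flow outbound but also admits any remote connection whose source port happens to be 80. Adding a destination port range keeps the HTTP flow (its return side lands on an ephemeral local port) while the SSH attempt from source port 80 is now dropped. Port ranges or service object-groups, as the reply suggests, are what make this workable on the real ASA.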

Thank you. So it looks like the only way is to use another device to filter the traffic.

best regards

Tomasz