• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4416

Cisco ASA LAN 2 LAN VPN Filter blocking ALL traffic.

Hi, I've got a LAN 2 LAN VPN running between the main site (Cisco ASA) and the remote site (Linksys RVS4000) and I cannot figure out how to apply a filter to the tunnel group without killing all traffic on the tunnel. I created a simple access list on the ASA to do this:

access-list BlockRemoteLAN extended deny ip any any

I also tried a version of this where I only allowed traffic from the local LAN subnet to any and everything else was implicitly denied.

What is the deal? I thought the filter applied just as a remote-access filter does!

I appreciate any help!
Asked: Pugglewuggle

1 Solution

Voltz-dkCommented:
It does work as a remote-access filter does, but maybe you mistake it for a client-firewall filter?

When you make these filters, source is remote network and destination is your local.  They are not implicitly allowing any traffic, such as the firewall-filter would, so your deny any any is expected to block everything.  (Otherwise you wouldn't have any real control.)

You can check this link out for some background info and example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
PugglewuggleAuthor Commented:
Hmm... interesting... I'm just curious about this then as well: when I have no ACL then all ports are allowed in and out from both sides. Is this normal unless a filter is applied? Also, is there a method to filter outbound (to remote VPN) traffic, or is this just handled by interface ACLs? And what about the default setting that allows all incoming VPN connections to bypass interface access-lists on the ASA: does this apply only to RA connections, or also to L2L ones?

Thanks!
PugglewuggleAuthor Commented:
And by the bypass interface ACLs I meant:

sysopt connection permit-vpn

Thanks!
PugglewuggleAuthor Commented:
And yet one more thing: When I did have the filter set to deny any any, I was not able to go and connect out to hosts in the remote VPN. From what I understand, this only applies to INCOMING traffic (incoming to the local ASA). So if this is the case, then why can I not communicate with hosts in the remote network from the local network?
PugglewuggleAuthor Commented:
Okay, I can confirm that when the filter is on, I can make no outbound connections from the local network to the remote network. When the filter is set to none then I can connect to remote networks and they can connect to me without restriction.

Here is the config for the L2L tunnel-group, applied group policy, and filter:
access-list DenyAll extended deny ip any any
 
group-policy BlockRemoteLAN internal
group-policy BlockRemoteLAN attributes
 vpn-filter DenyAll
 vpn-tunnel-protocol IPSec
 
tunnel-group 71.xx.xx.xx type ipsec-l2l
tunnel-group 71.xx.xx.xx general-attributes
 default-group-policy BlockRemoteLAN
tunnel-group 71.xx.xx.xx ipsec-attributes
 pre-shared-key *

Voltz-dkCommented:
Wow, a lot of posts :)

>when I have no ACL then all ports are allowed in and out from both sides. Is this normal unless a filter is applied?
It is normal when you have the sysopt mentioned, which I believe is the default in newer software versions. The sysopt doesn't affect outgoing traffic, but restrictions on such traffic are often not so severe.

>Also, is there a method to filter outbound (to remote VPN) traffic or is this just handled by interface ACLs?
The filter is bi-directional, so yes.  I'll elaborate later in the post.

>And what about the default setting that allows all incoming VPN connections to bypass interface access-lists on the ASA does this apply only to RA connections or
>also to L2L ones?
That applies to both.

>When I did have the filter set to deny any any, I was not able to go and connect out to hosts in the remote VPN. From what I understand, this only applies to
>INCOMING traffic
As mentioned above it's bi-directional.
---
deny ip any any, applied as a tunnel-filter will block all traffic - both directions.
As written in the example I posted a link to previously, source is the remote net and destination is the local net.  You then use source ports to specify outbound traffic.

Example:
Remote net is 192.168.1.0/24, and local is 10.1.1.0/24

Suppose remote users need access to the local FTP server at .10, and local users need access to the remote webserver at .20
The filter should be like this:
access-list filter extended permit tcp host 192.168.1.20 eq 80 10.1.1.0 255.255.255.0
access-list filter extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 21
(implicit, or optionally explicit) access-list filter extended deny ip any any
PugglewuggleAuthor Commented:
Alright... this is just confusing me now.

I now have the following configuration and traffic is still allowed in both directions! Shouldn't this make it so I can access any remote addresses from the local address and then deny ANYTHING else, no matter where it comes from? I have modified IP addresses to match your local/remote scheme above.

I have also made sure the VPN session was logged off and reinitiated to make sure the policy was applied to the tunnel.

Any ideas?


access-list BlockRemote extended permit ip any 10.1.1.0 255.255.255.0
access-list BlockRemote extended deny ip any any
 
group-policy BlockRemoteLAN internal
group-policy BlockRemoteLAN attributes
 vpn-filter BlockRemote
 vpn-tunnel-protocol IPSec
 
tunnel-group 71.xx.xx.xx type ipsec-l2l
tunnel-group 71.xx.xx.xx general-attributes
 default-group-policy BlockRemoteLAN
tunnel-group 71.xx.xx.xx ipsec-attributes
 pre-shared-key *

Voltz-dkCommented:
No, that filter will allow everything in both directions.  You can't achieve what you desire (allows all in one direction, while denying all in the other) with a VPN filter, since it's bi-directional.
If you want that you should disable the permit-vpn, and just use interface ACLs.
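Added example (not part of the thread, and not Cisco's code): a small Python model of the vpn-filter evaluation Voltz-dk describes above, in which the ACL is written with the remote network as source and the local network as destination and the same ACL is checked for both directions, with the 5-tuple of local-to-remote packets reversed before matching. It is run against the two access lists posted in this thread: the "permit ip any 10.1.1.0 255.255.255.0" filter and the pinpoint web/FTP filter. The sample flows, the subnet assignment (10.1.1.0/24 local, 192.168.1.0/24 remote, as in the thread) and the reduced ACL grammar are assumptions of the example. It reproduces both observations: the first filter permits everything in both directions, and a permit keyed on source port 80 also lets the remote web server initiate connections from port 80 to any local port, which is the exposure raised later in the thread.

```python
"""Constructed model of how an ASA evaluates a vpn-filter on an L2L tunnel.

Added example, not code from the thread or from Cisco.  Only a subset of the
ASA ACL grammar is modelled:

  [access-list NAME [extended]] permit|deny ip|tcp|udp|icmp SRC [eq N] DST [eq N]

where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")      # behind the ASA (assumed, as in thread)
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")  # behind the RVS4000 (assumed)


def _parse_addr(tok, i):
    """Return (network, next index) for the address spec starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def _parse_port(tok, i):
    """Return (port or None, next index); only 'eq N' is supported."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-list entry into a dict."""
    tok = line.split()
    if tok[0] == "access-list":          # drop 'access-list NAME [extended]'
        tok = tok[3:] if tok[2] == "extended" else tok[2:]
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, _ = _parse_port(tok, i)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _ace_matches(ace, proto, src, sport, dst, dport):
    return ((ace["proto"] == "ip" or ace["proto"] == proto)
            and src in ace["src"] and dst in ace["dst"]
            and ace["sport"] in (None, sport)
            and ace["dport"] in (None, dport))


def vpn_filter_permits(acl_lines, proto, src, sport, dst, dport):
    """Decide whether a packet crossing the tunnel passes the vpn-filter.

    src/dst are the packet's real addresses.  For a local-to-remote packet the
    ASA matches the ACL against the reversed 5-tuple, so that the ACL's
    'source' is always the remote side.  The implicit deny at the end of every
    ACL is modelled by the final 'return False'.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL_NET:                 # outbound: evaluate with sides swapped
        src, sport, dst, dport = dst, dport, src, sport
    for ace in map(parse_ace, acl_lines):
        if _ace_matches(ace, proto, src, sport, dst, dport):
            return ace["action"] == "permit"
    return False                         # implicit deny ip any any


# The filter from the thread that "allowed everything in both directions".
BLOCK_REMOTE = [
    "access-list BlockRemote extended permit ip any 10.1.1.0 255.255.255.0",
    "access-list BlockRemote extended deny ip any any",
]

# The pinpoint filter: local users reach the remote web server,
# remote users reach the local FTP server.
PINPOINT = [
    "access-list filter extended permit tcp host 192.168.1.20 eq 80 10.1.1.0 255.255.255.0",
    "access-list filter extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 21",
]

if __name__ == "__main__":
    flows = [  # (proto, src, sport, dst, dport): constructed sample traffic
        ("tcp", "10.1.1.5", 40000, "192.168.1.20", 80),    # local -> remote web
        ("tcp", "192.168.1.7", 50000, "10.1.1.10", 21),    # remote -> local FTP
        ("tcp", "10.1.1.5", 40001, "192.168.1.30", 22),    # local -> remote SSH
        ("tcp", "192.168.1.7", 50001, "10.1.1.5", 445),    # remote -> local SMB
        ("tcp", "192.168.1.20", 80, "10.1.1.5", 445),      # remote web server, sport 80
    ]
    for name, acl in (("BlockRemote", BLOCK_REMOTE), ("pinpoint", PINPOINT)):
        for f in flows:
            print(name, f, "permit" if vpn_filter_permits(acl, *f) else "deny")
```

Run as a script it prints the verdict for each sample flow under both filters. The last flow is the one to look at: because the pinpoint filter's first entry matches on the remote server's source port rather than on who opened the connection, a compromised 192.168.1.20 sending from port 80 passes the filter to any local host and port, and with sysopt connection permit-vpn in place the interface ACL never sees it.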
PugglewuggleAuthor Commented:
So what you're saying then is that a filter basically has no effect on an L2L tunnel past allowing all or denying all traffic. Is this a correct interpretation?

And do filters overrule interface ACLs for remote access connections?
Voltz-dkCommented:
No I wouldn't say that, as you saw in the example I made it was quite pinpoint access.  It's just no good for a completely asymmetric situation.

>And do filters overrule interface ACLs for remote access connections?
I've actually not really tried to combine them, but I feel pretty confident both would apply.  But I wouldn't bother with filters if I was using interface ACLs anyways.
PugglewuggleAuthor Commented:
Well that stinks. Let me just see if I can allow something piddly like echo through from the remote side and see if that doesn't kill the tunnel.

As for the filter application in such a situation, the reason I mentioned this is that we control access on broad group basis and then have specific filters for some users allowing and denying specific access. I'm pretty sure that the filter is applied first and then if it still isn't dropped the interface ACL is applied; thus making it so you can allow a user or group into a network that all inbound traffic is denied on.
PugglewuggleAuthor Commented:
Alright! So it appears that when allowing one type of traffic from one network to another network when doing an L2L VPN, the stupid filter allows this traffic in BOTH directions without asking. Great. So if I allow my local network access to all ports of webserver in the remote network (which happens to be a DMZ) then the VPN opens up ALL ports back to my local network so the remote server can then attack my local network if it is compromised! Wonderful. I suppose the only way around this is to use interface ACLs on this ASA then, isn't it?
PugglewuggleAuthor Commented:
Okay... so I just removed all filters from the L2L tunnel and killed the sysopt conn perm-v command. Now no traffic will go from the local to the remote or vice versa. Apparently it's all or nothing.
Voltz-dkCommented:
But if it is a webserver, why do you need access to all ports?  But yes, the vpn filters are certainly limited..

Have you replaced the permit-vpn with proper interface ACLs?  This is not all or nothing, without that permit-vpn this traffic will appear just as regular interface traffic.  I've done it many times.  And aside from it looking odd with private IPs on the internet interface, it does work :)
PugglewuggleAuthor Commented:
We need to be able to access all ports on the entire remote subnet for management. The server runs lots of services and the local network is the IT management team.

I allowed all outbound and denied all inbound on the interface ACLs... it still wouldn't allow any traffic. Any ideas?
Voltz-dkCommented:
Sounds like you got an error somewhere, but without seeing some config I don't have much of a chance.

What do your syslogs say? (use level informational)
Voltz-dkCommented:
Oh ya, what software version do you run?  Does it have packet-tracer?

If so you can try,

packet-tracer input inside tcp 10.1.1.1 5000 192.168.1.20 80 detailed

Where you replace the IPs with local and remote.