netcmh
asked on
Tighten VPN Tunnel
Hello all,
This is a relatively easy one.
I've already established a vpn tunnel between a company and it's client. The client has been allowed access to a resource inside the company. It works.
Now, I'm trying to tighten the noose around that tunnel's neck. I just want to allow telnet traffic from the client into the company via the tunnel. Any help would be appreciated.
You can make up generic access-lists and crypto maps. Thanks.
This is a relatively easy one.
I've already established a vpn tunnel between a company and it's client. The client has been allowed access to a resource inside the company. It works.
Now, I'm trying to tighten the noose around that tunnel's neck. I just want to allow telnet traffic from the client into the company via the tunnel. Any help would be appreciated.
You can make up generic access-lists and crypto maps. Thanks.
ASKER
I'm sorry, should have mentioned. it's a pix firewall. thanks
Is this PIX running 7.0 or newer code?
3nerds
3nerds
Either Way here is a good explanation:
https://www.experts-exchange.com/questions/23801754/Cisco-ASA-5510-VPN-Tunnel.html
If you have specific questions about the old way let me know.
Regards,
3nerds
https://www.experts-exchange.com/questions/23801754/Cisco-ASA-5510-VPN-Tunnel.html
If you have specific questions about the old way let me know.
Regards,
3nerds
ASKER
PIX Version 7.0(2)
ASKER
I may be missing something, but that links didn't help. My situation is a VPN tunnel. Please help me understand. Thanks
I think creating an outbound access list on your inside interface that allows telnet from your client's IP or subnet and denies all other traffic from that same IP or subnet would achieve what you are trying to accomplish. It would look something like this:
access-list inside_access_out extended permit tcp <ClientSubnet> <ClientMask> eq telnet host <TelnetServerIP>
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
Then make sure that access list is assigned to your inside interface for traffic leaving that interface:
access-group inside_access_out out interface inside
Let me know if that doesn't make sense or work
-Christian
access-list inside_access_out extended permit tcp <ClientSubnet> <ClientMask> eq telnet host <TelnetServerIP>
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
Then make sure that access list is assigned to your inside interface for traffic leaving that interface:
access-group inside_access_out out interface inside
Let me know if that doesn't make sense or work
-Christian
ASKER
Thank you. I know how to do that but am at a loss to understand how to implement that acl with a tunnel. plus it's telnet access in from the client into our dmz network's server
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Wow, thanks. Could you tell me why I need:
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
ASKER
And, shouldn't I be using nonat or something?
ASKER
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
would not allow that traffic in to the inside int
but, what about the nonat commands i keep seeing everywhere
would not allow that traffic in to the inside int
but, what about the nonat commands i keep seeing everywhere
ASKER
regarding that same access-list, do i still need it, if I have a static route in place to get those packets to go towards the dmz only?
ASKER
ok, got all the answers to those stupid questions in your statement:
You can't filter to the port level on a tunnel, so you need to allow all traffic into your firewall across the VPN tunnel, but then filter traffic outbound from the firewall into the DMZ and any other networks using egress filters.
thanks
You can't filter to the port level on a tunnel, so you need to allow all traffic into your firewall across the VPN tunnel, but then filter traffic outbound from the firewall into the DMZ and any other networks using egress filters.
thanks
ASKER
related question: when i apply these configs to the pix, and if the tunnel is already established prior to my applying these rules, will they work? Or, should I sever the link and try again?
I ask this because a buddy at the client can still ftp into the box. thanks for your help so far, ChristianT
I ask this because a buddy at the client can still ftp into the box. thanks for your help so far, ChristianT
ASKER
It's still not working. My buddy can still ftp into the server.
I've even tried the vpn filter config at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Please help
I've even tried the vpn filter config at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Please help
Could you post a copy of your running config? Please sanitize it by removing public IPs and passwords, encrypted or not?
-CT
-CT
ASKER
Sorry, was out of town, back now. Attached is the config
Notes:
pix ios 7.0(2)
external 1.1.1.1
internal 10.10.10.10
dmz 11.11.11.11
the 12.12.12.0 network is on the DMZ side, but is not accessible to anyone other than the clients coming in over the tunnel
the 12.12.12.12 is the host that is only accessible to the clients
the 2.2.2.0 network is the client's network
3.3.3.3 is the client's external IP
VPN tunnel works. The clients can telnet, ping, and ftp into the 12.12.12.12 machine. I want to be able to lock them down to just telnet.
Thanks for all your help.
Notes:
pix ios 7.0(2)
external 1.1.1.1
internal 10.10.10.10
dmz 11.11.11.11
the 12.12.12.0 network is on the DMZ side, but is not accessible to anyone other than the clients coming in over the tunnel
the 12.12.12.12 is the host that is only accessible to the clients
the 2.2.2.0 network is the client's network
3.3.3.3 is the client's external IP
VPN tunnel works. The clients can telnet, ping, and ftp into the 12.12.12.12 machine. I want to be able to lock them down to just telnet.
Thanks for all your help.
pixfirewall# sh run
: Saved
:
PIX Version 7.0(2)
:trimmed
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 11.11.11.11 255.255.255.252
!
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnet
access-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any
:trimmed
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 2.2.2.0 255.255.252.0 1.1.1.2 1
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1
:trimmed
group-policy bvftun internal
group-policy bvftun attributes
vpn-filter value DMZ_access_out
:trimmed
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer 3.3.3.3
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote interface outside
isakmp enable outside
:trimmed
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
:trimmed
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy bvftun
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
I've snipped out the section of the config and bolded the additions you need to add. Explanations are below:
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnetaccess-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any:trimmednat-controlglobal (outside) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 10.10.10.0 255.255.255.0nat (inside) 0 0.0.0.0 0.0.0.0nat (dmz) 0 access-list dmz_nat0_outboundnat (dmz) 0 0.0.0.0 0.0.0.0access-group outside_access_in in interface outside
access-group DMZ_access_out out interface dmzroute outside 2.2.2.0 255.255.252.0 1.1.1.2 1route outside 0.0.0.0 0.0.0.0 1.1.1.2 1route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1
Explanation:
You need to tie the access list to an interface for the filters to be applied to traffic on that interface. The breakdown of the command is:
access-group <ACL_NAME> <Direction_of_Traffic> interface <interface>
Let me know if you need additional clarification.
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnetaccess-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any:trimmednat-controlglobal (outside) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 10.10.10.0 255.255.255.0nat (inside) 0 0.0.0.0 0.0.0.0nat (dmz) 0 access-list dmz_nat0_outboundnat (dmz) 0 0.0.0.0 0.0.0.0access-group outside_access_in in interface outside
access-group DMZ_access_out out interface dmzroute outside 2.2.2.0 255.255.252.0 1.1.1.2 1route outside 0.0.0.0 0.0.0.0 1.1.1.2 1route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1
Explanation:
You need to tie the access list to an interface for the filters to be applied to traffic on that interface. The breakdown of the command is:
access-group <ACL_NAME> <Direction_of_Traffic> interface <interface>
Let me know if you need additional clarification.
ASKER
Thank you for your help.
create an ACL that allow only port 23 from this tunnel
if your tunnel interface like this
interface tunnel0
ip access group 111 in
ip access group 111 in
access-list 111 permit tcp any x.x.x.x y.y.y.y eq 23 >>> x.x.x.x your company IPs and y.y.y.y your company wildcard mask