asked on

Tighten VPN Tunnel

Hello all,

This is a relatively easy one.

I've already established a vpn tunnel between a company and it's client. The client has been allowed access to a resource inside the company. It works.

Now, I'm trying to tighten the noose around that tunnel's neck. I just want to allow telnet traffic from the client into the company via the tunnel. Any help would be appreciated.

You can make up generic access-lists and crypto maps. Thanks.

memo_tnt

hi

create an ACL that allow only port 23 from this tunnel

if your tunnel interface like this

interface tunnel0
ip access group 111 in
ip access group 111 in

access-list 111 permit tcp any x.x.x.x y.y.y.y eq 23 >>> x.x.x.x your company IPs and y.y.y.y your company wildcard mask

netcmh

ASKER

I'm sorry, should have mentioned. it's a pix firewall. thanks

3nerds

Is this PIX running 7.0 or newer code?

3nerds

3nerds

Either Way here is a good explanation:

https://www.experts-exchange.com/questions/23801754/Cisco-ASA-5510-VPN-Tunnel.html

If you have specific questions about the old way let me know.

Regards,

3nerds

netcmh

ASKER

PIX Version 7.0(2)

netcmh

ASKER

I may be missing something, but that links didn't help. My situation is a VPN tunnel. Please help me understand. Thanks

ChristianT

I think creating an outbound access list on your inside interface that allows telnet from your client's IP or subnet and denies all other traffic from that same IP or subnet would achieve what you are trying to accomplish. It would look something like this:

access-list inside_access_out extended permit tcp <ClientSubnet> <ClientMask> eq telnet host <TelnetServerIP>
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

Then make sure that access list is assigned to your inside interface for traffic leaving that interface:

access-group inside_access_out out interface inside

Let me know if that doesn't make sense or work

-Christian

netcmh

ASKER

Thank you. I know how to do that but am at a loss to understand how to implement that acl with a tunnel. plus it's telnet access in from the client into our dmz network's server

ASKER CERTIFIED SOLUTION

ChristianT

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

netcmh

ASKER

Wow, thanks. Could you tell me why I need:

access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

netcmh

ASKER

And, shouldn't I be using nonat or something?

netcmh

ASKER

access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

would not allow that traffic in to the inside int

but, what about the nonat commands i keep seeing everywhere

netcmh

ASKER

regarding that same access-list, do i still need it, if I have a static route in place to get those packets to go towards the dmz only?

netcmh

ASKER

ok, got all the answers to those stupid questions in your statement:

You can't filter to the port level on a tunnel, so you need to allow all traffic into your firewall across the VPN tunnel, but then filter traffic outbound from the firewall into the DMZ and any other networks using egress filters.

thanks

netcmh

ASKER

related question: when i apply these configs to the pix, and if the tunnel is already established prior to my applying these rules, will they work? Or, should I sever the link and try again?

I ask this because a buddy at the client can still ftp into the box. thanks for your help so far, ChristianT

netcmh

ASKER

It's still not working. My buddy can still ftp into the server.

I've even tried the vpn filter config at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please help

ChristianT

Could you post a copy of your running config? Please sanitize it by removing public IPs and passwords, encrypted or not?

-CT

netcmh

ASKER

Sorry, was out of town, back now. Attached is the config

Notes:

pix ios 7.0(2)
external 1.1.1.1
internal 10.10.10.10
dmz 11.11.11.11

the 12.12.12.0 network is on the DMZ side, but is not accessible to anyone other than the clients coming in over the tunnel
the 12.12.12.12 is the host that is only accessible to the clients
the 2.2.2.0 network is the client's network

3.3.3.3 is the client's external IP

VPN tunnel works. The clients can telnet, ping, and ftp into the 12.12.12.12 machine. I want to be able to lock them down to just telnet.

Thanks for all your help.

pixfirewall# sh run
: Saved
:
PIX Version 7.0(2)
:trimmed
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 11.11.11.11 255.255.255.252
!
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnet
access-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any
:trimmed
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 2.2.2.0 255.255.252.0 1.1.1.2 1
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1
:trimmed
group-policy bvftun internal
group-policy bvftun attributes
 vpn-filter value DMZ_access_out
:trimmed
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer 3.3.3.3
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote interface outside
isakmp enable outside
:trimmed
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
:trimmed
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy bvftun
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

Open in new window

ChristianT

I've snipped out the section of the config and bolded the additions you need to add. Explanations are below:
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnetaccess-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any:trimmednat-controlglobal (outside) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 10.10.10.0 255.255.255.0nat (inside) 0 0.0.0.0 0.0.0.0nat (dmz) 0 access-list dmz_nat0_outboundnat (dmz) 0 0.0.0.0 0.0.0.0access-group outside_access_in in interface outside
access-group DMZ_access_out out interface dmzroute outside 2.2.2.0 255.255.252.0 1.1.1.2 1route outside 0.0.0.0 0.0.0.0 1.1.1.2 1route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1

Explanation:
You need to tie the access list to an interface for the filters to be applied to traffic on that interface. The breakdown of the command is:
access-group <ACL_NAME> <Direction_of_Traffic> interface <interface>

Let me know if you need additional clarification.

netcmh

ASKER

Thank you for your help.