Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Tighten VPN Tunnel

Posted on 2010-01-08
20
Medium Priority
?
437 Views
Last Modified: 2012-05-08
Hello all,

This is a relatively easy one.

I've already established a vpn tunnel between a company and it's client. The client has been allowed access to a resource inside the company. It works.

Now, I'm trying to tighten the noose around that tunnel's neck. I just want to allow telnet traffic from the client into the company via the tunnel. Any help would be appreciated.

You can make up generic access-lists and crypto maps. Thanks.
0
Comment
Question by:netcmh
  • 13
  • 4
  • 2
  • +1
20 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26212683
hi

create an ACL that allow only port 23 from this tunnel

if your tunnel interface like this

interface tunnel0
ip access group 111 in
ip access group 111 in

access-list 111 permit tcp any x.x.x.x y.y.y.y eq 23  >>> x.x.x.x your company IPs and y.y.y.y your company wildcard mask


0
 
LVL 21

Author Comment

by:netcmh
ID: 26212694
I'm sorry, should have mentioned. it's a pix firewall. thanks
0
 
LVL 13

Expert Comment

by:3nerds
ID: 26212806
Is this PIX running 7.0 or newer code?

3nerds
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

 
LVL 13

Expert Comment

by:3nerds
ID: 26212821
Either Way here is a good explanation:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23801754.html

If you have specific questions about the old way let me know.

Regards,

3nerds
0
 
LVL 21

Author Comment

by:netcmh
ID: 26212851
PIX Version 7.0(2)
0
 
LVL 21

Author Comment

by:netcmh
ID: 26212876
I may be missing something, but that links didn't help. My situation is a VPN tunnel. Please help me understand. Thanks
0
 
LVL 3

Expert Comment

by:ChristianT
ID: 26213141
I think creating an outbound access list on your inside interface that allows telnet from your client's IP or subnet and denies all other traffic from that same IP or subnet would achieve what you are trying to accomplish. It would look something like this:

access-list inside_access_out extended permit tcp <ClientSubnet> <ClientMask> eq telnet host <TelnetServerIP>
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

Then make sure that access list is assigned to your inside interface for traffic leaving that interface:

access-group inside_access_out out interface inside

Let me know if that doesn't make sense or work

-Christian
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213156
Thank you. I know how to do that but am at a loss to understand how to implement that acl with a tunnel. plus it's telnet access in from the client into our dmz network's server
0
 
LVL 3

Accepted Solution

by:
ChristianT earned 2000 total points
ID: 26213520
You can't filter to the port level on a tunnel, so you need to allow all traffic into your firewall across the VPN tunnel, but then filter traffic outbound from the firewall into the DMZ and any other networks using egress filters.

I've attached a diagram that helped me to understand how this works.  the Black Line represents the traffic  coming across the VPN.

In your case you will need rules like this:
access-list DMZ_access_out extended permit tcp <ClientSubnet> <ClientMask> eq telnet host <TelnetServerIP>
access-list DMZ_access_out extended deny ip <ClientSubnet> <ClientMask> any
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

and apply them to your interfaces like:
access-group inside_access_out out interface inside
access-group DMZ_access_out out interface DMZ
Firewall-Filter-Diagram.jpg
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213558
Wow, thanks. Could you tell me why I need:

access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213605
And, shouldn't I be using nonat or something?
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213659
access-list inside_access_out extended deny ip <ClientSubnet> <ClientMask> any

would not allow that traffic in to the inside int

but, what about the nonat commands i keep seeing everywhere
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213670
regarding that same access-list, do i still need it, if I have a static route in place to get those packets to go towards the dmz only?
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213682
ok, got all the answers to those stupid questions in your statement:

You can't filter to the port level on a tunnel, so you need to allow all traffic into your firewall across the VPN tunnel, but then filter traffic outbound from the firewall into the DMZ and any other networks using egress filters.

thanks
0
 
LVL 21

Author Comment

by:netcmh
ID: 26213799
related question: when i apply these configs to the pix, and if the tunnel is already established prior to my applying these rules, will they work? Or, should I sever the link and try again?

I ask this because a buddy at the client can still ftp into the box. thanks for your help so far, ChristianT
0
 
LVL 21

Author Comment

by:netcmh
ID: 26214247
It's still not working. My buddy can still ftp into the server.

I've even tried the vpn filter config at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please help
0
 
LVL 3

Expert Comment

by:ChristianT
ID: 26275208
Could you post a copy of your running config?  Please sanitize it by removing public IPs and passwords, encrypted or not?

-CT
0
 
LVL 21

Author Comment

by:netcmh
ID: 26295926
Sorry, was out of town, back now. Attached is the config

Notes:

pix ios 7.0(2)
external 1.1.1.1
internal 10.10.10.10
dmz 11.11.11.11

the 12.12.12.0 network is on the DMZ side, but is not accessible to anyone other than the clients coming in over the tunnel
the 12.12.12.12 is the host that is only accessible to the clients
the 2.2.2.0 network is the client's network

3.3.3.3 is the client's external IP

VPN tunnel works. The clients can telnet, ping, and ftp into the 12.12.12.12 machine. I want to be able to lock them down to just telnet.

Thanks for all your help.


pixfirewall# sh run
: Saved
:
PIX Version 7.0(2)
:trimmed
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 11.11.11.11 255.255.255.252
!
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0
access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnet
access-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any
:trimmed
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 2.2.2.0 255.255.252.0 1.1.1.2 1
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1
:trimmed
group-policy bvftun internal
group-policy bvftun attributes
 vpn-filter value DMZ_access_out
:trimmed
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer 3.3.3.3
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote interface outside
isakmp enable outside
:trimmed
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
:trimmed
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy bvftun
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

Open in new window

0
 
LVL 3

Expert Comment

by:ChristianT
ID: 26318100
I've snipped out the section of the config and bolded the additions you need to add.  Explanations are below:
:trimmed
access-list outside_cryptomap_20 extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list dmz_nat0_outbound extended permit ip 12.12.12.0 255.255.255.240 2.2.2.0 255.255.252.0access-list DMZ_access_out extended permit tcp 2.2.2.0 255.255.252.0 host 12.12.12.12 eq telnetaccess-list DMZ_access_out extended deny ip 2.2.2.0 255.255.252.0 any:trimmednat-controlglobal (outside) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 10.10.10.0 255.255.255.0nat (inside) 0 0.0.0.0 0.0.0.0nat (dmz) 0 access-list dmz_nat0_outboundnat (dmz) 0 0.0.0.0 0.0.0.0access-group outside_access_in in interface outside
access-group DMZ_access_out out interface dmzroute outside 2.2.2.0 255.255.252.0 1.1.1.2 1route outside 0.0.0.0 0.0.0.0 1.1.1.2 1route dmz 12.12.12.0 255.255.255.240 11.11.11.12 1

Explanation:
You need to tie the access list to an interface for the filters to be applied to traffic on that interface.  The breakdown of the command is:
access-group <ACL_NAME> <Direction_of_Traffic> interface <interface>

Let me know if you need additional clarification.
0
 
LVL 21

Author Closing Comment

by:netcmh
ID: 31674714
Thank you for your help.
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question