aspaeth asked:

How to Restrict Site-to-Site VPN on ASA 5505

I've added a Site-to-Site VPN on our Cisco ASA 5505 running 8.2(5).  We're using only two interfaces/VLANs: outside & inside.  The ASA is on the Base License.

At the moment, any host on either private network can use the VPN to access any host on the other private network.

What's the best way to restrict the VPN so that only selected hosts on each network can use the VPN?  I know this'll involve an ACL and object-group, but am not sure which ACL this should be:

A) The ACL used with NAT 0 Exclusion to say which traffic should & shouldn't be NATed?

B) The ACL used with crypto map?

C) Both of the above?

D) As part of the incoming ACL on the outside interface?  (I wouldn't think this would help as we need to filter based on internal, private IP addresses - not based on the public IP address of the other endpoint of the VPN.)

E) As an ACL on the inside interface (incoming and/or outgoing)?  We don't currently have any ACLs on the inside interface.

F) As part of a group policy?  We currently only have the default group policy.


Also, would I need to use "no sysopt connection permit-vpn" so the VPN would pay attention to this ACL?
SOLUTION
asavener


ASKER

If I went with ACLs on the inside interface, would I want an ACL for inbound traffic, for outbound traffic, or for both?

(For what it's worth, the other side is a WatchGuard, not an ASA, that isn't under my control.)

OK, then you need an inside_interface_out access list and an inside_interface_in access list.

ASKER

Since we don't yet have any ACLs on the inside interface, I understand that we'll want ACEs for the outbound inside_interface_out ACL as follows:

1) ... permit ip object-group my_selected_hosts_over_VPN object-group selected_remote_hosts_over_VPN

2) ... deny ip object-group my_private_network object-group remote_private_network_over_VPN

Any other outbound traffic that doesn't match 1 or 2 is automatically permitted as the traffic is flowing from higher security to lower security.


What I'm not sure of is what the effects would be of putting an inbound inside_interface_in ACL on the inside interface.  

Would having this ACL block return traffic to inside hosts?  Would I need to have an ACE allowing traffic to any internal hosts already made publicly accessible via Static and the outside_interface_in ACL?  Or would I just need to do an inbound version of the above ending with a permit ip any any?

Actually, once you assign an access-list to an interface, all traffic that is not permitted by the list will be denied.

If you want all other traffic permitted, then you need to add a permit any any statement.
I haven't had to create many outbound access lists on ASAs, so I think you'll just need to test what works.

ASKER

Thanks very much.

A new complication is that the admin of the other side of the tunnel says he's been told by his firewall maker WatchGuard that the way to restrict the hosts that can send/receive over the VPN is to change the tunnel itself to support a host range rather than entire networks - not using an ACL on the inside interface as you've suggested.

WatchGuard warns that "any mismatches in the tunnel routes between the devices will cause the tunnel to fail" - that both devices need to have matching allowed hosts for the tunnel for it to work.

So unfortunately it sounds like I need to explore how to modify the tunnel itself rather than using ACLs on the inside interface as you'd suggested.

Modifying the crypto access-list (option B in my question) sounds the most straightforward - but presumably only restricts outbound traffic.

The other alternative I've found is using an access-list associated with a group policy that's associated with the tunnel group (option F in my question).  I've found a Cisco document on this method at www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Suggestions?
ASKER CERTIFIED SOLUTION

ASKER

It worked great to use the crypto ACL to restrict the tunnel to be just from certain local hosts to certain remote hosts (and thus vice versa).

I learned a number of limitations of the WatchGuard in the process - and that it and Cisco mean different things by the same words in some places and use different words for the same things in others.

For example, while the ASA 5505 can use object-groups consisting of any arbitrary list of host IP addresses in ACLs like the crypto map ACL, the WatchGuard could only do contiguous ranges of addresses for the VPN unless you wanted an entire LAN to entire LAN VPN.

Thanks asavener, you were a big help.
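For reference, the crypto-ACL approach (option B) that the asker reports worked, written out as an added configuration example that is not from the thread or from either vendor. It assumes an ASA 5505 on 8.2(5) with an existing crypto map entry OUTSIDE_MAP 10 for the WatchGuard peer; every address, object-group name, the transform-set name and the peer IP are constructed placeholders.

```cisco
! Added example, not the asker's configuration. Names and addresses are placeholders.

! Inside hosts allowed through the tunnel: the ASA side can be an arbitrary list.
object-group network LOCAL_VPN_HOSTS
 network-object host 10.1.1.10
 network-object host 10.1.1.11

! Remote hosts reachable through the tunnel. The thread notes the WatchGuard could
! only express a contiguous range, so the remote side is defined as one aligned
! block (192.168.50.20-.23) so both ends' tunnel definitions match exactly.
object-group network REMOTE_VPN_HOSTS
 network-object 192.168.50.20 255.255.255.252

! Crypto ACL: defines which traffic is encrypted. The ASA also drops decrypted
! packets that do not match the mirror image of this list, so the restriction
! applies to traffic arriving from the remote side as well, without any inside
! interface ACL and without changing the default sysopt connection permit-vpn.
access-list VPN_TRAFFIC extended permit ip object-group LOCAL_VPN_HOSTS object-group REMOTE_VPN_HOSTS

! NAT exemption (option A) must cover exactly the same pairs, otherwise the hosts'
! traffic is PATed to the outside address and never matches the crypto ACL.
access-list NONAT extended permit ip object-group LOCAL_VPN_HOSTS object-group REMOTE_VPN_HOSTS
nat (inside) 0 access-list NONAT

! Bind the crypto ACL to the existing crypto map entry for the WatchGuard peer.
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside

! Verify the expanded entries: each expanded line is one local/remote proxy-ID
! pair that the peer's tunnel route must mirror, or phase 2 will not come up.
show access-list VPN_TRAFFIC
```

After the change, `clear crypto ipsec sa` on the ASA (and re-keying on the WatchGuard) forces phase 2 to renegotiate with the new selectors rather than reusing the old network-to-network SAs.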