Solved

ASA 5505 cisco client vpn acl

Posted on 2014-04-18
639 Views
Last Modified: 2014-05-01
I have a Cisco ASA 5505 which is configured to allow client VPN (IPsec) connections ... I need to lock down the VPNs to only allow connections from certain IP ranges ... I am not sure how to apply this requirement.
Question by:dmfcvi
 
LVL 5

Expert Comment

by:dinkytoy101
ID: 40011218
Apply an access-list to the interface on which the VPNs connect (e.g. outside). Something like the following, where the network objects are your permitted source addresses, VPN_Ports are the IPsec ports used (ESP/AH omitted because NAT is in use) and z.z.z.z is the address the VPN is listening on:

object-group network Allowed_Ranges
 network-object x.x.x.x 255.255.0.0
 network-object y.y.y.y 255.255.255.0

object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq 500

access-list VPN_Allowed extended permit object-group VPN_Ports object-group Allowed_Ranges host z.z.z.z
access-list VPN_Allowed extended deny object-group VPN_Ports any host z.z.z.z

access-group VPN_Allowed in interface <interface name>

Job done.
 

Author Comment

by:dmfcvi
ID: 40016574
VPN bypasses ACLs .... Is there a way to apply an access list to a VPN policy?
 
LVL 28

Expert Comment

by:asavener
ID: 40020459
no sysopt connection permit-vpn
 

Author Comment

by:dmfcvi
ID: 40028453
no sysopt connection permit-vpn
This forces all VPN traffic to be filtered through the ACL, but I need to stop UDP 500 traffic from being answered on the outside except from specified host IPs.

We are failing our PCI compliance testing because they see UDP port 500 open, which is for 2 site-to-site VPNs we have configured. I need to configure it so that only certain hosts are allowed. So from a port scan from any IP other than the allowed hosts, UDP 500 will show closed.

Maybe this makes more sense than my original question?
 
LVL 28

Expert Comment

by:asavener
ID: 40028677
Yes, I understand.

That's why I suggested that change.
 

Author Comment

by:dmfcvi
ID: 40028695
It didn't work .... it still tested as open after
no sysopt connection permit-vpn

When I do
show run sysopt

It shows me it is off ...

Pieces from the config - what am I missing?

object-group network VPN_Allowed_Ranges
 network-object x.x.x.x 255.255.255.0
 network-object y.y.y.y 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp

access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host y.y.y.y
access-list outside extended deny object-group VPN_Ports any host y.y.y.y

access-group outside in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key **********
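An added evaluator, written for this page and not part of the thread, that parses the object-groups, ACL, access-group and sysopt lines of a constructed config modelled on the fragment above and applies the ASA's first-match ACL logic with the implicit deny, so the intended effect of the posted ACL on a given source can be checked before an external test. The addresses are documentation-range placeholders; the rest of the thread shows the ASA still answered UDP 500 despite this ACL, so the result here is the intended policy, not evidence of what the box actually does.

```python
import ipaddress
# Constructed sample modelled on the ACL fragment posted in the thread (documentation-range placeholder addresses).
ASA_CONFIG = """\
object-group network VPN_Allowed_Ranges
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.7 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp
access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host 192.0.2.1
access-list outside extended deny object-group VPN_Ports any host 192.0.2.1
access-group outside in interface outside
no sysopt connection permit-vpn
"""

def parse(config):
    """Collect object-groups, extended ACL entries, interface bindings and the permit-vpn sysopt."""
    cfg, grp = {"nets": {}, "svcs": {}, "acls": {}, "bound": {}, "permit_vpn": True}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":             # start of a network or service group
            grp = cfg["nets" if t[1] == "network" else "svcs"].setdefault(t[2], [])
        elif t[0] == "network-object":         # "host a.b.c.d" or "a.b.c.d mask"
            grp.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "service-object":         # "udp eq 4500" / "udp eq isakmp" (ASA names well-known ports)
            grp.append((t[1], int({"isakmp": 500}.get(t[3], t[3]))))
        elif t[0] == "access-list" and t[2] == "extended":
            cfg["acls"].setdefault(t[1], []).append(t[3:])   # [action, operands...] kept in order
        elif t[0] == "access-group":           # "access-group NAME in interface IFACE"
            cfg["bound"][t[4]] = t[1]
        elif t[:4] == ["no", "sysopt", "connection", "permit-vpn"]:
            cfg["permit_vpn"] = False          # VPN traffic is no longer exempt from interface ACLs
    return cfg

def _operand(cfg, kind, tok):                  # one ACL operand -> (matchers, remaining tokens)
    if tok[0] == "object-group":
        return cfg["nets" if kind == "net" else "svcs"][tok[1]], tok[2:]
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    net = tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
    return [ipaddress.ip_network(net)], tok[2:]

def evaluate(cfg, iface, proto, src, dst, dport):
    """First-match walk of the ACL bound inbound on iface; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, *rest in cfg["acls"].get(cfg["bound"].get(iface), []):
        svcs, rest = _operand(cfg, "svc", rest)
        srcs, rest = _operand(cfg, "net", rest)
        dsts, rest = _operand(cfg, "net", rest)
        if any(p == proto and port == dport for p, port in svcs) and any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return "deny"
```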
 
LVL 28

Expert Comment

by:asavener
ID: 40028705
Try no sysopt connection permit-ipsec
 

Author Comment

by:dmfcvi
ID: 40028719
sysopt connection permit-ipsec
show run sysopt
no sysopt connection permit-vpn

still shows open
 
LVL 28

Expert Comment

by:asavener
ID: 40029261
You ran no sysopt connection permit-ipsec?
 

Author Comment

by:dmfcvi
ID: 40029274
Sorry - I did - my response back was typed wrong ....

ASA(config)# no sysopt connection ?

configure mode commands/options:
  permit-vpn          Exempt VPN traffic from access check
  preserve-vpn-flows  Preserve stateful VPN flows when the tunnel drops
  reclassify-vpn      Reclassify existing flows when VPN tunnels establish
  tcpmss              Set maximum TCP MSS limit, specify keyword minimum to
                      configure minimum TCP MSS limit. Defaults for maximum and
                      minimum limits are 1380 and 0 bytes respectively
  timewait            TCP connection undergoes TIMEWAIT state
 
LVL 28

Accepted Solution

by:asavener (earned 250 total points)
ID: 40030027
OK, I did some additional research.  I'd have sworn I did this for some of my customers, but apparently I've only done this on the IOS platform, not the ASA platform.

The only way to accomplish this is if you're able to filter UDP 500 using a device in front of the ASA.
 

Author Comment

by:dmfcvi
ID: 40030796
Somebody had told me there was a way inside of the VPN profile or policy and I can't remember which or how.