Solved

ASA 5505 cisco client vpn acl

Posted on 2014-04-18
633 Views
Last Modified: 2014-05-01
I have a Cisco ASA 5505 which is configured to allow client VPN (IPsec) connections ... I need to lock down the VPNs to only allow connections from certain IP ranges ... I am not sure how to apply this requirement.
12 Comments
 
LVL 5

Expert Comment

by:dinkytoy101
ID: 40011218
Apply an access-list to the interface on which the VPNs connect (e.g. outside). Something like the following, where the network objects are your permitted source addresses, VPN_Ports are the IPsec ports used (omitted ESP/AH due to NAT being used) and z.z.z.z is where the VPN is listening:

object-group network Allowed_Ranges
network-object x.x.x.x 255.255.0.0
network-object y.y.y.y 255.255.255.0

object-group service VPN_Ports
service-object udp eq 4500
service-object udp eq 500

access-list VPN_Allowed extended permit object-group VPN_Ports object-group Allowed_Ranges host z.z.z.z
access-list VPN_Allowed extended deny object-group VPN_Ports any host z.z.z.z

access-group VPN_Allowed in interface <interface name>

Job done.
0
 

Author Comment

by:dmfcvi
ID: 40016574
VPN bypasses ACLs .... Is there a way to apply an access list to a VPN policy?
0
 
LVL 28

Expert Comment

by:asavener
ID: 40020459
no sysopt connection permit-vpn
0
 

Author Comment

by:dmfcvi
ID: 40028453
no sysopt connection permit-vpn  
This forces all VPN traffic to be filtered through the ACL, but I need to be able to stop UDP 500 traffic from being responded to from the outside except from specified host IPs.

We are failing our PCI compliance testing because they see UDP port 500 open - which is for 2 site-to-site VPNs we have configured. I need to configure it so that only certain hosts are allowed. So from a port scan from any IP other than the allowed hosts, UDP 500 will show closed.

Maybe this makes more sense than my original question?
0
 
LVL 28

Expert Comment

by:asavener
ID: 40028677
Yes, I understand.

That's why I suggested that change.
0
 

Author Comment

by:dmfcvi
ID: 40028695
It didn't work .... it still tested as open after
no sysopt connection permit-vpn

When I do
show run sysopt

It shows me it is off ...

Pieces from the config - what am I missing?

object-group network VPN_Allowed_Ranges
 network-object x.x.x.x 255.255.255.0
 network-object y.y.y.y 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp

access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host y.y.y.y
access-list outside extended deny object-group VPN_Ports any host y.y.y.y

access-group outside in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key **********
0
 
LVL 28

Expert Comment

by:asavener
ID: 40028705
Try no sysopt connection permit-ipsec
0
 

Author Comment

by:dmfcvi
ID: 40028719
sysopt connection permit-ipsec
show run sysopt
no sysopt connection permit-vpn

still shows open
0
 
LVL 28

Expert Comment

by:asavener
ID: 40029261
You ran no sysopt connection permit-ipsec?
0
 

Author Comment

by:dmfcvi
ID: 40029274
Sorry - I did - my response back was typed wrong ....

ASA(config)# no sysopt connection ?

configure mode commands/options:
  permit-vpn          Exempt VPN traffic from access check
  preserve-vpn-flows  Preserve stateful VPN flows when the tunnel drops
  reclassify-vpn      Reclassify existing flows when VPN tunnels establish
  tcpmss              Set maximum TCP MSS limit, specify keyword minimum to
                      configure minimum TCP MSS limit. Defaults for maximum and
                      minimum limits are 1380 and 0 bytes respectively
  timewait            TCP connection undergoes TIMEWAIT state
0
 
LVL 28

Accepted Solution

by:asavener earned 250 total points
ID: 40030027
OK, I did some additional research.  I'd have sworn I did this for some of my customers, but apparently I've only done this on the IOS platform, not the ASA platform.

The only way to accomplish this is if you're able to filter UDP 500 using a device in front of the ASA.
0
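The accepted answer (filter UDP 500 on a device in front of the ASA) and the PCI finding earlier in the thread (UDP 500 answering any scanner) as an added worked example, not code from the thread or from Cisco: a small Python model of an upstream packet filter that lets only the configured site-to-site peers reach the ASA's IKE (udp/500), NAT-T (udp/4500) and ESP listeners, drops those probes from everyone else, and passes all other traffic through to the ASA unchanged. It evaluates constructed probe packets against the policy and renders the same policy as nftables rule lines. The addresses (RFC 5737 documentation ranges), the peer list and the `Rule`, `evaluate`, `to_nftables` and `check_exposure` names are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges), not
# values taken from the thread. ASA_OUTSIDE is the ASA outside interface
# address that the IKE listener answers on; PEERS are the site-to-site peers.
ASA_OUTSIDE = ip_address("203.0.113.10")
PEERS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.77/32")]


@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    proto: str                               # "udp", "esp" or "any"
    dport: Optional[int] = None              # None = any destination port
    src: Optional[List[IPv4Network]] = None  # None = any source address
    dst: Optional[IPv4Address] = None        # None = any destination address

    def matches(self, src, dst, proto, dport):
        """True if every field set on this rule matches the packet."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        if self.src is not None and not any(src in net for net in self.src):
            return False
        return True


def build_rules(peers, asa_outside):
    """Upstream policy, first match wins: listed peers may reach IKE, NAT-T
    and ESP on the ASA; anyone else probing those is dropped; everything
    else passes through so the ASA still enforces its own interface ACLs."""
    return [
        Rule("accept", "udp", 500, peers, asa_outside),   # IKE / isakmp
        Rule("accept", "udp", 4500, peers, asa_outside),  # NAT-T
        Rule("accept", "esp", None, peers, asa_outside),  # ESP (no NAT)
        Rule("drop", "udp", 500, None, asa_outside),      # unlisted: no IKE
        Rule("drop", "udp", 4500, None, asa_outside),
        Rule("drop", "esp", None, None, asa_outside),
        Rule("accept", "any"),                            # non-VPN traffic
    ]


def evaluate(rules, src, dst, proto, dport=None):
    """Return the action of the first matching rule; default-deny otherwise."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


def to_nftables(rules):
    """Render the policy as nftables rule lines for a Linux box in front of the ASA."""
    lines = []
    for rule in rules:
        parts = []
        if rule.src is not None:
            parts.append("ip saddr { " + ", ".join(str(n) for n in rule.src) + " }")
        if rule.dst is not None:
            parts.append(f"ip daddr {rule.dst}")
        if rule.proto == "udp":
            parts.append(f"udp dport {rule.dport}" if rule.dport is not None else "ip protocol udp")
        elif rule.proto == "esp":
            parts.append("ip protocol esp")
        parts.append(rule.action)
        lines.append(" ".join(parts))
    return lines


def check_exposure(rules):
    """Verdicts for constructed probes: a listed peer, an unlisted scanner,
    and ordinary non-VPN traffic that must still reach the ASA."""
    peer = ip_address("198.51.100.7")     # constructed: inside PEERS
    scanner = ip_address("192.0.2.200")   # constructed: not in PEERS
    return {
        "peer_ike": evaluate(rules, peer, ASA_OUTSIDE, "udp", 500),
        "peer_natt": evaluate(rules, peer, ASA_OUTSIDE, "udp", 4500),
        "peer_esp": evaluate(rules, peer, ASA_OUTSIDE, "esp"),
        "scanner_ike": evaluate(rules, scanner, ASA_OUTSIDE, "udp", 500),
        "scanner_natt": evaluate(rules, scanner, ASA_OUTSIDE, "udp", 4500),
        "scanner_esp": evaluate(rules, scanner, ASA_OUTSIDE, "esp"),
        "scanner_https": evaluate(rules, scanner, ASA_OUTSIDE, "tcp", 443),
    }


if __name__ == "__main__":
    policy = build_rules(PEERS, ASA_OUTSIDE)
    for line in to_nftables(policy):
        print(line)
    for probe, verdict in check_exposure(policy).items():
        print(f"{probe:14s} -> {verdict}")
```

The rendered lines belong in a forward-hook filter chain (`type filter hook forward`) on the upstream router, since that box forwards traffic to the ASA rather than terminating it. With `drop`, an unlisted scanner gets no reply and reports UDP 500 as filtered; an nft `reject` would answer with ICMP port-unreachable and report it closed. Either way the "open" finding disappears. The ESP and udp/4500 accepts matter as much as the udp/500 one: if the upstream filter only admits IKE, the tunnels negotiate and then pass no traffic.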
 

Author Comment

by:dmfcvi
ID: 40030796
Somebody had told me there was a way inside of the VPN profile or policy and I can't remember which or how.
0
