
ASA 5505 cisco client vpn acl

I have a Cisco ASA 5505 which is configured to allow client VPN (IPsec) connections ... I need to lock down the VPNs to only allow connections from certain IP ranges ... I am not sure how to apply this requirement.
Asked by: dmfcvi
1 Solution
 
dinkytoy101 commented:
Apply an access-list to the interface on which the VPNs connect (e.g. outside). Something like the following where the network objects are your permitted source addresses, and VPN_Ports are the IPSec ports used (omitted ESP/AH due to NAT being used) and where z.z.z.z is where the VPN is listening:

object-group network Allowed_Ranges
 network-object x.x.x.x 255.255.0.0
 network-object y.y.y.y 255.255.255.0

object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq 500

access-list VPN_Allowed remark IKE (UDP 500) and NAT-T (UDP 4500) only from the permitted source ranges
access-list VPN_Allowed extended permit object-group VPN_Ports object-group Allowed_Ranges host z.z.z.z
access-list VPN_Allowed extended deny object-group VPN_Ports any host z.z.z.z
access-list VPN_Allowed remark implicit deny follows; add permits for any other inbound traffic here

access-group VPN_Allowed in interface <interface name>

Job done.
 
dmfcvi (Author) commented:
VPN bypasses ACLs .... Is there a way to apply an access list to a VPN policy?
 
asavener commented:
no sysopt connection permit-vpn
 
dmfcvi (Author) commented:
no sysopt connection permit-vpn
This forces all VPN traffic to be filtered through the ACL, but I need to be able to stop UDP 500 traffic from being responded to from the outside, except from specified host IPs.

We are failing our PCI compliance testing because they see UDP port 500 open, which is for 2 site-to-site VPNs we have configured. I need to configure it so that only certain hosts are allowed. So from a portscan from any IP other than the allowed hosts, UDP 500 will show closed.

Maybe this makes more sense than my original question?
 
asavener commented:
Yes, I understand.

That's why I suggested that change.
 
dmfcvi (Author) commented:
It didn't work .... it still tested as open after
no sysopt connection permit-vpn

When I do
show run sysopt

It shows me it is off ...

pieces from the config  -  what am I missing?

object-group network VPN_Allowed_Ranges
 network-object x.x.x.x 255.255.255.0
 network-object y.y.y.y 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp

access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host y.y.y.y
access-list outside extended deny object-group VPN_Ports any host y.y.y.y

access-group outside in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key **********
 
asavener commented:
Try no sysopt connection permit-ipsec
 
dmfcvi (Author) commented:
sysopt connection permit-ipsec
show run sysopt
no sysopt connection permit-vpn

still shows open
 
asavener commented:
You ran no sysopt connection permit-ipsec?
 
dmfcvi (Author) commented:
Sorry - I did - my response back was typed wrong ....

ASA(config)# no sysopt connection ?

configure mode commands/options:
  permit-vpn          Exempt VPN traffic from access check
  preserve-vpn-flows  Preserve stateful VPN flows when the tunnel drops
  reclassify-vpn      Reclassify existing flows when VPN tunnels establish
  tcpmss              Set maximum TCP MSS limit, specify keyword minimum to
                      configure minimum TCP MSS limit. Defaults for maximum and
                      minimum limits are 1380 and 0 bytes respectively
  timewait            TCP connection undergoes TIMEWAIT state
 
asavener commented:
OK, I did some additional research.  I'd have sworn I did this for some of my customers, but apparently I've only done this on the IOS platform, not the ASA platform.

The only way to accomplish this is if you're able to filter UDP 500 using a device in front of the ASA.
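The thread above never reaches a working configuration, so the following is an added example (not from any poster here) of why the posted ACL had no effect and how the same intent is expressed as a control-plane ACL. An ACL bound with "access-group NAME in interface outside" filters traffic passing through the ASA; IKE on UDP 500/4500 is addressed to the ASA's own outside interface (to-the-box traffic), which interface ACLs do not inspect. "sysopt connection permit-vpn" is unrelated to this: it only decides whether decrypted tunnel traffic skips the interface ACL. To-the-box traffic is filtered with the control-plane keyword on access-group. Assumptions: an ASA release on which access-group accepts the control-plane keyword (it is documented for 9.x releases; check with "access-group OUTSIDE_CP in interface outside ?" before relying on it), x.x.x.x and y.y.y.y as the permitted peers (placeholders, as in the thread) and a.a.a.a as the ASA's outside interface address (a placeholder not on the page). The ACL name OUTSIDE_CP is also assumed.

```cisco
object-group network VPN_Allowed_Ranges
 network-object x.x.x.x 255.255.255.0
 network-object host y.y.y.y

access-list OUTSIDE_CP remark IKE (UDP 500) and NAT-T (UDP 4500) to the ASA itself only from permitted peers
access-list OUTSIDE_CP extended permit udp object-group VPN_Allowed_Ranges host a.a.a.a eq isakmp
access-list OUTSIDE_CP extended permit udp object-group VPN_Allowed_Ranges host a.a.a.a eq 4500
access-list OUTSIDE_CP remark everyone else gets no IKE response, so a scan from other sources sees UDP 500 closed
access-list OUTSIDE_CP extended deny udp any host a.a.a.a eq isakmp
access-list OUTSIDE_CP extended deny udp any host a.a.a.a eq 4500
access-list OUTSIDE_CP remark leave all other to-the-box traffic (management, ESP if NAT-T is not used) as it was
access-list OUTSIDE_CP extended permit ip any any

access-group OUTSIDE_CP in interface outside control-plane
```

After applying it, "show access-list OUTSIDE_CP" shows per-line hit counts, so a test from a non-permitted source should increment the deny lines while the permitted peers keep hitting the permit lines and their tunnels stay up. The trailing permit ip any any is deliberate: without it, other to-the-box traffic on that interface (for example management sessions, or raw ESP when peers do not use NAT-T) would be dropped along with the unwanted IKE.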
 
dmfcvi (Author) commented:
Somebody had told me there was a way inside of the VPN profile or policy and I can't remember which or how.