Solved

ASA 5505 cisco client vpn acl

Posted on 2014-04-18
Last Modified: 2014-05-01
I have a Cisco ASA 5505 which is configured to allow client VPN (IPsec) connections ... I need to lock down the VPNs to only allow connections from certain IP ranges ... I am not sure how to apply this requirement.
Question by:dmfcvi
12 Comments
 
LVL 5

Expert Comment

by:dinkytoy101
Apply an access-list to the interface on which the VPNs connect (e.g. outside). Something like the following where the network objects are your permitted source addresses, and VPN_Ports are the IPSec ports used (omitted ESP/AH due to NAT being used) and where z.z.z.z is where the VPN is listening:

object-group network Allowed_Ranges
 network-object x.x.x.x 255.255.0.0
 network-object y.y.y.y 255.255.255.0

object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq 500

! ASA syntax puts the ACL name before the "extended" keyword
access-list VPN_Allowed extended permit object-group VPN_Ports object-group Allowed_Ranges host z.z.z.z
access-list VPN_Allowed extended deny object-group VPN_Ports any host z.z.z.z

! bind the ACL inbound on the interface the VPN peers arrive on
access-group VPN_Allowed in interface <interface name>

Job done.
 

Author Comment

by:dmfcvi
VPN bypasses ACLs .... Is there a way to apply an Access List to a VPN policy
 
LVL 28

Expert Comment

by:asavener
no sysopt connection permit-vpn
 

Author Comment

by:dmfcvi
no sysopt connection permit-vpn  
This forces all VPN traffic to be filtered through the ACL, but I need to be able to stop UDP 500 traffic from being responded to on the outside except from specified host IPs.

We are failing our PCI compliance testing because they see UDP port 500 open - which is for 2 site-to-site VPNs we have configured.  I need to configure it so that only certain hosts are allowed.   So from a port scan from any IP other than the allowed hosts, UDP 500 will show as closed.

Maybe this makes more sense than my original question?
 
LVL 28

Expert Comment

by:asavener
Yes, I understand.

That's why I suggested that change.
 

Author Comment

by:dmfcvi
It didn't work ....  it still tested as open after
no sysopt connection permit-vpn

When I do
show run sysopt

It shows me it is off ...

Pieces from the config  -  what am I missing?

object-group network VPN_Allowed_Ranges
 network-object x.x.x.x 255.255.255.0
 network-object y.y.y.y 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp

access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host y.y.y.y
access-list outside extended deny object-group VPN_Ports any host y.y.y.y

access-group outside in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key **********
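An added example, not code from the thread or from Cisco: it parses object-groups and an ACL written in the same form as the config above and evaluates a packet against the ACL with the ASA's first-match semantics, so you can confirm what the ACL itself would permit before testing on the box. The addresses are constructed RFC 5737 values in place of the poster's x/y/z placeholders, and only the ACE shapes used in the thread are handled (a service object-group in the protocol slot; any, host or object-group addresses).

```python
import ipaddress
# Constructed sample in the thread's form; RFC 5737 documentation addresses stand in for x/y/z.
ASA_CONFIG = """\
object-group network VPN_Allowed_Ranges
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.7 255.255.255.255
object-group service VPN_Ports
 service-object udp eq 4500
 service-object udp eq isakmp
access-list outside extended permit object-group VPN_Ports object-group VPN_Allowed_Ranges host 203.0.113.1
access-list outside extended deny object-group VPN_Ports any host 203.0.113.1
"""
PORT_NAMES = {"isakmp": 500}  # the ASA shows well-known ports by name

def parse_config(text):
    """Collect network groups, service groups and ACL entries; other lines are ignored."""
    nets, svcs, acls, group = {}, {}, {}, None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[:2] == ["object-group", "network"]:
            group = nets[words[2]] = []
        elif words[:2] == ["object-group", "service"]:
            group = svcs[words[2]] = []
        elif words[0] == "network-object":  # ASA writes a mask, not a prefix length
            group.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[0] == "service-object":  # "udp eq isakmp" -> ("udp", 500)
            group.append((words[1], int(PORT_NAMES.get(words[3], words[3]))))
        elif words[0] == "access-list":     # keep the tokens after "<name> extended"
            acls.setdefault(words[1], []).append(words[3:])
    return nets, svcs, acls

def _take_addr(tokens, nets):  # any | host A | object-group G  ->  (remaining tokens, matcher)
    if tokens[0] == "any":
        return tokens[1:], lambda ip: True
    if tokens[0] == "host":
        host = ipaddress.ip_address(tokens[1])
        return tokens[2:], lambda ip: ip == host
    members = nets[tokens[1]]
    return tokens[2:], lambda ip: any(ip in n for n in members)

def acl_decision(acl_name, nets, svcs, acls, src, dst, proto, dport):
    """First-match evaluation of one ACL; no match falls through to the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls[acl_name]:
        action, rest = ace[0], ace[1:]
        services, rest = svcs[rest[1]], rest[2:]  # assumes a service object-group in the protocol slot
        rest, src_ok = _take_addr(rest, nets)
        rest, dst_ok = _take_addr(rest, nets)
        if any(p == proto and port == dport for p, port in services) and src_ok(src) and dst_ok(dst):
            return action
    return "deny"
```

This models only the ACL's own logic; whether the ASA consults that ACL for IKE packets addressed to its own outside interface is a separate question, and the thread's testing found the port still answered after the ACL was applied.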
 
LVL 28

Expert Comment

by:asavener
Try no sysopt connection permit-ipsec
 

Author Comment

by:dmfcvi
sysopt connection permit-ipsec
show run sysopt
no sysopt connection permit-vpn

still shows open
 
LVL 28

Expert Comment

by:asavener
You ran no sysopt connection permit-ipsec?
 

Author Comment

by:dmfcvi
Sorry - I did - my response back was typed wrong ....

ASA(config)# no sysopt connection ?

configure mode commands/options:
  permit-vpn          Exempt VPN traffic from access check
  preserve-vpn-flows  Preserve stateful VPN flows when the tunnel drops
  reclassify-vpn      Reclassify existing flows when VPN tunnels establish
  tcpmss              Set maximum TCP MSS limit, specify keyword minimum to
                      configure minimum TCP MSS limit. Defaults for maximum and
                      minimum limits are 1380 and 0 bytes respectively
  timewait            TCP connection undergoes TIMEWAIT state
 
LVL 28

Accepted Solution

by:
asavener earned 250 total points
OK, I did some additional research.  I'd have sworn I did this for some of my customers, but apparently I've only done this on the IOS platform, not the ASA platform.

The only way to accomplish this is if you're able to filter UDP 500 using a device in front of the ASA.
 

Author Comment

by:dmfcvi
Somebody had told me there was a way inside of the VPN profile or policy, and I can't remember which or how.