Hi all,
First some background for my question:
I have recently set up a VPN tunnel between a Cisco PIX 506E (VPN server) and remote clients. The remote clients use Cisco VPN Client software version 4.8. Everything seems to work fine. But as it is configured right now the remote clients have full access to the private network (they can log on to servers and so on). I want the remote clients only to have access to a specific application. Only one type of traffic is supposed to flow from the VPN server to the clients (for security reasons).
On the Cisco PIX there's also a site-to-site VPN tunnel set up. I have understood that the command sysopt connection permit-ipsec permits IPSec traffic to pass through the PIX firewall without a check of access-list command statements. I guess this site-to-site tunnel needs this command.
So finally, the question:
Is it possible to just permit one type of traffic (protocol) to flow between the VPN server and the remote Cisco clients?
Regards,
Daniel
Asked: November 15, 2006 5:28 AM
Updated: May 17, 2011 7:57 AM
You might have to include a config file from the PIX 506E.
Usually everything is denied until allowed with an access-list.
Hi,
Thanks for your help! But I didn’t get things to work. I tried to restrict the access-list outside_cryptomap_dyn_20, without any result. There must be something that I don’t see. Maybe you can take a look at my configuration for the VPN connection.
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10full
|
|
|
access-list Romevpn permit ip any x.x.x.x 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.14.0 255.255.255.0
access-list Paris-vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
|
|
ip local pool vpnpool 192.168.14.20-192.168.14.99
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set hpvpn esp-aes-192 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address Romevpn
crypto map vpn 10 set peer Rome
crypto map vpn 10 set transform-set hpvpn
crypto map vpn 40 ipsec-isakmp
crypto map vpn 40 match address Paris-vpn
crypto map vpn 40 set peer Paris
crypto map vpn 40 set transform-set hpvpn
crypto map vpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address Paris netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Rome netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-192
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 28000
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 86400
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server HPAD1 x.x.x.x
vpngroup vpnclients wins-server HPAD1
vpngroup vpnclients default-domain x.local
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password ********
|
|
end
Well, I’d better continue working on this issue.
Thanks again!
/Daniel
Daniel:
You may want to look at the example at this link:
http://www.gorlani.com/portal/topic.asp?TOPIC_ID=86&FORUM_ID=19&CAT_ID=1&Forum_Title=My+blog&Topic_Title=Cisco+PIX+VPN+filtering
Another possibility is if your server has a built-in firewall or if you have an internal router with access lists. You can limit what the VPN address pool can do.
rt
It may be possible to achieve most of what you want by another method.
If the reason for the restriction is the type of user using the VPN link, rather than the fact that they are using the link, place the VPN users in a separate group and restrict access via AD.
Hi,
It seems that you can’t create a crypto map ACL with layer 4 restrictions (tcp) in the Cisco PIX. So maybe the AD can solve this issue. Another thought: I have a Cisco Catalyst 2950 (with EA1) on the outside of the PIX where I could possibly create an ACL…
I could skip the command sysopt connection permit-ipsec in the PIX and just create a new ACL for all of the VPN connections. But I’d rather not do this, because then I would have to re-configure the site-to-site VPNs, and they are working really well and have no restrictions.
The struggle goes on…
Thanks for the AD tip!
/Daniel
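The interface-ACL approach Daniel mentions in his last post (removing sysopt connection permit-ipsec so that decrypted tunnel traffic is checked against the outside interface's access-list, with the site-to-site LANs listed explicitly so they keep their unrestricted access), as an added example that is not from this thread. It assumes the vpnpool subnet and the x.x.x.x site-to-site LAN placeholder from Daniel's posted config, a constructed application server 192.168.10.5 listening on TCP 8080, and that no access-group is already applied to the outside interface.

```cisco
! Added example for PIX 6.3, not from the thread. Constructed values:
! app server 192.168.10.5 / tcp 8080. x.x.x.x stands for a site-to-site
! remote LAN as in Daniel's config; 192.168.14.0/24 is his vpnpool.
!
! 1. Stop decrypted IPsec traffic from bypassing interface access-lists.
no sysopt connection permit-ipsec
!
! 2. Site-to-site LANs keep full access, but must now be listed
!    explicitly (one line per remote LAN, e.g. Rome and Paris).
access-list outside_in permit ip x.x.x.x 255.255.255.0 any
!
! 3. Remote-access clients: only the one application protocol.
!    Entries are matched top-down, first match wins, so the permit
!    must precede the deny. If the clients need the DNS/WINS server
!    pushed by the vpngroup, add a permit for it here as well.
access-list outside_in permit tcp 192.168.14.0 255.255.255.0 host 192.168.10.5 eq 8080
!    Explicit, logged deny for everything else from the client pool so
!    blocked attempts are visible in syslog (ACL logging is a 6.3 feature).
access-list outside_in deny ip 192.168.14.0 255.255.255.0 any log
!
! 4. Apply to the outside interface. Everything not permitted above,
!    including other inbound Internet traffic, is now dropped, so any
!    existing inbound permits (statics, published services) must be
!    merged into this same list before it is applied.
access-group outside_in in interface outside
```

ISAKMP and ESP addressed to the PIX itself are still accepted by isakmp enable outside; the ACL only governs the decrypted traffic passing through the firewall.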