ibarrere
Cisco Inferno
Posts:
10283
Joined:
Mon Jul 10, 2006 12:58 am

Locking down vpn tunnels

Sat Sep 01, 2007 1:25 pm

Hello all,

I am still musing with the idea of using an asa5510 to terminate all our vpn connections instead of our 3005.

As I understand, the "sysopt connection permit-vpn" allows incoming vpn tunnels to bypass access lists. First of all, is this true? Second of all, is there a way to run vpn traffic through predefined access lists to be able to lock down vpn traffic according to standard access lists?

ibarrere
Cisco Inferno

Sun Sep 02, 2007 12:14 pm

According to chapter 21 of The Complete Cisco VPN Configuration Guide, the way to do what I am asking is to write manual access lists to permit ipsec/isakmp traffic.

Using this method, one must manually write access lists to permit all ports used by ipsec/isakmp components to allow this traffic into a firewall. This method makes it so packets are checked against access lists twice: once when coming in as ipsec traffic, and again once decrypted as plaintext packets. This allows one to match only desired traffic using the second, more stringent access list.

The alternative is using the "sysopt connection permit-vpn" command. This is also known as ACL bypassing, hence, you cannot restrict traffic further, since the access lists are written for you using this command.

Another method (usable only for 7.0 and higher) is using the "sysopt connection permit-vpn" command on an outside interface, and writing more restrictive access lists outgoing on an inside interface. This method enables one to allow all ipsec/isakmp traffic into the firewall while restricting where the traffic can go from there.

So I guess my best bet is to write access lists manually to lock down the tunnels to the utmost.
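As an added worked example (not from the thread or from the book), here is what the first method above, explicit access lists with ACL bypass turned off, looks like on an ASA 7.x terminating a LAN-to-LAN tunnel. All addresses, names and the pre-shared key are assumed: outside interface 203.0.113.1, peer 198.51.100.1, local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, and a single local server 10.1.1.5 that the peer may reach over HTTPS only.

```cisco
! Added example, not the poster's config. All addresses/names are assumed.
! ASA 7.x, L2L tunnel with "no sysopt connection permit-vpn" so the
! decrypted packets are checked against the outside interface ACL.

! --- Phase 1 / Phase 2 ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map ACL: only LAN-to-LAN traffic is eligible for the tunnel.
! Anything outside this range from the peer fails Phase 2 (proxy ID mismatch).
access-list L2L-PEER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map OUTSIDE-MAP 10 match address L2L-PEER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! NAT exemption for the tunnelled traffic
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! --- Step 1: turn off ACL bypass ---
no sysopt connection permit-vpn

! --- Step 2: outside ACL, the "checked twice" model from the book ---
! a) the encrypted side: IKE, NAT-T and ESP from the peer only.
!    On the ASA, IKE/ESP addressed to the firewall's own outside address is
!    accepted once ISAKMP is enabled on that interface and is not filtered
!    by the interface ACL, so these three lines mainly document intent.
access-list OUTSIDE-IN extended permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.1 host 203.0.113.1 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.1 host 203.0.113.1
! b) the plaintext side: after decryption the packet is re-checked with its
!    real source/destination. Only HTTPS to one server is allowed.
access-list OUTSIDE-IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.1.5 eq https
access-list OUTSIDE-IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
```

To confirm the lock-down is actually in effect, bring the tunnel up and watch the hit counts in `show access-list OUTSIDE-IN`: the HTTPS line should increment while the logged deny line catches anything else the peer tries; `show crypto ipsec sa` shows whether packets are being decrypted at all, which separates "tunnel is down" from "ACL is dropping it".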

steve_j
Post Whore
Posts:
1184
Joined:
Tue Aug 28, 2007 5:53 pm

Mon Sep 03, 2007 2:22 pm

How do you like that book? I bought the IPsec VPN Fundamentals to get a better understanding. It is good, glad I bought it. I have the Complete VPN book on my bookshelf at Safari, which has been helpful for quick answers.

On the ACL topic, would taking this task on with manually written ACLs be a pain for you?

Why use easy vpn? It seems a cinch to set up and admin, provided your s2s are managed by you.

ibarrere
Cisco Inferno

Mon Sep 03, 2007 2:45 pm

I love the book... Its sheer heft is pretty astonishing too. I don't think I could read through it cover to cover, but I can't tell you how many times it's helped me out of a tough situation. Literally any component of Cisco vpns is covered in detail in that book. Really good book to keep next to your desk.

The acl configuration really isn't bad either, you just have to add three access lists defining particular ipsec stuff and then several more defining what traffic you will allow. In my opinion, that's a small price to pay for the flexibility added. I deal with vpns between somewhat trusted peers quite a bit, and it's really nice to be able to secure tunnels with access lists like that. Depending on the implementation, using the "sysopt connection permit-vpn" command with outbound access lists on an internal interface would be nice too.

I don't use easy vpn for a few reasons, the most important of which is that my remote peers aren't managed by me, or even by my company. The second reason is that most of the time the remote peers aren't Cisco boxes.

steve_j
Post Whore

Mon Sep 03, 2007 5:45 pm

would you recommend it if you had say 15 plus sites that you managed with DIA t1's and broadband connections?

ibarrere
Cisco Inferno

Mon Sep 03, 2007 7:41 pm

Would I recommend what? Easy vpn or the access list configuration?

vivek283
CCIE #17621
Posts:
446
Joined:
Thu Oct 06, 2005 12:38 pm
Certs:
CCIE - Security, R&S. RHCE. CISSP

re

Tue Sep 04, 2007 5:28 am

Hi,

In the case of a remote access VPN on ASA, filters can be used instead of an interface ACL with "no sysopt conn permit-vpn". Using an interface ACL can be a nightmare since it will run into many ACEs as sites increase and requirements change.

In the case of a L2L VPN the crypto map ACL can be used to restrict what each site can access.

My 2 cents.

Regards,
Vivek
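As an added worked example of the two points in the post above (not Vivek's config, and not from the thread), here is a vpn-filter on an ASA 7.x for a remote-access group plus the same mechanism on a LAN-to-LAN peer. Names and addresses are assumed: an RA address pool 10.200.0.0/24, an internal server 10.1.1.5, a remote L2L LAN 10.2.0.0/16 behind peer 198.51.100.1, and a local LAN 10.1.0.0/16.

```cisco
! Added example, not from the thread. All names/addresses are assumed.
! vpn-filter restricts post-decryption traffic per group-policy, so the
! default ACL bypass can stay on and the outside interface ACL stays small.
sysopt connection permit-vpn

! A vpn-filter ACL is written with the REMOTE side as the source and the
! LOCAL network as the destination; the ASA applies the reverse for return
! traffic. Do not reuse a vpn-filter ACL as an interface access-group.

! --- Remote-access users: RDP and HTTPS to one server only ---
access-list RA-FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.1.5 eq 3389
access-list RA-FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.1.5 eq https
access-list RA-FILTER extended deny ip any any log

ip local pool RA-POOL 10.200.0.1-10.200.0.254

group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-filter value RA-FILTER

! "ipsec-ra" is the 7.x keyword; later releases spell it "remote-access"
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-USERS

! --- L2L peer: crypto map ACL decides what enters the tunnel at all ---
! (anything else from the peer fails Phase 2 as a proxy ID mismatch)
access-list L2L-PEER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-PEER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! ... and the vpn-filter narrows it to ports, attached via the tunnel-group
access-list PEER-FILTER extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.1.5 eq https
access-list PEER-FILTER extended deny ip any any log

group-policy PEER-POLICY internal
group-policy PEER-POLICY attributes
 vpn-filter value PEER-FILTER

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy PEER-POLICY
```

The split between the two ACLs is the useful part: the crypto map ACL is negotiated with the peer, so tightening it to a port level would have to be mirrored on the other end (and that end may not be yours), while the vpn-filter is local-only and can be changed without touching Phase 2.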

steve_j
Post Whore

Tue Sep 04, 2007 8:16 am

ibarrere wrote: Would I recommend what? Easy vpn or the access list configuration?

My fault it was dinner time when i sent the last message.

Easy VPN.

ibarrere
Cisco Inferno

Tue Sep 04, 2007 11:53 am

Thanks vivek, good input. I suppose you could lock down traffic to some extent using the crypto map acl since phase 2 would fail if the access lists were mismatched.

It depends on what you want, steve_j. If all those sites are cisco, you manage them all, and you want an easy solution, easy vpn is a good choice. However, I'm always a bit wary of things that do important things automatically, so I always like to do stuff by hand unless there is a compelling reason why I shouldn't.

ibarrere
Cisco Inferno

Tue Sep 04, 2007 8:41 pm

Heads-up: I have been doing some testing with the other method I mentioned (using outbound access list and sysopt command) to restrict some traffic on a lab network I have. The verdict is that the combination of the two doesn't seem to work.

According to the author of that book, it does work, but I'm not convinced. I had an access list blocking ssh traffic and allowing all other traffic applied outbound to an inside interface, but this access list did not work with the "sysopt connection permit-vpn" command. That command seems to bypass any and all access lists, including those that don't reside on the outside interface.

I just wanted to warn people in case they decide to go that route. I have found that the most flexible solution is simply writing explicit access lists for all traffic and removing the "sysopt connection permit-vpn" command.

Good luck
