Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"


Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Michael Tewner-2

Hi all -

I'm using a Cisco ASA 5500 series appliance with ASDM 6.1.

As I understand it, by default, incoming packets from IPsec site-to-site VPN's are not checked by the standard interface ACL's -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from a specific remote host to a local host/LAN?

(2) I found that following checkbox in the "IPsec VPN Wizard" which might be a step in the right direction - "Enable inbound IPsec sessions to bypass interface access lists." 
     (a) Is this the proper setting?
     (b) I assume that this will send the incoming traffic through the "outside" interface? right?
     (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will this apply to my other VPN's?
     (d) What Cisco ASA/PIX command does this translate to
     (e) Is there a screen in the ASDM where I can enable this after-the-fact?

(3) Or, perhaps, I'm looking in completely the wrong place?

Thank you!!
-Mike


_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Farrukh Haroon

Hello Mike

You can do this using the vpn-filter command; the following are GUI and CLI links:

The second option you mention translates to the following CLI command:

sysopt connection permit-vpn

By default, with this command enabled, all VPN tunnels terminated ON the appliance itself are permitted and the interface ACL does not need to permit IKE, NAT-T (UDP 4500), ESP etc. If you disable it, then you need to specifically allow VPN traffic on the ACL.

Regards
Farrukh


Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Paul Melson-2

On Wed, May 13, 2009 at 7:31 AM, Michael Tewner <tewner@...> wrote:
> As I understand it, by default, incoming packets from IPsec site-to-site
> VPN's are not checked by the standard interface ACL's -
>
> (1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
> a specific remote host to a local host/LAN?

I don't believe this is default behavior, and it's certainly easy
enough to configure.  You can use the interface-bound access lists to
control VPN traffic.

> (2) I found that following checkbox in the "IPsec VPN Wizard" which might be
> a step in the right direction - "Enable inbound IPsec sessions to bypass
> interface access lists."
>      (a) Is this the proper setting?

Yes, this is just the ASDM/PDM checkbox for the 'sysopt connection
permit-ipsec' command.  If you unset that option in your config, IPSec
traffic will be subject to the same access lists that unencrypted
traffic is.

>      (b) I assume that this will send the incoming traffic through the
> "outside" interface? right?

Yes, the access-group that is configured for "in interface outside"
will affect traffic being decrypted by your firewall.  Similarly, the
access-group configured for "in interface inside" (if you do egress
filtering) will affect traffic being encrypted.

>      (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
> this apply to my other VPN's?

Yes, all of your IPSec tunnels, anyway.  I don't know for certain, but
I think SSL VPN connections are unaffected by this setting.

>      (d) What Cisco ASA/PIX command does this translate to

sysopt connection permit-ipsec

>      (e) Is there a screen in the ASDM where I can enable this
> after-the-fact?

No idea.  I've never been a fan of ASDM/PDM.


> (3) Or, perhaps, I'm looking in completely the wrong place?

I'd say you're right on track.

PaulM

Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Eric G-4

On the ASA, in ASDM there are connection profiles for each VPN tunnel
you set up. If you 'edit' the connection profile for the tunnel you're
trying to restrict, there's an "Advanced" dropdown. Under the advanced
dropdown, there's a "Tunnel group."

Under that tunnel group, there's a "Default Group Policy".

Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Eric G-4

Sorry, I accidentally sent that last email prematurely... Anyway, under
"Default Group Policy", if you click manage there should be a
"DfltGrpPolicy." You can create your own custom Group Policy for this
tunnel, and specify a filter for this group policy. The filter you
select is just an extended access list, and your "source" is the
remote network from your VPN peer, "destination" is your local
networks on your local ASA.

Here's the obligatory Cisco link that explains all this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

--
Eric
http://nixwizard.net
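As an added illustration (this is not configuration posted by anyone in the thread, nor taken from the Cisco link above), here is the ASA CLI form of what Eric describes: a per-tunnel group policy carrying a vpn-filter, so that one LAN-to-LAN tunnel is restricted to SSH from one remote host to one local host while "sysopt connection permit-vpn" stays in place for the other tunnels. Every name and address below is a placeholder I chose (RFC 5737 documentation ranges); substitute your own peer address, networks and ACL/policy names.

```cisco
! Added example, not from the thread or Cisco docs. All names and
! addresses are placeholders.

! 1. The filter is an ordinary extended ACL. For a site-to-site tunnel it is
!    written remote -> local: source = the peer's network, destination = the
!    local side. Only SSH from one remote host to one local host is allowed;
!    everything else arriving through this tunnel hits the implicit deny.
access-list VPNFILTER-SITEB extended permit tcp host 198.51.100.20 host 192.168.10.5 eq ssh

! 2. A dedicated group policy for this tunnel that references the filter,
!    so DfltGrpPolicy (and the other tunnels using it) is left untouched.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPNFILTER-SITEB

! 3. Attach the policy to this tunnel's connection profile. For an IPsec
!    LAN-to-LAN tunnel the tunnel-group is named after the peer address.
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-SITEB

! Checks: confirm the filter is bound to the policy, then watch the tunnel's
! session entry while testing SSH (allowed) and something else (dropped).
show running-config group-policy GP-SITEB
show vpn-sessiondb l2l
```

Two points worth knowing before rolling this out: the vpn-filter ACL is consulted for traffic in both directions of the tunnel, with the ASA applying the reverse of each entry to the outbound side, which is why the remote-as-source convention matters; and the filter is enforced independently of the sysopt setting, so a tunnel can be locked down this way one at a time, exactly the migration Mike describes below, without first moving everything to interface ACLs.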

Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

by Michael Tewner-2

Thanks Eric - That seems to be what I was missing.

By creating a new Group Policy, I can make this transition one tunnel at a time, instead of creating all the rules I *THINK* I'll need, moving to interface ACL's, and praying for the best....

Thank you Paul and Farrukh for your informative answers!


-Mike

