ACL on the DMZ does not affect VPN Users.

Discussion in 'Cisco' started by Eddie, May 24, 2004.

  1. Eddie

    Hello.

    I am trying to set up an ACL so that select VPN clients (most of them) can
    only get to the DMZ and only to selected ports. This is with a bunch of PIX
    501s and a 515E. (Some 501s will have direct access to the internal network
    for work-at-home users, but I have not got that figured out yet.)

    I don't want to limit the VPN tunnel because I want full access to the
    VPN clients from the internal side of the network.

    My config for the 515 is below. Everything seems to match the access-list
    80 used to bring up the VPN connection and skips over access-list 70
    applied to the dmz port.

    Any pointers?
    Thanks,
    Eddie

    ###########################################################
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50

    hostname RSC
    domain-name example.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    names
    pager lines 24
    no logging on

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto


    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500

    ip address outside 200.200.200.215 255.255.255.0
    ip address inside 172.16.1.5 255.255.0.0
    ip address dmz 172.30.1.1 255.255.0.0


    arp timeout 14400

    :Store 201
    access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
    nat 0 access-list 80


    ::Needed so the clients on the VPN can talk to the servers on the DMZ
    static (dmz,outside) 172.30.0.0 172.30.0.0


    :#####################################################
    :ACL for DMZ systems
    :We will also need to give the DMZ limited internet access.

    :Limited Access from Stores
    access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 80
    access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 8080
    access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 22
    access-list 70 permit udp any 172.30.0.0 255.255.0.0 eq 53

    :Full Access from office
    access-list 70 permit ip 172.16.0.0 255.255.0.0 any

    :We do like to ping
    access-list 70 permit icmp any any echo-reply

    :Deny everything else
    access-list 70 deny ip any any

    :Lets try it
    access-group 70 in interface dmz
    :##################################################



    nat (inside) 1 0 0

    global (outside) 1 interface

    route outside 0.0.0.0 0.0.0.0 200.200.200.210

    no rip outside passive
    no rip outside default
    no rip inside passive
    no rip inside default
    no rip dmz passive
    no rip dmz default


    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-aes-256

    :Store201
    crypto map ToStore201 10 ipsec-isakmp
    crypto map ToStore201 10 match address 80
    crypto map ToStore201 10 set peer 200.200.200.201
    crypto map ToStore201 10 set transform-set strong
    crypto map ToStore201 interface outside

    isakmp enable outside
    isakmp key cisco1234 address 200.200.200.201 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption aes-256

    logg c 7
    logg on
     
    Eddie, May 24, 2004
    #1

  2. In article <>,
    Eddie <> wrote:
    :I am trying setup an ACL so that select VPN clients (most of them) can
    :only get to the DMZ and only to selected ports.

    :My config for the 515 is below. Everything seems to match the access-list
    :80 used to bring up the VPN connection and skips over access-list 70
    :applied to the dmz port.

    :access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
    :nat 0 access-list 80

    :crypto map ToStore201 10 match address 80

    Do not use the same access-list for both nat 0 and for crypto map.
    If your nat 0 list happens to have the same contents as your crypto
    map access-list, then use two different lists that have the same
    entries.

    The reason you need to do this is that the access-lists get altered
    internally to implement adaptive security, so your SAs get messed up.
    --
    Those were borogoves and the mome raths outgrabe completely mimsy.
     
    Walter Roberson, May 24, 2004
    #2

  3. Eddie

    Oh, OK. I got that example from Cisco's site. :)

    Do I want to put the ACL that controls access on the nat 0, then?

    Thanks
    Eddie
     
    Eddie, May 24, 2004
    #3
  4. Eddie

    After a bunch of searching, I found out I have to remove "sysopt connection
    permit-ipsec" for it to apply the ACL to the VPN interface.

    But now I get "No Translation group found" errors and nothing I put for a
    static line does anything.

    -oh joy

    Eddie, May 25, 2004
    #4
  5. In article <>,
    Eddie <> wrote:
    :After a bunch of searching, I found out I have to remove "sysopt connection
    :permit-ipsec" for it to apply the ACL to the VPN interface.

    :But now I get "No Translation group found" errors and nothing I put for a
    :static line does anything.

    :> nat (inside) 1 0 0

    :> global (outside) 1 interface

    I notice you don't have a nat (dmz), and you don't have a global (dmz).
    The nat (dmz) is needed to allow the dmz to talk to the outside unless
    everything in the dmz is static (dmz,outside) or nat (dmz) 0 access-list'd.
    The global (dmz) is needed to allow the inside to talk to the dmz unless
    everything on the inside is static (inside,dmz) or
    nat (inside) 0 access-list'd
    --
    Inevitably, someone will flame me about this .signature.
     
    Walter Roberson, May 25, 2004
    #5
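The three pitfalls raised in posts #2, #4 and #5 can be checked mechanically. The script below is an added example, not part of the thread or any Cisco tool; it runs over a constructed excerpt of Eddie's posted config and flags an ACL shared by nat 0 and a crypto map, the permit-ipsec bypass of interface ACLs, and a dmz interface with neither nat (dmz) nor global (dmz), deriving which interfaces need them from the nameif security levels.

```python
import re

# Constructed excerpt of the poster's config (not the live device), kept to
# the lines the three replies in this thread turn on.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
nat 0 access-list 80
static (dmz,outside) 172.30.0.0 172.30.0.0
access-group 70 in interface dmz
nat (inside) 1 0 0
global (outside) 1 interface
sysopt connection permit-ipsec
crypto map ToStore201 10 match address 80
"""


def check_pix_config(text):
    """Return a list of finding strings for the PIX 6.x pitfalls discussed above."""
    # PIX comment lines start with ':'; drop them along with blank lines.
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith(":")]
    findings = []
    # Post #2: one ACL referenced by both nat 0 and a crypto map match address.
    nat0 = {m.group(1) for l in lines if (m := re.match(r"nat (?:\(\w+\) )?0 access-list (\S+)", l))}
    crypto = {m.group(1) for l in lines if (m := re.match(r"crypto map \S+ \d+ match address (\S+)", l))}
    for acl in sorted(nat0 & crypto):
        findings.append(f"shared-acl: access-list {acl} is used by both nat 0 and a crypto map")
    # Post #4: with permit-ipsec set, decrypted IPsec traffic skips the interface ACLs.
    if "sysopt connection permit-ipsec" in lines and any(l.startswith("access-group ") for l in lines):
        findings.append("sysopt-bypass: permit-ipsec is set, so access-group ACLs never see VPN traffic")
    # Post #5: an interface needs nat (X) if a lower-security interface exists,
    # and global (X) if a higher-security one does (statics / nat 0 aside).
    levels = {m.group(1): int(m.group(2)) for l in lines if (m := re.match(r"nameif \S+ (\w+) security(\d+)", l))}
    nat_ifaces = {m.group(1) for l in lines if (m := re.match(r"nat \((\w+)\) [1-9]", l))}
    global_ifaces = {m.group(1) for l in lines if (m := re.match(r"global \((\w+)\) ", l))}
    for name, level in sorted(levels.items()):
        if any(other < level for other in levels.values()) and name not in nat_ifaces:
            findings.append(f"no-nat: nat ({name}) is missing; {name} hosts need a static or nat 0 entry to reach lower interfaces")
        if any(other > level for other in levels.values()) and name not in global_ifaces:
            findings.append(f"no-global: global ({name}) is missing; higher-security hosts cannot be translated into {name}")
    return findings


if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print(finding)
```

The nat/global check reproduces Walter's rule only at the interface level; it does not inspect whether every host is covered by a static or a nat 0 entry.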
  6. Eddie

    Thanks for the tip. I have not gotten to setting up PAT for the DMZ to
    outside yet. Everything else is static with nat 0 and access list.


    Eddie



     
    Eddie, May 26, 2004
    #6