VPN landing on outside interface. How to ACL it and not let internet in.

Discussion in 'Cisco' started by Eddie, May 25, 2004.

  1. Eddie

    Eddie Guest

    From what I have been reading and trying while setting up my network (35+ PIX 501s
    VPNing into a 515), it seems like the VPNs come in on the "outside"
    interface.
    I need to have an ACL so that VPN users can only access select services on
    the DMZ, but how can I do this and stop someone on the internet from
    spoofing the IP to one that is permitted in an ACL and getting in?

    Thank you
    Eddie
     
    Eddie, May 25, 2004
    #1

  2. :From what I have been reading and trying to setup my network. (35+ PIX501
    :VPN into a 515) it seems like the VPNs comes in on the "outside"
    :interface.

    Yes, unless you are configuring a "management interface" which is
    strictly for controlling the PIX itself.

    :I need to have ACL so that VPN users can only access select services on
    :the DMZ, but how can I do this and stop someone on the internet from
    :spoofing the IP to one that is permitted in an ACL and getting in?

    - If you use private IP spaces, then if someone does forge a packet
    into that space, there is no way for responses to get back because
    your router is just going to drop the packets (you are RFC 1918
    compliant, right?). TCP is thus safe from this approach. UDP isn't, though.

    - Use private IP spaces and block those private spaces incoming
    at your router. The VPN traffic encapsulates the private IPs so the
    router doesn't know the packet is carrying the private IP and so will
    not block the VPN traffic. You then know that any traffic in those
    spaces that reaches your PIX was carried on the VPN (unless you made
    an error in your router filters.)

    - Instead of using IPSec, use EZVPN and have the 515 allocate the IP
    addresses, and use split-acl's so that as little traffic on those
    IPs as practical is directed to your PIX. Block the rest out at your
    outside ACL. I think the combination of Adaptive Security and EZVPN
    will open pinholes in your outside ACL as necessary for the allocated
    IPs, but I am not sure about that.
     
    Walter Roberson, May 25, 2004
    #2

  3. You could use split tunnelling and different groups.
    How do you mean?
    You can enable anti-spoofing:
    ip verify reverse-path interface outside
    But the internet users will never pop into a tunnel!
    Or maybe you do not use "sysopt connection permit-ipsec"?
    And the VPN users' IPs are hopefully private IPs.


    wkr,
    Martin Bilgrav
     
    Martin Bilgrav, May 25, 2004
    #3
  4. Eddie

    Eddie Guest

    Here is my problem. The DMZ is 172.30.0.0/16 and the VPN is
    172.20.201.0/8, 172.20.202.0/8, 172.20.203.0/8 and on up to some 35+
    connections. (A bunch of PIX 501s and a 515.)


    I don't want to trust anything that comes from a VPN. The VPN hosts
    (small subnets with a PIX 501) only need proxy access to a server on the
    DMZ. (However, I do need access from some systems on the inside to the hosts on
    the VPN with unlimited access so I can fix problems, upload patches, poll
    data, etc., so I don't want to limit this by restricting the VPN tunnel.)

    This is from memory since I left it at work.

    access-list 101 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
    access-list 101 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
    access-list 101 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
    access-list 101 deny ip any 172.30.0.0 255.255.0.0
    access-list 101 deny ip any any :for logging
    access-group 101 in interface outside

    This is the only way I have found to limit access. It works, but it opens up a
    hole, maybe a small one, but still a hole, so that anyone can craft a
    packet with a src in 172.20.0.0/16 and a dst in 172.30.0.0/16 and pass a packet
    to the proxy server.

    How would I set this up as a split-acl?

    The EZVPN is nice, but does not offer the fine ACL control I am looking
    for.

    Thank you
    Eddie
     
    Eddie, May 26, 2004
    #4
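To make the hole Eddie describes in ACL 101 above concrete, and to show what the two counter-measures from the earlier replies do with it (the router-side RFC 1918 ingress filter Walter suggests in #2, and the "ip verify reverse-path" and "sysopt connection permit-ipsec" points Martin raises in #3), here is an added Python model of the filtering path. It is example code written for this page, not the thread's own configuration or Cisco code. The thread supplies only 172.20.0.0/16, 172.30.0.0/16 and the ACL itself; the routing table, the 10.1.0.0/16 inside network, the 203.0.113.7 internet source and the sample hosts are constructed for the example. The PIX behaviours modelled are first-match ACL evaluation with an implicit deny, uRPF as "source must route back out the arrival interface", and permit-ipsec as "decrypted tunnel traffic bypasses the interface ACL".

```python
# Added example (not from the thread): model of the border router and the PIX
# outside interface for Eddie's setup, to show that ACL 101's permit lines also
# match a forged cleartext packet from the internet, that uRPF does not catch a
# forged source that routes back out the outside interface, and that an RFC 1918
# ingress filter on the border router does close the gap (a tunnelled packet shows
# the router only the peer's public outer header, not the inner 172.20.x source).
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("172.30.0.0/16")
VPN_SPACE = ipaddress.ip_network("172.20.0.0/16")   # covers all 172.20.x.0/24 peers
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Eddie's access-list 101, in order; first match wins: (action, proto, src, dst, dport).
ACL_101 = [
    ("permit", "tcp", VPN_SPACE, DMZ, 80),
    ("permit", "tcp", VPN_SPACE, DMZ, 8080),
    ("permit", "udp", VPN_SPACE, DMZ, 53),
    ("deny", "ip", ANY, DMZ, None),
    ("deny", "ip", ANY, ANY, None),
]

# Constructed PIX routing table: (prefix, egress interface). The remote VPN
# networks are reached through the outside interface, as is the default route.
ROUTES = [
    (DMZ, "dmz"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),   # constructed inside network
    (ANY, "outside"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    decrypted: bool = False   # True when the PIX unwrapped it from an IPsec tunnel


def acl_lookup(acl, pkt) -> str:
    """First-match evaluation of a PIX access-list, implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def egress_interface(addr) -> str:
    """Longest-prefix match over ROUTES."""
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def urpf_ok(pkt, ingress="outside") -> bool:
    """'ip verify reverse-path interface outside': the source address must
    route back out the interface the packet arrived on."""
    return egress_interface(ipaddress.ip_address(pkt.src)) == ingress


def border_router_ingress(pkt) -> str:
    """Walter's suggestion: the router in front of the PIX drops cleartext
    internet packets with a private-space source. Tunnelled traffic is still
    encapsulated at the router, so the inner source is not visible there."""
    if pkt.decrypted:
        return "permit"
    return "deny" if any(ipaddress.ip_address(pkt.src) in n for n in RFC1918) else "permit"


def outside_verdict(pkt, urpf=False, router_filter=False, permit_ipsec=False) -> str:
    """Whole path: border router, then the PIX outside interface (uRPF, then
    either the permit-ipsec bypass for decrypted traffic or ACL 101 inbound)."""
    if router_filter and border_router_ingress(pkt) == "deny":
        return "deny"
    if urpf and not urpf_ok(pkt):
        return "deny"
    if permit_ipsec and pkt.decrypted:
        return "permit"     # sysopt connection permit-ipsec: ACL 101 is never consulted
    return acl_lookup(ACL_101, pkt)


# Constructed traffic: a genuine VPN client, the same headers forged in cleartext
# from the internet, a forged DMZ-space source, a VPN client to a port the ACL
# does not permit, and a plain internet host.
GENUINE = Packet("172.20.201.10", "172.30.1.5", "tcp", 80, decrypted=True)
FORGED_VPN = Packet("172.20.201.10", "172.30.1.5", "tcp", 80)
FORGED_DMZ = Packet("172.30.9.9", "172.30.1.5", "tcp", 80)
GENUINE_SSH = Packet("172.20.201.10", "172.30.1.5", "tcp", 22, decrypted=True)
INTERNET = Packet("203.0.113.7", "172.30.1.5", "tcp", 80)

if __name__ == "__main__":
    cases = [("genuine", GENUINE), ("forged-vpn", FORGED_VPN), ("forged-dmz", FORGED_DMZ),
             ("genuine-ssh", GENUINE_SSH), ("internet", INTERNET)]
    for name, p in cases:
        print(f"{name:12} acl-only={outside_verdict(p):6} +urpf={outside_verdict(p, urpf=True):6} "
              f"+router-filter={outside_verdict(p, router_filter=True):6} "
              f"+permit-ipsec={outside_verdict(p, permit_ipsec=True)}")
```

Running it shows the three points in one table: the forged 172.20.201.10 packet gets the same "permit" as the genuine tunnel client from ACL 101 alone and from uRPF (its source routes back out the outside interface, so the reverse-path check is satisfied), while the border router's RFC 1918 filter drops it and still passes the tunnel. The permit-ipsec column shows the flip side Martin alludes to: with that sysopt enabled, the decrypted SSH packet is permitted even though ACL 101 would deny it, so Eddie's ACL only restricts VPN users because that bypass is not in use.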
  5. :Here is my problem. The DMZ is 172.30.0.0/16 and the VPN is
    :172.20.201.0/8, 172.20.202.0/8, 172.20.203.0/8 and on up to some 35+
    :connections. (bunch of PIC 501 and a 515)

    That is a problem. 172.20.201.0/8 is the same as 172.0.0.0/8
    which overlaps with 172.30.0.0/16 . All your VPN connections and your
    DMZ share the same subnet.
     
    Walter Roberson, May 28, 2004
    #5
  6. Eddie

    Eddie Guest

    Sorry, my bad. That is a typo. 172.20.201.0/24 is the correct address for
    the VPNs.

    Thanks
    Eddie
     
    Eddie, May 28, 2004
    #6