VPN landing on outside interface. How to ACL it and not let internet in.

From what I have been reading and trying to setup my network. (35+ PIX501
VPN into a 515) it seems like the VPNs comes in on the "outside"
interface.
I need to have ACL so that VPN users can only access select services on
the DMZ, but how can I do this and stop someone on the internet from
spoofing the IP to one that is permitted in an ACL and getting in?

Thank you
Eddie

 

:From what I have been reading and trying to setup my network. (35+ PIX501
:VPN into a 515) it seems like the VPNs comes in on the "outside"
:interface.

Yes, unless you are configuring a "management interface" which is
strictly for controlling the PIX itself.

:I need to have ACL so that VPN users can only access select services on
:the DMZ, but how can I do this and stop someone on the internet from
:spoofing the IP to one that is permitted in an ACL and getting in?

- If you use private IP spaces, then if someone does forge a packet
into that space, there is no way for responses to get back because
your router is just going to drop the packets (you are RFC 1918
compliant, right?). TCP is thus safe from this approach. UDP isn't, though.

- Use private IP spaces and block those private spaces incoming
at your router. The VPN traffic encapsulates the private IPs so the
router doesn't know the packet is carrying the private IP and so will
not block the VPN traffic. You then know that any traffic in those
spaces that reaches your PIX was carried on the VPN (unless you made
an error in your router filters.)

- Instead of using IPSec, use EZVPN and have the 515 allocate the IP
addresses, and use split-acl's so that as little traffic on those
IPs as practical is directed to your PIX. Block the rest out at your
outside ACL. I think the combination of Adaptive Security and EZVPN
will open pinholes in your outside ACL as necessary for the allocated
IPs, but I am not sure about that.

 

you could use tunnel split and differnet groups.

How do you mean ?
you can enable antispoofing:
ip verify reverse-path interface outside
But the internet users will never pop into a tunnel !
or maybe you do not use :sysopt connection permit-ipsec ??
and the VPN users IP are hopefully private IPs.


wkr,
Martin Bilgrav

 

Here is my problem. The DMZ is 172.30.0.0/16 and the VPN is
172.20.201.0/8, 172.20.202.0/8, 172.20.203.0/8 and on up to some 35+
connections. (bunch of PIC 501 and a 515)


I don't want to trust anything that comes from a VPN. The VPN hosts
(small subnets with a PIX 501) only need proxy access to a server on the
DMZ.(however, I do need access from some systems(on the inside) to access the hosts on
the VPN with unlimited access so I can fix problems, upload patches, poll
data, etc. So I don't want to limit this by restricting the VPN tunnel)

This is from memory since I left it at work.

access-list 101 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
access-list 101 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
access-list 101 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
access-list 101 deny ip any 172.30.0.0 255.255.0.0
access-list 101 deny ip any any :for logging
access-group 101 in interface outside

This is the only way I have found to limit access, it works, but it opens up a
hole, maybe a small one, but still a hole so that anyone can craft a
packet with a src 172.20.0.0/16 and dst 172.30.0.0/16 and pass a packet
to the proxy server.

How would I set this up as a split-acl?

The EZVPN is nice, but does not offer the fine ACL control I am looking
for.

Thank you
Eddie

 

:Here is my problem. The DMZ is 172.30.0.0/16 and the VPN is
:172.20.201.0/8, 172.20.202.0/8, 172.20.203.0/8 and on up to some 35+
:connections. (bunch of PIC 501 and a 515)

That is a problem. 172.20.201.0/8 is the same as 172.0.0.0/8
which overlaps with 172.30.0.0/16 . All your VPN connections and your
DMZ share the same subnet.

 

Sorry, my bad. That is a typo. 172.20.201.0/24 is the correct address for
the VPNs.

Thanks
Eddie