[c-nsp] ASA VPN <-> DMZ

Josh Farrelly josh at base-2.co.nz
Thu Jun 7 18:14:43 EDT 2012


You should be able to use the VPN filter.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wpxref83949

"A vpn-filter command is applied to post-decrypted traffic after it
exits a tunnel and pre-encrypted traffic before it enters a tunnel. An
ACL that is used for a vpn-filter should NOT also be used for an
interface access-group. When a vpn-filter command is applied to a group
policy that governs Remote Access VPN client connections, the ACL should
be configured with the client assigned IP addresses in the src_ip
position of the ACL and the local network in the dest_ip position of the
ACL."

In essence, you need to configure the ACL inverse from what you think
(e.g. switch the src & dst entries). Also keep in mind it governs
traffic in both directions.

Regards,

Josh Farrelly
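Worked configuration for the approach Josh describes, added here as an example (not part of the thread and not Cisco's own sample): an L2L tunnel whose group-policy carries a vpn-filter ACL written with the remote subnet in the source position. All subnets, the peer address, and the ACL/policy names are placeholders; the ASA syntax follows the 8.4 guide the reply links. It assumes the ASA's ordinary connection tracking carries the return traffic of a connection the filter has permitted.

```cisco
! Added example, not from the thread. Placeholder addressing:
!   10.20.0.0/24   = remote L2L site, IPsec peer 203.0.113.1
!   192.168.1.0/24 = local inside
!   172.16.5.0/24  = local DMZ
! Goal from the original question: the remote site may open connections
! to DMZ services; DMZ hosts must not open connections to the remote site.

! Write every entry from the remote (tunnel) side: remote subnet as source,
! local network as destination, i.e. the "inverse" described in the reply.
access-list VPN-FILTER-L2L extended permit tcp 10.20.0.0 255.255.255.0 172.16.5.0 255.255.255.0 eq 443
access-list VPN-FILTER-L2L extended permit tcp 10.20.0.0 255.255.255.0 172.16.5.0 255.255.255.0 eq 22
! The crypto map still carries the inside subnet; one permit covers both
! directions for it, because the filter is evaluated with src/dst swapped
! for locally initiated traffic.
access-list VPN-FILTER-L2L extended permit ip 10.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! Implicit deny at the end of the ACL drops everything else the tunnel
! carries, including sessions the DMZ tries to initiate toward the remote site.

group-policy GP-L2L-SITEB internal
group-policy GP-L2L-SITEB attributes
 vpn-filter value VPN-FILTER-L2L

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-L2L-SITEB
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>

! Checks after the tunnel comes up:
!   show vpn-sessiondb detail l2l        (confirms which filter is attached)
!   show access-list VPN-FILTER-L2L      (hit counts per entry)
```

Two points worth checking in a lab before relying on this. The ACL used as a vpn-filter must not also be bound with access-group, as the quoted Cisco text says. And because one ACL is consulted for both directions with source and destination swapped, a permit on a DMZ destination port also matches DMZ-originated packets that use that port as their source port, so keep port entries as narrow as the service allows and watch the hit counts to confirm only the expected direction is matching.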


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: Friday, 8 June 2012 1:29 a.m.
To: cisco-nsp
Subject: [c-nsp] ASA VPN <-> DMZ

So, the set up is, ASA has inside and DMZ interface.  DMZ being the
lower security level than the inside interface for obvious reasons.
From the ASA, L2L IPSec tunnel to another location, where crypto map ACL
covers the subnet for inside and DMZ interface IP subnets.

As far as I know, this automatically lets the remote VPN site communicate
with Inside and DMZ hosts, and Inside/DMZ hosts can communicate with the
remote VPN site without any firewalling.

Is there any way to let the remote VPN site initiate traffic to the DMZ but
not let the DMZ initiate traffic to the remote VPN?  I know I can apply a
"VPN filter" to the L2L tunnel but that's not stateful inspection.

Thanks!
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


