[c-nsp] ASA VPN <-> DMZ

Vinny Abello vinny at abellohome.net
Fri Jun 8 09:52:44 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alternately, you can also change the default behavior of the ASA by issuing:

no sysopt connection permit-vpn

This will cause all traffic from VPN tunnels to be subject to the access-lists on the ingress interface. Note that Cisco recommends using the vpn-filter method. But again, it's bidirectional, so it's kind of a one-off thing in the behavior of access-lists in the ASA. Making tunnels subject to the interface access-list seems to be more consistent in my mind, but again it's not the Cisco recommended configuration.

- -Vinny

On 6/7/2012 6:14 PM, Josh Farrelly wrote:
> You should be able to use the VPN filter.
> 
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wpxref83949
> 
> "A vpn-filter command is applied to post-decrypted traffic after it
> exits a tunnel and pre-encrypted traffic before it enters a tunnel. An
> ACL that is used for a vpn-filter should NOT also be used for an
> interface access-group. When a vpn-filter command is applied to a group
> policy that governs Remote Access VPN client connections, the ACL should
> be configured with the client assigned IP addresses in the src_ip
> position of the ACL and the local network in the dest_ip position of the
> ACL."
> 
> In essence, you need to configure the ACL inversely from what you might
> think (i.e. swap the src & dst entries). Also keep in mind it governs
> traffic in both directions.
> 
> Regards,
> 
> Josh Farrelly
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Friday, 8 June 2012 1:29 a.m.
> To: cisco-nsp
> Subject: [c-nsp] ASA VPN <-> DMZ
> 
> So, the setup is: the ASA has an inside and a DMZ interface, the DMZ
> being the lower security level than the inside interface for obvious
> reasons. From the ASA, an L2L IPSec tunnel goes to another location,
> where the crypto map ACL covers the inside and DMZ interface IP subnets.
> 
> As far as I know, this automatically lets the remote VPN site communicate
> with inside and DMZ hosts, and inside/DMZ hosts can communicate with the
> remote VPN site without any firewalling.
> 
> Is there any way to let the remote VPN site initiate traffic to the DMZ
> but not let the DMZ initiate traffic to the remote VPN?  I know I can
> apply a "VPN filter" to the L2L tunnel, but that's not stateful inspection.
> 
> Thanks!
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk/SA6wACgkQUyX7ywEAl3o8QgCfXCpRz2Ff1ELZOOFMh62jMWGa
e9gAn2yChSzus3DgHscW2EpqKz6W9y10
=d888
-----END PGP SIGNATURE-----
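To make the two approaches in the thread concrete, here is an added configuration sketch that is not from any of the posters. Addresses (inside 10.10.0.0/24, DMZ 10.20.0.0/24, remote LAN 192.168.50.0/24, peer 203.0.113.10), the interface nameif "dmz", and the ACL and group-policy names are all constructed for illustration; the L2L tunnel itself (crypto map, IKE, tunnel-group peer) is assumed to be configured already. Option A follows the vpn-filter guidance Josh quoted; Option B is Vinny's `no sysopt connection permit-vpn` variant. Use one or the other, not both.

```cisco
! Added example, not from the thread. Addresses, names and nameif "dmz" are
! constructed; the L2L tunnel to 203.0.113.10 is assumed to exist already.
!
! Goal: the remote LAN may open HTTPS to DMZ hosts; the DMZ must not
!       initiate anything toward the remote LAN.
!
! ---- Option A: vpn-filter on the L2L group policy (Cisco-recommended) ----
! Per the quoted doc, tunnel-side (remote) addresses go in the source
! position and local addresses in the destination position, and the same
! ACL governs both directions. Do not reuse it as an interface access-group.
access-list VPNF-REMOTE-SITE remark remote LAN -> DMZ web servers only
access-list VPNF-REMOTE-SITE extended permit tcp 192.168.50.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-list VPNF-REMOTE-SITE extended deny ip any any log
!
group-policy GP-REMOTE-SITE internal
group-policy GP-REMOTE-SITE attributes
 vpn-filter value VPNF-REMOTE-SITE
!
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-REMOTE-SITE
!
! ---- Option B: subject tunnel traffic to the interface ACLs instead ----
! With the default "sysopt connection permit-vpn" removed, decrypted traffic
! is checked against the inbound ACL of the interface it arrives on (outside),
! and the ASA's normal connection table handles the return traffic.
no sysopt connection permit-vpn
!
access-list OUTSIDE-IN remark decrypted traffic from the remote site
access-list OUTSIDE-IN extended permit tcp 192.168.50.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
!
! DMZ hosts may not start sessions into the tunnel; replies to sessions the
! remote site opened are still matched by their existing connection entries.
access-list DMZ-IN remark block DMZ-initiated traffic toward the remote LAN
access-list DMZ-IN extended deny ip 10.20.0.0 255.255.255.0 192.168.50.0 255.255.255.0 log
access-list DMZ-IN extended permit ip 10.20.0.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
```

In Option A the vpn-filter is the only check on tunnel traffic (the interface ACLs are bypassed by the default sysopt), so the same ACE is what the ASA consults for packets leaving toward the remote site, which is the bidirectional behaviour the thread warns about. In Option B the direction question is answered the way it is for any other interface: the outside ACL admits what the remote site may start, the DMZ ACL denies what the DMZ may start, and established connections carry their own return traffic. The `log` keywords on the deny entries are there so that blocked DMZ-initiated attempts show up in syslog rather than disappearing silently.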