From: Brent Schultz (brent@mail.happens.com)
Date: Thu Feb 06 2003 - 22:51:21 GMT-3
Ahh, VPN clients. I was talking about LAN-to-LAN VPN.
I assume that what you're after is something like this:
-When the user bob connects with the VPN client, he can access host_A for telnet access only.
-When the user jane connects with the VPN client, she can access only host_B for ftp access only.
-When the user admin connects with the VPN client, he can access host_A for telnet, host_B for ftp and host_C for http.
Host_A 10.1.1.10
Host_B 10.1.1.11
Host_C 10.1.1.12
RADIUS server 10.1.1.100
The way that I deal with this is to use an individual access-list for each user access level (i.e. three access lists, where one allows only access to host_A for telnet, one allows only access to host_B for ftp, and one allows access to host_A for telnet, host_B for ftp, and host_C for http). Then apply the permission levels to the users using a RADIUS server and the RADIUS filter-id attribute.
Here is what a possible config would look like:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside (any existing commands, none needed for ipsec when using the sysopt connection permit-ipsec command)
access-list vpn-user permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn-user-telnetonly permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.10 eq 23
access-list vpn-user-ftponly permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.11 range 20 21
access-list vpn-user-admin permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.10 eq 23
access-list vpn-user-admin permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.11 range 20 21
access-list vpn-user-admin permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.12 eq 80
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpn-client 192.168.1.1-192.168.1.254
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
access-group outside in interface outside
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.100 secret timeout 20
sysopt connection permit-ipsec
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
crypto dynamic-map vpn-dynmap 10 set transform-set vpn-set
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dynmap
crypto map vpn-map client authentication RADIUS
crypto map vpn-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 300
vpngroup vpngroup address-pool vpn-client
vpngroup vpngroup split-tunnel vpn-user
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password xx
Then on the RADIUS server set the filter-id for bob to vpn-user-telnetonly, for jane to vpn-user-ftponly, and for admin to vpn-user-admin.
In this example I show using the sysopt connection permit-ipsec command; you can do it either way (if you didn't want to use it, you would want to add an entry to the outside access-list to allow ip traffic from the vpn client pool to the LAN).
In this example and the previous one non-encrypted traffic is still not being allowed in; so either has maintained the security on the inside network.
Hopefully you can see how the access lists are being applied (when the RADIUS server returns the filter-id to the PIX, the matching access-list is applied to that user session).
-Brent
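As an added illustration (not from the original post, and not the PIX's own ACL logic): a small Python checker that parses the three per-user access-lists and the filter-id mapping described above and reports whether a given user session's flow would be permitted. It assumes the per-user ACLs are written with the VPN client pool (192.168.1.0/24) as the source address, which is an assumption rather than something the message states.

```python
import ipaddress

# Constructed sample: the three per-user ACLs from the config above, written with
# the VPN client pool (192.168.1.0/24) as the source (an assumption), plus the
# RADIUS filter-id mapping the message describes.
PIX_ACLS = """
access-list vpn-user-telnetonly permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 23
access-list vpn-user-ftponly permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.11 range 20 21
access-list vpn-user-admin permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 23
access-list vpn-user-admin permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.11 range 20 21
access-list vpn-user-admin permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.12 eq 80
"""
FILTER_ID = {"bob": "vpn-user-telnetonly", "jane": "vpn-user-ftponly", "admin": "vpn-user-admin"}

def _net(tokens, i):
    """Read one PIX address spec (host X | any | net mask) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acls(text):
    """Parse PIX-style ACEs into {name: [(action, proto, src, dst, lo_port, hi_port)]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        name, action, proto = t[1], t[2], t[3]
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        lo, hi = 0, 65535                      # no port clause: any port
        if i < len(t) and t[i] == "eq":
            lo = hi = int(t[i + 1])
        elif i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        acls.setdefault(name, []).append((action, proto, src, dst, lo, hi))
    return acls

def allowed(acls, user, src_ip, dst_ip, proto, dport):
    """First matching ACE in the user's filter-id ACL decides; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, lo, hi in acls.get(FILTER_ID.get(user, ""), []):
        if p in (proto, "ip") and s in src and d in dst and lo <= dport <= hi:
            return action == "permit"
    return False

if __name__ == "__main__":
    acls = parse_acls(PIX_ACLS)
    for user, dst, port in [("bob", "10.1.1.10", 23), ("bob", "10.1.1.11", 21), ("jane", "10.1.1.12", 80)]:
        print(user, dst, port, "permit" if allowed(acls, user, "192.168.1.5", dst, "tcp", port) else "deny")
```

Flows that match no entry in the user's ACL fall through to the implicit deny, which is what keeps bob away from host_B and host_C.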
---------- Original Message ----------------------------------
From: "Stong, Ian C [GMG]" <Ian.C.Stong@mail.sprint.com>
Date: Thu, 6 Feb 2003 14:33:22 -0600
>Yes the lists are pretty simple. My thoughts were more along the lines of
>the following scenario.
>
>Typically the vpn clients are dialing in or on networks where dhcp is used.
>As such the source IP is typically unknown ahead of time. So the typical
>setup would either be to use no sysop connection permit IPSEC or to use
>acl's that permit any host but only to specific hosts and ports internally.
>
>Assuming you agree - where do you apply to acl's in the config (i.e. how
>referenced)? Also this doesn't open up the network to the public per se but
>rather just limits more specifically the IPSEC traffic that is passing
>through the PIX - correct?
>
>
>Thanks,
>
>Ian
>
>
>-----Original Message-----
>From: Brent Schultz [mailto:brent@mail.happens.com]
>Sent: Thursday, February 06, 2003 2:59 PM
>To: ccielab@groupstudy.com
>Subject: RE: No Sysop connection permit IPSEC
>
>
>Ian-
>
>For this example, say that we want to allow the following over the vpn:
>-allow ICMP traffic to and from LAN_A to and from LAN_B
>-only host_A to be able to telnet to host_B and no other traffic originating
>from LAN_A destined for any host on LAN_B
>-any host on LAN_B to be able to ftp to host_A and no other traffic
>originating from LAN_B destined for any host on LAN_A
>
>
>host_A ---LAN_A---PIX_A---internet---PIX_B---host_B---LAN_B
>
>LAN_A 10.1.1.0/24
>host_A 10.1.1.10
>
>LAN_B 192.168.1.0/24
>host_B 192.168.1.10
>
>PIX_A access-lists:
>access-list outside permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
>access-list outside permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 range 20 21
>access-list outside ... (any existing)
>access-list vpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
>access-list no-nat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
>
>PIX_B access-lists:
>access-list outside permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
>access-list outside permit tcp host 10.1.1.10 host 192.168.1.10 eq 23
>access-list outside ... (any existing)
>access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
>access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
>
>
>It really is pretty easy.
>
>-Brent
>
>---------- Original Message ----------------------------------
>From: "Stong, Ian C [GMG]" <Ian.C.Stong@mail.sprint.com>
>Date: Thu, 6 Feb 2003 12:48:33 -0600
>
>>I'd be interested as well as I would prefer to lock down the inbound IPSEC
>>connections to specific ports and hosts if possible.
>>
>>Thanks
>>
>>-----Original Message-----
>>From: Brent Schultz [mailto:brent@mail.happens.com]
>>Sent: Thursday, February 06, 2003 1:20 PM
>>To: Ccielab group study
>>Subject: Re: No Sysop connection permit IPSEC
>>
>>
>>Josh-
>>
>>I am successfully doing this on several installs (mainly PIX to checkpoint,
>>but I do have a couple of PIX to PIX).
>>I have not had any real issues (other than changing how I was thinking
>>about/approaching the configs).
>>If you would like to look at a working config or have any specific
>>questions, I would be happy to help.
>>
>>-Brent
>>
>>---------- Original Message ----------------------------------
>>From: "Perrymon, Josh L." <PerrymonJ@bek.com>
>>Reply-To: "Perrymon, Josh L." <PerrymonJ@bek.com>
>>Date: Thu, 6 Feb 2003 10:59:35 -0600
>>
>>>Question,
>>>
>>>The command " Sysop Connection Permit IPSEC"
>>>allows all IPSEC traffic to come inbound the firewall and bypass ACL's .
>>>It relies on the crypto map to verify encryption domains.
>>>
>>>I would like to remove the sysop connection permit IPSEC so I can control
>>>access to ports on certain servers.
>>>
>>>I know it will work- BUT, is anyone else doing this... And what has your
>>>experience been with this.
>>>I know that the crypto maps know to allow IPSEC ports but then I have to
>>>allow IP traffic.
>>>
>>>
>>>Any Ideas.. Or thoughts...
>>>
>>>Joshua Perrymon
>>>Network Security Consultant
>>>BE&K Information Security Dept.
>>>2000 International Park Drive
>>>Birmingham, Al 35243
>>>Voice ( 205 ) 972-6745
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:14 GMT-3