You are right, I had created an access-list permitting only a single IP and
then applied it on the outside interface, but the ASA still accepts any remote VPN
initiation from any IP:
This is the access-list
" access-list FOR-OUTSIDE extended permit udp host x.x.x.25 any eq isakmp"
It should be applied to the traffic destined to the firewall itself, not the
traffic passing through the firewall.
So I will try your method....
Best Regards,
==============================
Mahmoud Nossair
Network Engineer
-----Original Message-----
From: Tyson Scott [mailto:tscott_at_ipexpert.com]
Sent: Tuesday, December 14, 2010 2:01 AM
To: 'Sadiq Yakasai'; 'Ryan West'
Cc: 'karim jamali'; 'Mahmoud Nossair'; 'Cisco certification'
Subject: RE: ASA Easy VPN access problem
Based on your first requirements of only registered IPs then you only need
to allow ESP (IP protocol 50) and UDP 500. Applying this control to an ACL
is correct BUT you have to use a control-plane ACL. Filtering using the ACL
applied to the outside interface doesn't block traffic directed to the ASA
for VPN termination.
So the following would be a configuration example:
object-group network ALLOWED_CLIENTS
network-object [host] <allowed source>
!
access-list CONTROL_VPN_ENDPOINTS permit esp object-group ALLOWED_CLIENTS
host <ASA_Address>
access-list CONTROL_VPN_ENDPOINTS deny esp any any
access-list CONTROL_VPN_ENDPOINTS permit udp object-group ALLOWED_CLIENTS
host <ASA_Address> eq 500
access-list CONTROL_VPN_ENDPOINTS deny udp any any eq 500
!
access-group CONTROL_VPN_ENDPOINTS in interface outside control-plane
This is a lot of overhead but is not unrealistic of your manager to request.
This does help to prevent a DDOS against the ASA to quench resources, so
depending on the sensitivity of the organization this may make sense
(Although I will say I am glad I am not the administrator of this policy).
So it is a little rash to say he needs to teach his Manager something when,
again dependent on the sensitivity of the organization, his manager does
have some merit in his requirement.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
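The model below is an added illustration for the two ACLs quoted in this thread (Mahmoud's FOR-OUTSIDE list on the outside interface and Tyson's CONTROL_VPN_ENDPOINTS list applied with `control-plane`); it is not Cisco code and not anyone's production configuration. It parses a small subset of ASA ACL syntax and applies the distinction Tyson describes: traffic addressed to the ASA itself bypasses the interface ACL and is only filtered by a control-plane ACL, while through-the-box traffic never touches the control-plane ACL. The `<ASA_Address>` and `<allowed source>` placeholders are filled with constructed RFC 5737 documentation addresses, `x.x.x.25` is taken to be 192.0.2.25, and the first-match, implicit-deny semantics at the end of both lists are this model's assumption.

```python
"""Model of how a Cisco ASA applies an interface ACL versus a control-plane ACL.

Added illustration for the thread above, not Cisco code. Addresses are
constructed RFC 5737 documentation values; the ACL text is the thread's own,
with placeholders filled in. The parser covers only host / any / object-group /
'network mask' address forms and an optional 'eq PORT' on the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NAMED_PORTS = {"isakmp": 500}                 # ASA accepts well-known names in 'eq'

ASA_OUTSIDE = "198.51.100.1"                  # constructed stand-in for <ASA_Address>
ALLOWED_SOURCE = "192.0.2.25"                 # constructed stand-in for <allowed source> / x.x.x.25
UNREGISTERED_SOURCE = "203.0.113.99"          # constructed: a host that is not on the allow list

OBJECT_GROUPS = {
    "ALLOWED_CLIENTS": [ipaddress.ip_network(ALLOWED_SOURCE + "/32")],
}

# Mahmoud's list, applied with 'access-group FOR-OUTSIDE in interface outside'
FOR_OUTSIDE = [
    f"access-list FOR-OUTSIDE extended permit udp host {ALLOWED_SOURCE} any eq isakmp",
]

# Tyson's list, applied with '... in interface outside control-plane'
CONTROL_VPN_ENDPOINTS = [
    f"access-list CONTROL_VPN_ENDPOINTS permit esp object-group ALLOWED_CLIENTS host {ASA_OUTSIDE}",
    "access-list CONTROL_VPN_ENDPOINTS deny esp any any",
    f"access-list CONTROL_VPN_ENDPOINTS permit udp object-group ALLOWED_CLIENTS host {ASA_OUTSIDE} eq 500",
    "access-list CONTROL_VPN_ENDPOINTS deny udp any any eq 500",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp", "esp", "ah", ...
    dport: Optional[int] = None     # None for protocols without ports (ESP/AH)


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int] = None     # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if not any(s in n for n in self.src) or not any(d in n for n in self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def _take_addr(tokens):
    """Consume one ASA address specification from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return OBJECT_GROUPS[tokens.pop(0)]
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}")]   # 'network mask' form


def parse_acl(lines):
    aces = []
    for line in lines:
        tokens = line.split()
        assert tokens[0] == "access-list"
        tokens = tokens[2:]                  # drop 'access-list NAME'
        if tokens[0] == "extended":
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        dport = None
        if tokens and tokens[0] == "eq":
            dport = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(acl, pkt):
    """First matching entry wins; the list ends in an implicit deny (model assumption)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def asa_inbound(pkt, iface_acl=None, cp_acl=None, asa_addr=ASA_OUTSIDE):
    """Fate of a packet arriving on 'outside'. To-the-box traffic (e.g. IKE for VPN
    termination) is checked only against the control-plane ACL and is accepted when
    none is configured; through-the-box traffic is checked only against the
    interface ACL (and dropped when the outside interface has none)."""
    if pkt.dst == asa_addr:
        return evaluate(cp_acl, pkt) if cp_acl is not None else "permit"
    return evaluate(iface_acl, pkt) if iface_acl is not None else "deny"


def scenarios():
    iface, cp = parse_acl(FOR_OUTSIDE), parse_acl(CONTROL_VPN_ENDPOINTS)
    ike_registered = Packet(ALLOWED_SOURCE, ASA_OUTSIDE, "udp", 500)
    ike_unregistered = Packet(UNREGISTERED_SOURCE, ASA_OUTSIDE, "udp", 500)
    esp_unregistered = Packet(UNREGISTERED_SOURCE, ASA_OUTSIDE, "esp")
    natt_registered = Packet(ALLOWED_SOURCE, ASA_OUTSIDE, "udp", 4500)   # client behind NAT (Ryan's point)
    through = Packet(ALLOWED_SOURCE, "10.0.0.5", "udp", 500)             # not addressed to the ASA
    return {
        "iface_acl_only/unregistered_ike": asa_inbound(ike_unregistered, iface_acl=iface),  # what Mahmoud saw
        "control_plane/registered_ike": asa_inbound(ike_registered, cp_acl=cp),
        "control_plane/unregistered_ike": asa_inbound(ike_unregistered, cp_acl=cp),
        "control_plane/unregistered_esp": asa_inbound(esp_unregistered, cp_acl=cp),
        "control_plane/registered_nat_t": asa_inbound(natt_registered, cp_acl=cp),
        "through_traffic/registered": asa_inbound(through, iface_acl=iface, cp_acl=cp),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} {verdict}")
```

The `registered_nat_t` case is the caveat Ryan raises: Tyson's list permits only ESP and UDP/500, so under implicit deny a registered client behind a NAT device (NAT-T on UDP/4500) would be dropped until a matching permit entry is added.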
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, December 13, 2010 12:34 PM
To: Ryan West
Cc: karim jamali; Mahmoud Nossair; Cisco certification
Subject: Re: ASA Easy VPN access problem
This is just not a good solution. I agree with Ryan - educate your manager!
:-)
Isn't that the job of an engineer anyway? ;-)
On Mon, Dec 13, 2010 at 2:38 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Those are the correct ports, but anyone behind a NAT device will fail.
> You'll want to open UDP/4500 and TCP/10000 for future users and
> troubleshooting. I would look at possible sysopt commands to force ACL
> review, but if u enable at dynamic map the firewall starts listening for IKE
> connections from anywhere. Another option is individual tunnel-groups for
> each static IP.
>
> Probably the best option is to educate your manager.
>
> Sent from handheld
>
> On Dec 13, 2010, at 3:49 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Dear Mahmoud,
> >
> > IPSec is a suite of protocols and not a single port. I believe deny ISAKMP
> > (UDP Port 500) you can as well deny ESP (IP Protocol 50) or AH (IP Protocol
> > 51) depending on which one you use. If you deny ISAKMP alone I guess it
> > should do the job.
> >
> > Best Regards,
> > On Mon, Dec 13, 2010 at 11:35 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >
> >> The ISAKMP port that will be allowed on the firewall is UDP 500, am I
> >> right??? But what is the IPsec port?
> >>
> >> Best Regards,
> >>
> >> ==============================
> >> Mahmoud Nossair
> >>
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 11:23 AM
> >> To: Mahmoud Nossair
> >> Cc: karim jamali; Cisco certification
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >> A DDOS attack will happen in any event, whether you have an ACL or not. The
> >> 'DOS' attack will target your outside IP address on the ASA and the ASA will
> >> still have to process those packets, i.e. drop them according to the ACL.
> >>
> >> CCIE # 23962 (SP)
> >>
> >> On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>
> >> This is my manager's policy that nobody can access our site unless he has a
> >> registered/static IP address; I think he is afraid of a DOS attack.
> >>
> >> Best Regards,
> >>
> >> ==============================
> >> Mahmoud Nossair
> >>
> >> -----Original Message-----
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 11:09 AM
> >> To: karim jamali
> >> Cc: Mahmoud Nossair; Cisco certification
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >> I am just trying to understand why you want to do that?
> >>
> >> Surely some of the remote users are going to have dynamic IP addresses from
> >> time to time.
> >>
> >> CCIE # 23962 (SP)
> >>
> >> Sent from my iPhone 4
> >>
> >> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> >>
> >>> Dear Mahmoud,
> >>>
> >>> Hope you are doing fine. I am sure there is a better way of implementing it
> >>> but a simple approach would be to put an ACL on the outside interface in the
> >>> incoming direction that will only allow ISAKMP/IPSec from certain peers
> >>> (public IP addresses) and all other ISAKMP/IPSec traffic will be dropped.
> >>> Remember to allow any incoming traffic in the ACL if needed, otherwise you
> >>> will fall to the "implicit deny".
> >>>
> >>> I am not sure if this is the best method, but I believe this should work.
> >>>
> >>> Best Regards,
> >>>
> >>> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>>
> >>>> Thanks for replying to me.
> >>>>
> >>>> My point is how can I allow only certain IPs or a subnet (public IPs) to be
> >>>> accepted as remote VPN users?
> >>>>
> >>>> For example, suppose you have a public IP "1.1.1.1" and I have IP address
> >>>> "2.2.2.2"; both you and I initiate a remote VPN access, but the ASA
> >>>> firewall will grant you access while dropping me.
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> ==============================
> >>>> Mahmoud Nossair
> >>>>
> >>>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >>>> Sent: Monday, December 13, 2010 9:52 AM
> >>>> To: Mahmoud Nossair
> >>>> Cc: ccielab_at_groupstudy.com
> >>>> Subject: Re: ASA Easy VPN access problem
> >>>>
> >>>> I don't see the point. Only users who successfully authenticate can gain
> >>>> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
> >>>> etc.?
> >>>>
> >>>> CCIE # 23962 (SP)
> >>>>
> >>>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>>>
> >>>> Dear Experts,
> >>>>
> >>>> I had configured an Easy VPN access to the Cisco ASA 5520, but the problem
> >>>> is anybody from the OUTSIDE can initiate a remote VPN access.
> >>>>
> >>>> So how can I restrict the access to only a HOST or IP subnet from the OUTSIDE
> >>>> interface? (i.e. nobody can initiate a remote VPN access unless explicitly
> >>>> permitted through an access list or any other method).
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> ==============================
> >>>> Mahmoud Nossair
> >>>> CCIE network Engineer.
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >>> --
> >>> KJ
> >>>
Received on Tue Dec 14 2010 - 08:41:39 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART