Re: ASA Easy VPN access problem

From: karim jamali <karim.jamali_at_gmail.com>
Date: Tue, 14 Dec 2010 10:25:51 +0300

Hello Tyson,

Thanks for sharing your knowledge.

Best Regards,

On Tue, Dec 14, 2010 at 2:01 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:

> Based on your first requirement of only registered IPs, you only need to
> allow ESP (IP protocol 50) and UDP 500. Applying this control in an ACL is
> correct BUT you have to use a control-plane ACL. Filtering using the ACL
> applied to the outside interface doesn't block traffic directed to the ASA
> for VPN termination.
>
> So the following would be a configuration example:
>
> ! Peers that may terminate IPsec on the ASA. Use "network-object host A.B.C.D"
> ! for a single peer or "network-object A.B.C.0 255.255.255.0" for a subnet.
> object-group network ALLOWED_CLIENTS
>  network-object host <allowed source>
> !
> ! To-the-box ACL, evaluated top down, first match wins: permit ESP (IP 50)
> ! and ISAKMP (UDP/500) from the allowed peers, explicitly drop them from
> ! everyone else.
> access-list CONTROL_VPN_ENDPOINTS permit esp object-group ALLOWED_CLIENTS host <ASA_Address>
> access-list CONTROL_VPN_ENDPOINTS deny esp any any
> access-list CONTROL_VPN_ENDPOINTS permit udp object-group ALLOWED_CLIENTS host <ASA_Address> eq 500
> access-list CONTROL_VPN_ENDPOINTS deny udp any any eq 500
> !
> ! "control-plane" binds the ACL to traffic addressed to the ASA itself, which
> ! an ordinary "access-group ... in interface outside" never sees.
> access-group CONTROL_VPN_ENDPOINTS in interface outside control-plane
>
> This is a lot of overhead but it is not unrealistic of your manager to
> request. This does help to prevent a DDoS against the ASA to exhaust its
> resources, so depending on the sensitivity of the organization this may make
> sense (although I will say I am glad I am not the administrator of this
> policy). So it is a little rash to say he needs to teach his manager
> something when, again dependent on the sensitivity of the organization, his
> manager does have some merit in his requirement.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Monday, December 13, 2010 12:34 PM
> To: Ryan West
> Cc: karim jamali; Mahmoud Nossair; Cisco certification
> Subject: Re: ASA Easy VPN access problem
>
> This is just not a good solution. I agree with Ryan - educate your manager!
> :-)
>
> Isn't that the job of an engineer anyway? ;-)
>
> On Mon, Dec 13, 2010 at 2:38 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > Those are the correct ports, but anyone behind a NAT device will fail.
> > You'll want to open UDP/4500 and TCP/10000 for future users and
> > troubleshooting. I would look at possible sysopt commands to force ACL
> > review, but if you enable it at the dynamic map the firewall starts
> > listening for IKE connections from anywhere. Another option is individual
> > tunnel-groups for each static IP.
> >
> > Probably the best option is to educate your manager.
> >
> > Sent from handheld
> >
> > > On Dec 13, 2010, at 3:49 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> >
> > > Dear Mahmoud,
> > >
> > > IPsec is a suite of protocols and not a single port. I believe that
> > > besides denying ISAKMP (UDP port 500) you can also deny ESP (IP protocol
> > > 50) or AH (IP protocol 51), depending on which one you use. If you deny
> > > ISAKMP alone I guess it should do the job.
> > >
> > > Best Regards,
> > > On Mon, Dec 13, 2010 at 11:35 AM, Mahmoud Nossair
> > > <mahmoud.nossair_at_gmail.com> wrote:
> > >
> > >> The ISAKMP port that will be allowed on the firewall is UDP 500, am I
> > >> right??? But what is the IPsec port?
> > >>
> > >>
> > >>
> > >> Best Regards,
> > >>
> > >> ==============================
> > >>
> > >> Mahmoud Nossair
> > >>
> > >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> > >> Sent: Monday, December 13, 2010 11:23 AM
> > >> To: Mahmoud Nossair
> > >> Cc: karim jamali; Cisco certification
> > >>
> > >> Subject: Re: ASA Easy VPN access problem
> > >>
> > >> A DDoS attack will happen in any event, whether you have an ACL or not.
> > >> The "DoS" attack will target your outside IP address on the ASA and the
> > >> ASA will still have to process those packets, i.e. drop them according
> > >> to the ACL.
> > >>
> > >> CCIE # 23962 (SP)
> > >>
> > >> On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair
> > >> <mahmoud.nossair_at_gmail.com> wrote:
> > >>
> > >> This is my manager's policy that nobody can access our site unless he
> > >> has a registered/static IP address; I think he is afraid of a DoS attack.
> > >>
> > >>
> > >> Best Regards,
> > >>
> > >> ==============================
> > >> Mahmoud Nossair
> > >>
> > >> -----Original Message-----
> > >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> > >>
> > >> Sent: Monday, December 13, 2010 11:09 AM
> > >> To: karim jamali
> > >> Cc: Mahmoud Nossair; Cisco certification
> > >> Subject: Re: ASA Easy VPN access problem
> > >>
> > >> I am just trying to understand why you want to do that ?
> > >>
> > >> Surely some of the remote users are going to have dynamic IP addresses
> > >> from time to time.
> > >>
> > >> CCIE # 23962 (SP)
> > >>
> > >> Sent from my iPhone 4
> > >>
> > >> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> > >>
> > >>> Dear Mahmoud,
> > >>>
> > >>> Hope you are doing fine. I am sure there is a better way of
> > >>> implementing it, but a simple approach would be to put an ACL on the
> > >>> outside interface in the incoming direction that will only allow
> > >>> ISAKMP/IPsec from certain peers (public IP addresses), and all other
> > >>> ISAKMP/IPsec traffic will be dropped. Remember to allow any incoming
> > >>> traffic you need in the ACL, otherwise you will fall to the "implicit
> > >>> deny".
> > >>>
> > >>> I am not sure if this is the best method, but I believe this should
> > >>> work.
> > >>>
> > >>> Best Regards,
> > >>>
> > >>> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair
> > >>> <mahmoud.nossair_at_gmail.com> wrote:
> > >>>
> > >>>> Thanks for replying to me.
> > >>>>
> > >>>>
> > >>>>
> > >>>> My point is how can I allow only certain IPs or a subnet (public IPs)
> > >>>> to be accepted as remote VPN users?
> > >>>>
> > >>>>
> > >>>>
> > >>>> For example, suppose you have a public IP "1.1.1.1" and I have IP
> > >>>> address "2.2.2.2"; both you and I initiate a remote VPN access, but
> > >>>> the ASA firewall will grant you access while dropping me.
> > >>>>
> > >>>>
> > >>>> Best Regards,
> > >>>>
> > >>>>
> > >>>>
> > >>>> ==============================
> > >>>>
> > >>>> Mahmoud Nossair
> > >>>>
> > >>>>
> > >>>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> > >>>> Sent: Monday, December 13, 2010 9:52 AM
> > >>>> To: Mahmoud Nossair
> > >>>> Cc: ccielab_at_groupstudy.com
> > >>>> Subject: Re: ASA Easy VPN access problem
> > >>>>
> > >>>>
> > >>>>
> > >>>> I don't see the point. Only users who successfully authenticate can
> > >>>> gain access via the VPN. What auth method are you using: RADIUS,
> > >>>> TACACS+, local, etc.?
> > >>>>
> > >>>> CCIE # 23962 (SP)
> > >>>>
> > >>>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair
> > >>>> <mahmoud.nossair_at_gmail.com> wrote:
> > >>>>
> > >>>> Dear Experts
> > >>>>
> > >>>>
> > >>>>
> > >>>> I have configured Easy VPN access on a Cisco ASA 5520, but the problem
> > >>>> is that anybody from the OUTSIDE can initiate a remote VPN access.
> > >>>>
> > >>>> So how can I restrict the access to only a HOST or IP subnet from the
> > >>>> OUTSIDE interface? (i.e. nobody can initiate a remote VPN access unless
> > >>>> explicitly permitted through an access list or any other method).
> > >>>>
> > >>>> Best Regards,
> > >>>>
> > >>>>
> > >>>>
> > >>>> ==============================
> > >>>>
> > >>>> Mahmoud Nossair
> > >>>>
> > >>>> CCIE network Engineer.
> > >>>>
> > >>>>
> > >>>> Blogs and organic groups at http://www.ccie.net
> > >>>>
> > >>>> _______________________________________________________________________
> > >>>> Subscription information may be found at:
> > >>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>>
> > >>>
> > >>>
> > >>> --
> > >>> KJ
> > >>>
> > >>
> > > --
> > > KJ
> > >
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
KJ
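Added example, not from any of the posters in this thread: Tyson's control-plane ACL extended to cover the ports Ryan mentions, so that clients behind NAT (which move to NAT-T on UDP/4500 as soon as NAT is detected during IKE) and clients configured for IPsec over TCP (TCP/10000) are also restricted to the permitted peers instead of being dropped by the implicit deny at the end of the ACL. A peer behind NAT reaches the ASA with the NAT device's public address, so that is the address that belongs in the object-group. The interface name outside, the object-group names, the ASA outside address 203.0.113.1 and the peer addresses 198.51.100.0/24 and 192.0.2.10 are assumptions (documentation ranges, constructed for the example); the object-group and service-object syntax is the 8.3-style form.

```cisco
! Added example, not from the original thread. Addresses and names are assumed.
! Permitted peers: one static range plus one single host. For a client behind
! NAT, list the NAT device's public address, which is what the ASA sees.
object-group network ALLOWED_CLIENTS
 network-object 198.51.100.0 255.255.255.0
 network-object host 192.0.2.10
!
! Every port the ASA listens on for IPsec remote access:
!   UDP/500   ISAKMP
!   UDP/4500  NAT-T (negotiated automatically when a NAT is detected)
!   TCP/10000 IPsec over TCP (only relevant if enabled below)
object-group service IPSEC_CTRL_PORTS
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object tcp destination eq 10000
!
! To-the-box ACL: top down, first match wins, implicit deny at the end.
access-list CONTROL_VPN_ENDPOINTS extended permit esp object-group ALLOWED_CLIENTS host 203.0.113.1
access-list CONTROL_VPN_ENDPOINTS extended permit object-group IPSEC_CTRL_PORTS object-group ALLOWED_CLIENTS host 203.0.113.1
! Explicit, logged drops so hit counters and syslog show who is being refused
! instead of hiding that in the implicit deny.
access-list CONTROL_VPN_ENDPOINTS extended deny esp any host 203.0.113.1 log
access-list CONTROL_VPN_ENDPOINTS extended deny object-group IPSEC_CTRL_PORTS any host 203.0.113.1 log
!
! Bind to traffic addressed to the ASA itself (an interface ACL would not
! catch this traffic, as Tyson notes above).
access-group CONTROL_VPN_ENDPOINTS in interface outside control-plane
!
! The listeners the ACL is guarding. Drop the ipsec-over-tcp line and the
! TCP/10000 service-object if IPsec over TCP is not in use.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
!
! Verify: per-line hit counts, and that the ACL is really on the control plane.
show access-list CONTROL_VPN_ENDPOINTS
show running-config access-group
```

Only permit the ports the ASA actually has listeners for: each permitted line is another to-the-box service exposed to the allowed peers, and show running-config crypto isakmp tells you which ones are enabled. Once the ACL is bound, the hit counts from show access-list separate "allowed peer, unexpected port" (for example a known peer that has moved behind a NAT and now arrives on UDP/4500) from "peer not on the list" without a packet capture.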
Received on Tue Dec 14 2010 - 10:25:51 ART
