So I know this isn’t my usual R&S blog post… but I continue to see just terribly stupid approaches to filtering traffic across Lan-2-Lan tunnels between ASAs. So this is my small contribution to end the stupidity. Before we get started, lets draw up a super basic diagram to work from and then I’ll decribe the problem, probably rant on the dumb solutions I’ve seen to the problem for a paragraph, before finally showing how I solve said problem.
Ok cool, we have a pretty picture to talk about now. So here’s the problem we’re trying to solve, we’re CORP and we have this VPN built to a partner company so their users can access services on 172.16.1.100. No big deal right? We build our L2L VPN just like always, maybe use some stronger than normal encryption and hell we even configure PFS. Then concerns form about what all this partner company has access to, because really all they should be able to do is ping, access a web page via https, and maybe we also allow them to SSH to this box (sftp or something). Well, default behavior of a L2L tunnel doesn’t make filtering super easy. Here’s where people get stupid. So before covering the best solution, let’s just make a list called “Shit you shouldn’t do”
1. Don’t disable sysopt connection permit-vpn. This command is on by default, and if you turn it off, the firewall stops trusting ingress VPN traffic. While it would get the job done, and now you have to permit traffic via your outside interface, never use a cannon to kill a fly. Turning off ‘permit-vpn’ impacts all VPN traffic, so if you have multiple L2L VPN, any remote access VPN (anyconnect and legacy) you now have to allow traffic on your outside interface to accommodate these connections. It’s a dumb solution, stop using it.
2. Don’t limit interesting traffic to filter the connection. This means on your crypto ACL you get hyper specific with allowed hosts, subnets, and protocols/ports. Yes… I’ve seen people specify port numbers in their crypto ACLs, it causes magically unpredictable behavior. While limiting allowed hosts/subnets isn’t a bad practice, if you start getting crypto ACLs that are 10, 15… 20 lines you have a problem. Remember each line your crypto ACL (think crypto map VPN 10 match address crypto_acl) is a separate IPsec security association both firewalls have to track and negotiate. Again, stop doing this.
Now that we covered that, lets go over what I consider to be “The Most Correct Way… ever.” So again, we’ll use tcp 22/443 and icmp as examples of our allowed traffic. The CORP firewall should drop all other traffic coming over this tunnel, and we’ll even have an explicit deny statement just to track hits that get dropped.
Before Filtering:
access-list IPsec extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address IPsec
crypto map VPNMAP 10 set peer 200.1.1.100
crypto map VPNMAP 10 set transform-set ESP-AES
crypto map VPNMAP interface OUTSIDE
!
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group 200.1.1.100 type ipsec-l2l
tunnel-group 200.1.1.100 ipsec-attributes
pre-shared-key cisco123
Ok, so I’m actually saying “Anything on my corporate LAN is considered interesting.” That’s fine, maybe there’s future growth or something. Now let’s filter the tunnel so 10.1.1.0/24 can only talk to 172.16.1.100 on tcp/22&443, and icmp.
After
access-list PARTNERL2L-Filter extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.100 eq ssh
access-list PARTNERL2L-Filter extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.100 eq https
access-list PARTNERL2L-Filter extended permit icmp 10.1.1.0 255.255.255.0 host 172.16.1.100
access-list PARTNERL2L-Filter extended deny ip 10.1.1.0 255.255.255.0 any
!
group-policy PARTNER_L2L_VPN internal
group-policy PARTNER_L2L_VPN attributes
vpn-filter value PARTNERL2L-Filter
!
tunnel-group 200.1.1.100 general-attributes
default-group-policy PARTNER_L2L_VPN
That’s all you have to do! *SPECIAL NOTE* If the L2L VPN is up and active when you make this change, you’ll need to clear IPsec SA for that peer. So in my case that’s:
clear ipsec sa peer 200.1.1.100
When the tunnel re-establishes, boom your filter is in place. I’ll do the actual demo in my video, but here’s the hit counter on my filter ACL.
CORP-FW# sh access-l PARTNERL2L-Filter
access-list PARTNERL2L-Filter; 3 elements
access-list PARTNERL2L-Filter line 1 extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.100 eq ssh (hitcnt=5)
access-list PARTNERL2L-Filter line 2 extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.100 eq https (hitcnt=0)
access-list PARTNERL2L-Filter line 3 extended permit icmp 10.1.1.0 255.255.255.0 host 172.16.1.100 (hitcnt=1)
access-list PARTNERL2L-Filter line 4 extended deny ip 10.1.1.0 255.255.255.0 any (hitcnt=10)
So that’s it everyone, stop doing dumb shit. Video coming later tonight… maybe tomorrow.