Access list help



  • I set up a site to site VPN from my office to data center. Right now my entire office network can access the colo via the tunnel. I want to only permit certain users to access the datacenter via the tunnel. I’ve tried grouping these users’ IPs and setting them as the source address on the tunnel policy but any IP address in the office is allowed to access the datacenter. On the office firewall can I just set an access list to explicitly permit certain users’ IPs to the datacenter? Will the permit access list implicitly deny all IP addresses not included in the access list? Please give me CLI examples. The one I’m thinking I should use is:

    set access-list src-ip 192.168.0.121 255.255.255.255 dst-ip 192.168.10.0 255.255.255.0 src-port 1-65535 dst-port 1-65535 any

    Thanks for any help



  • Cool so there was a wide open policy on your remote firewall that was causing the issue…
    Your actual policy must have been above the wide open policy…so all not allowed traffic must be going via the wide open policy…and this policy must be acting like a catch all rule and allowing unwanted traffic via the tunnel…



  • I figured it out. There was a policy in the remote firewall that was for untrust any to trust LAN. I’m happy I noticed this because this is a terrible mistake having such a wide open policy as this. Basically, the site 2 site policy logs would show the connections made by the users in the access group. The other policy (any to lan) would accept all other connections that were dumped on the default route for the site 2 site routes that are needed to establish the tunnel. Sorry if that’s confusing.
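    The two questions running through this thread (does a permit policy for a user group implicitly deny everyone else, and why did a wide open "untrust any to trust LAN" policy on the remote side let 192.168.0.85 through) both come down to ordered, first-match policy evaluation with an implicit deny at the end. The script below is an added illustration, not code from the thread or from any firewall vendor: it models a policy list as a Python evaluator, uses the user range and colo subnet quoted in the thread, and treats the zone names, policy names and the catch-all policy as constructed assumptions.

```python
# Added example: first-match policy evaluation with implicit deny.
# Policies, zone names and packets below are constructed for illustration;
# they are not the poster's configuration or a vendor's policy engine.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")   # models address book object "any"


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src: tuple            # tuple of IPv4Network; (ANY_NET,) models "any"
    dst: tuple
    dst_ports: frozenset  # empty frozenset models service "any"
    action: str           # "permit" or "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, dst_port):
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and any(src_ip in net for net in self.src)
                and any(dst_ip in net for net in self.dst)
                and (not self.dst_ports or dst_port in self.dst_ports))


def evaluate(policies, src_zone, dst_zone, src_ip, dst_ip, dst_port):
    """Walk the ordered policy list; first match wins, no match is an implicit deny."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for policy in policies:
        if policy.matches(src_zone, dst_zone, src_ip, dst_ip, dst_port):
            return policy.action, policy.name
    return "deny", "implicit-deny"


def host_group(first, last):
    """Expand an inclusive IPv4 range (e.g. .191-.202) into /32 networks."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return tuple(ip_network(f"{IPv4Address(n)}/32") for n in range(lo, hi + 1))


def audit_wide_open(policies):
    """Names of permit policies whose source is 'any' and service is 'any'."""
    return [p.name for p in policies
            if p.action == "permit" and ANY_NET in p.src and not p.dst_ports]


# Values taken from the thread: user range, colo subnet, allowed services.
VPN_USERS = host_group("192.168.0.191", "192.168.0.202")
COLO_LAN = (ip_network("192.168.10.0/24"),)
ALLOWED_SERVICES = frozenset({80, 443, 22, 3306})   # HTTP, HTTPS, SSH, MySQL

# Office side (assumed zones trust -> untrust): only the user group is permitted.
OFFICE_POLICIES = (
    Policy("vpn-users-to-colo", "trust", "untrust",
           VPN_USERS, COLO_LAN, ALLOWED_SERVICES, "permit"),
)

# Remote side as described in the thread: the specific policy first, then a
# constructed "untrust any -> trust LAN" catch-all that accepts everything else.
REMOTE_POLICIES = (
    Policy("site2site-users", "untrust", "trust",
           VPN_USERS, COLO_LAN, ALLOWED_SERVICES, "permit"),
    Policy("untrust-any-to-lan", "untrust", "trust",
           (ANY_NET,), COLO_LAN, frozenset(), "permit"),
)


if __name__ == "__main__":
    # 192.168.0.85 is outside the group: implicit deny on the office policy set,
    # but permitted by the catch-all on the remote set.
    print(evaluate(OFFICE_POLICIES, "trust", "untrust",
                   "192.168.0.85", "192.168.10.18", 22))
    print(evaluate(OFFICE_POLICIES, "trust", "untrust",
                   "192.168.0.195", "192.168.10.18", 22))
    print(evaluate(REMOTE_POLICIES, "untrust", "trust",
                   "192.168.0.85", "192.168.10.18", 22))
    print("wide open permits:", audit_wide_open(REMOTE_POLICIES))
```

    The evaluator shows why restricting the source on one side is not enough: an IP that matches nothing on the office side falls through to the implicit deny, but the same packet hitting a later "any" permit on the remote side is accepted, which is exactly the catch-all behaviour the thread found. `audit_wide_open` is the check worth running over a real policy export before trusting a restrictive rule.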



  • Post your configs as well…



  • The below should not be happening. If my source addresses are a range from 192.168.0.191 - 192.168.0.202 then 192.168.0.85 shouldn’t have access to the tunnel.

    ****** 9938967.0: <trust/bgroup0> packet received [40]******
      ipid = 27426(6b22), @034b0850
      packet passed sanity check.
      bgroup0:192.168.0.85/50974->192.168.10.18/22,6
      existing session found. sess token 3
      flow got session.
      flow session id 3079
      post addr xlation: 192.168.0.85->192.168.10.18.
      going into tunnel 40000005.
      flow_encrypt: pipeline.
    chip info: PIO. Tunnel id 00000005
    (vn2)  doing ESP encryption and size =48
    ESP-tunnel packet, set dscp to 0(tos 0)
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
    ipsec encrypt done
    put packet(37ebeb4) into flush queue.
    remove packet(37ebeb4) out from flush queue.

    This is from the remote firewall
    ****** 23342566.0: <trust/ethernet0/0> packet received [92]******
      ipid = 31334(7a66), @1d50c114
      packet passed sanity check.
      ethernet0/0:192.168.10.18/22->192.168.0.85/50974,6 <root>existing session found. sess token 3
      flow got session.
      flow session id 46558
      tcp seq check.
      post addr xlation: 192.168.10.18->192.168.0.85.
      going into tunnel 40000001.
      flow_encrypt: pipeline.
    chip info: DMA. Tunnel id 00000001
    (vn2)  doing ESP encryption and size =96
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
    ipsec encrypt done
    put packet(44e7b14) into flush queue.
    remove packet(44e7b14) out from flush queue.



  • I would then set up flow filters and run basic flow debugging. That is useful for seeing what policy is being hit and why.



  • That’s exactly what I’ve already done. The trust interface on the office firewall has a policy that has the source IP addresses restricted to a group of users’ static IP addresses and I restricted it to the use of HTTP, HTTPS, SSH and MySQL, yet it still allows anyone to go across the tunnel via the aforementioned protocols. It doesn’t make any sense.



  • Configure a route-based VPN, configure tunnel interfaces on the External Zone / Untrust Zone. Then restrict your internal private network by policies from External / Untrust Zone to Internal / Trust Zone.

