
PIX515e, Problem with VPN and Access Lists 1

Feb 20, 2002
Hi All

Problem is this, even though my Access List for my VPN says this...

access-list nonatinside permit ip 192.168.101.0 255.255.255.0 192.168.103.0 255.255.255.0

I was surprised (to say the least) that traffic was allowed in both directions. This is a VPN link to our hosting centre and really I want all traffic from 192.168.101.0/24 to be allowed to 192.168.103.0/24 and only SMTP and DNS back. Now why is traffic allowed in both directions even though the access-list only allowed one direction? I guess it's cuz it's the NoNAT rule, but I don't have any other rules, so I am a tad confused by this.
Anyway, to cut a long story short, how do I control traffic that travels via a VPN?

Hope that's enough info; let me know if you want to see more of the config.

Ta
Simon

 
Hi

Sorry to bounce this, but this is driving me bonkers. I will paste most of the config below, but to make it more clear the problem is this. VPN from our LAN to our Hosting Centre, I want to allow access one way only... I can control what traffic goes from LAN (192.168.101.0/24) to Hosting Centre (192.168.3.0/24), but traffic back (that I want to block (apart from DNS and SMTP, but that's another question)) is all allowed through. As you can see from the config I have tried to block it everywhere, but what the hell's allowing this traffic back, cuz I am buggered if I can see a rule saying allow all traffic from 192.168.3.0/24 to 192.168.101.0/24. Any help on this would be really great.

Here's the config

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ********* encrypted
passwd ********* encrypted
hostname pix
domain-name *******.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.101.101 dns_server
name 193.130.***.*** name 192.168.1.0 psisec
name 192.168.2.0 psidmz
name 192.168.3.0 psifail
name 192.168.101.14 susessh
object-group service service_allowed tcp
port-object eq ftp
port-object eq ssh
port-object eq smtp
port-object eq 3389
port-object eq pop3
port-object eq ftp-data
port-object eq daytime
port-object eq 1863
port-object eq 8080
port-object eq 5050
port-object eq pptp
port-object eq 1489
port-object eq 4444
port-object eq 8102
port-object eq www
port-object eq https
port-object eq whois
object-group service service_allowed_tcp_udp tcp-udp
port-object eq 13
port-object eq 123
port-object eq 137
port-object eq domain
port-object eq 3544
object-group service dmz_allowed_tcp_udp tcp-udp
port-object eq domain
object-group service dmz_allowed tcp
port-object eq smtp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
port-object eq www
port-object eq https
object-group network lan_subnet
network-object 192.168.101.0 255.255.255.0
object-group network dmz_subnet
network-object 192.168.103.0 255.255.255.0
object-group icmp-type icmp
icmp-object echo-reply
icmp-object echo
icmp-object unreachable
object-group network web_servers
network-object host 192.168.103.254
object-group service http_https tcp
port-object eq www
port-object eq https
object-group network psifail_subnet
network-object psifail 255.255.255.0
object-group service dmz_2_lan tcp
port-object eq ssh
port-object eq domain
object-group service vpn_in_exchange tcp
port-object eq 1489
port-object eq pptp
port-object eq www
port-object eq https
object-group service DNS tcp-udp
port-object eq domain
object-group icmp-type icmp_allowed_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group icmp-type icmp_allowed_inside
icmp-object echo
access-list nonatinside permit ip object-group lan_subnet object-group dmz_subnet
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psidmz 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psisec 255.255.255.0
access-list nonatinside deny ip psifail 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psifail 255.255.255.0
access-list dmz_in permit udp object-group dmz_subnet object-group lan_subnet object-group service_allowed_tcp_udp
access-list dmz_in permit tcp object-group dmz_subnet object-group lan_subnet object-group dmz_2_lan
access-list dmz_in permit tcp object-group dmz_subnet any object-group service_allowed
access-list dmz_in deny ip any any
access-list inside_in deny ip object-group psifail_subnet object-group lan_subnet
access-list inside_in permit ip host dns_server any
access-list inside_in permit tcp object-group lan_subnet any object-group service_allowed
access-list inside_in permit udp object-group lan_subnet any object-group service_allowed_tcp_udp
access-list inside_in permit ip object-group lan_subnet object-group dmz_subnet
access-list inside_in permit gre host dns_server any
access-list inside_in permit icmp any any object-group icmp_allowed_inside
access-list inside_in deny ip any any
access-list outside_in deny ip object-group psifail_subnet object-group lan_subnet
access-list outside_in permit tcp any host eq www
access-list outside_in permit tcp any host 193.130.***.*** object-group vpn_in_exchange
access-list outside_in permit gre any host 193.130.***.***
access-list outside_in permit tcp any host 193.130.***.*** eq smtp
access-list outside_in permit icmp any any object-group icmp_allowed_outside
access-list outside_in deny ip any any
access-list nonatdmz permit ip object-group dmz_subnet object-group lan_subnet
pager lines 65
logging on
logging trap warnings
logging host inside 192.168.101.250
no logging message 106011
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 193.130.***.*** 255.255.255.192
ip address inside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
ip audit name myaudit info action alarm
ip audit name attackaudit attack action drop
ip audit interface outside myaudit
ip audit interface outside attackaudit
ip audit interface inside attackaudit
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6053 disable
pdm history enable
arp timeout 14400
global (outside) 1 193.130.63.77
nat (inside) 0 access-list nonatinside
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 192.168.103.0 255.255.255.0 0 0
static (inside,outside) 193.130.63.103 192.168.101.103 netmask 255.255.255.255 100 50
static (inside,dmz) susessh susessh netmask 255.255.255.255 100 50
static (inside,outside) 193.130.63.101 dns_server netmask 255.255.255.255 100 50
static (inside,dmz) dns_server dns_server netmask 255.255.255.255 100 50
static (dmz,outside) 192.168.103.254 netmask 255.255.255.255 100 50
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 193.130.63.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 212.42.1.207 source outside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address nonatinside
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer ***.***.***.***
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username simon password ************* encrypted privilege 15
terminal width 150
Cryptochecksum:697790eba0b36b613699ad31254b1f2c
: end
 
Your problem is this line

sysopt connection permit-ipsec

That command basically tells the pix that any ipsec traffic (vpn traffic) bypasses the ACLs. Remove that line and any traffic that gets decrypted will then be checked against your ACLs before being allowed through.
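The check the reply describes can be scripted. This is an added example for this thread, not code from the original posts: it scans a PIX 6.x config dump for `sysopt connection permit-ipsec`, finds which ACL the crypto map uses to select VPN traffic and which ACL is bound inbound on the outside interface, and reports whether decrypted VPN traffic is actually filtered. The config text is a constructed excerpt of the one posted above.

```python
"""Audit a PIX 6.x config for VPN traffic that bypasses interface ACLs."""
import re

# Constructed excerpt of the poster's config (not the full dump).
SAMPLE_CONFIG = """\
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psifail 255.255.255.0
access-list outside_in deny ip object-group psifail_subnet object-group lan_subnet
access-list outside_in deny ip any any
nat (inside) 0 access-list nonatinside
access-group outside_in in interface outside
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address nonatinside
crypto map outside_map interface outside
"""

BYPASS_CMD = "sysopt connection permit-ipsec"


def audit_vpn_filtering(config: str) -> dict:
    """Report whether decrypted IPsec traffic is checked against the outside ACL."""
    lines = [ln.strip() for ln in config.splitlines()]
    bypass = BYPASS_CMD in lines
    # ACL named by 'match address' only selects traffic to encrypt; the PIX
    # mirrors it for the return direction, so it does not act as a filter.
    crypto_acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M))
    # Decrypted VPN packets are checked against this ACL only when the sysopt is absent.
    m = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    outside_acl = m.group(1) if m else None
    outside_rules = [ln for ln in lines
                     if outside_acl and ln.startswith(f"access-list {outside_acl} ")]
    return {
        "acl_bypass": bypass,
        "crypto_acls": sorted(crypto_acls),
        "outside_acl": outside_acl,
        "outside_rule_count": len(outside_rules),
        "decrypted_traffic_filtered": (not bypass) and outside_acl is not None,
    }


def remediate(config: str) -> str:
    """Return the config with the bypass line removed, as the reply recommends."""
    kept = [ln for ln in config.splitlines() if ln.strip() != BYPASS_CMD]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(audit_vpn_filtering(SAMPLE_CONFIG))
    print(audit_vpn_filtering(remediate(SAMPLE_CONFIG)))
```

Once the sysopt is gone, the deny entries in `outside_in` for the remote subnet are what block return traffic, and any SMTP/DNS you do want back needs explicit permits there.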
 
Hope you are looking for a new buddy, cuz you are now my bestest buddy. Have your star and wear it with pride....

Thanks for your great help.

Simon
 