Split tunnel ACL port blocking 2

[sorehead]

Hi All,

Not sure this is possible.....

Pix 515E with 6.2(1). VPN Client 3.6.3.

The 'powers that be' want to have internet access while they are VPN'd into the LAN. I am aware of the security implications that this brings, of the price of the VPN concentrator that would do the job, of the overhead on our net connection if I were to have a proxy in place and of the general method of implementing split-tunnels.

However, as this functionality i still required, I am stuck rather between a rock and a hard place. I then thought that if i could limit the open ports on the split-tunnel ACL, I could only allow access to certain features on our network like Outlook, filestore browsing and so on (nothing too fancy is required). This would mean that I could at least tip a nod towards network security and not leave all the umpteen thousand ports open on the firewall for script-kiddies to nose around in.

Now, with the Split-tunnel ACL's, the source and destination addresses are back to front, and everytime I try and lock down some ports (even with a permit ip any any statement at the bottom) I cannot get the internet anymore.

EG, with:

access-list acl_test permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

All is fine

As soon as you specify a port on the end, no dice. I suspect this isn't going to work as the SA/DA are the other way around, but would like to know for sure.

If this is the case, any ideas of a frig? I would like to offer split-tunnel, but only have certain features available - say ports 80, 21, 23, and 443, with everything else barred at the f/w.

Any ideas gratefully listened to.

Thanks a lot.

Jim..

 

[chicocouk]

I've only skim read this, but I think you're approaching this from slightly the wrong angle. You don't need to specify ports etc in the split tunnel, what you need to do is check that traffic that comes OUT of the vpn gets processed by ACLS and then create an ACL that only allows ports in from the range you use for your vpns, apply it to the outside interface in, and you're away.

The first thing to check is do you have the following command in your pix config -

sysopt connection permit-ipsec

If so, everything that comes out of your IpSec tunnel bypasses the standard ACLs on the pix. Remove that line, configure an appropriate acl, and bind that acl to the outside interface in.

Although I would totally agree with your implication that you don't really want to do this for security reasons, and I would keep insisting to your bosses that it's a bad idea. I do understand the pressure to do what they want though

all the best

Chico

 

[chicocouk]

In other words, assuming your dial in clients get assigned an ip in the range 192.168.5.0/24, and your main local network behind the pix is on 192.168.3.0/24, something like the following should work

no sysopt connection permit-ipsec

access-list allowVpnTrafficIn permit tcp 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 80
access-list allowVpnTrafficIn permit tcp 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 21
access-list allowVpnTrafficIn permit tcp 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 23
access-list allowVpnTrafficIn permit tcp 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 443

access-group allowVpnTrafficIn in interface outside

Cheers

 

[sorehead]

Hey Chico, thanks for the reply. I'll be having a look at this today and everything you say makes sense - it's so easy when someone else points it out... I'll report back etc when I've tried it..

Thanks.

 

[sorehead]

This looks to be just the trick, problem solved. Thanks a lot.

 

[chicocouk]

No problem, glad you've got it sorted



CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP