Firewall Wizards mailing list archives
Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices
From: Chris Myers <clmmacunix () charter net>
Date: Sun, 18 Nov 2007 21:19:05 -0600
You will setup the ACL's you will have named for your crypto-map map <whatever> match address vpn_acl_HQ. They will have to be subnets because you are defining trusted subnets for the site-2-site. (access- list vpn_acl_HQ permit ip 10.1.1.1 255.255.255.0 10.0.0.0 255.255.255.0). Even with the intra/inter-face same security level you will still have to setup No NAT (nat (inside) 0 access-list nonat) (access-list nonat permit ip 10.1.1.1 255.255.255.0 10.0.0.0 255.255.255.0) policies for the traffic to not nat over the VPN. I am assuming you are using the 'outside' interface for the VPN peer, hence security levels will be different. The only risk involved with this is if the branch offices are using there own internet connection where you get all the virus' (all 0's route out there own router to the internet) and not using HTTP/HTTPS over the VPN to HQ, which it sounds like, because this will give carte blanche to any worm or attack that is successful in the branch office to propogate to the HQ. If you are only using the HQ for certain traffic, then define that traffic and only allow it over the VPN via ACL and not use 'ip' for the ACL. If this is not feasible, then get another PIX and use it strictly for VPN let the IP traffic traverse it for simplistic setup reasons and create a transit between the two boxes on a dmz or inside interface with specific ACL's for the traffic you want to hit the HQ. Hope this helps! On Sep 27, 2007, at 10:46 AM, robbie.jacka () regions com wrote:
Caveat: this has only been fixed in 7.2(1) and later, if memory serves. Robbie Anthony <ez4me2c3d@gmail. com> To Sent by: Firewall Wizards Security Mailing firewall-wizards- List bounces@listserv. <firewall-wizards@listserv.icsalabs icsalabs.com .com> cc "Behm, Jeffrey L." <BehmJL () bv com,09/26/2007 07:33 firewall-wizards-bounces@listserv.i PM csalabs.com, michael () wanderingbark net Subject Please respond to Re: [fw-wiz] Issue with replacing Firewall Wizards SonicWall VPN with Cisco ASA VPN Security Mailing devices List <firewall-wizards @listserv.icsalab s.com> Robbie, The ASA code 7.x has addressed VPN hairpinning with the same-security-traffic permit intra-interface command. I've done it several times with great success. And with proper ACLs and routes you can direct the traffic where ever you want. Jeff, What you are trying to do is possible on the ASAs. You're basically setting up a hub/spoke vpn model with l2l's between HQ and remote offices. Cisco.com has documents on how to set this up. References: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807f9a89.shtml http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml General Configuration Examples http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html Anthony robbie.jacka () regions com wrote:The biggest possible issue is hairpinning the internet-bound trafficinsideof the 5520, not tunneling the traffic back from the 5505s. PIX 6.x has traditionally had a problem with this, if I recall correctly, and I'm not sure that it's been fixed in PIX 7.x/ASA code RobbieMichael Cox<michael@wanderingbark.net>ToSent by:firewall-wizards@listserv.icsalabs.firewall-wizards- combounces@listserv.ccicsalabs.com "Behm, Jeffrey L." <BehmJL () bv comSubjectRe: [fw-wiz] Issue with replacing09/26/2007 09:25 SonicWall VPN with Cisco ASA VPNAM devicesPlease respond toFirewall WizardsSecurity MailingList<firewall-wizards@listserv.icsalabs.com>For clarification, are there clients connecting to the 5505's, or is it just a site-to-site setup? In any case, what you want to do should be possible. When you define the ACL for what traffic goes down the tunnel from the branch to the hub, simply do "permit ip <LAN network address> <LAN netmask> any". Reverse this on the hub. I'm stumped as to why they think this is a security issue. Maybe TAC didn't understand what you want to do (or maybe I don't). Regards, Michael On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:Hello Wizards, Our network team is replacing the client's SonicWall devices with Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices were basically used as VPN endpoints in remote offices to be concentrated back to the corporate HQ. All traffic not destined for the local LAN in the remote offices was sent to the corporate office via the "Route all traffic through this SA" functionality in the SonicWall. This worked well for the environment, but now there is the need to replace these devices, and Cisco ASA devices have been chosen. They are now trying to duplicate that functionality via the Cisco devices, but in talking with Cisco TAC, they say such a configuration is not possible, and even if it were, it would not be a security best practice. Implementation of the Cisco device has broken all Internet connectivity from the remote offices, since the only traffic allowed out to/from the Internet is through HQ (with the exception of the site to site VPN traffic to allow connectivity between remote offices and HQ). Remote offices can see everything on the HQ LAN, because the Cisco device is configured with IP information that allows it to route traffic to HQ. I can see some of Cisco's arguments regarding it not being a security best practice, but in the scenario of centralized management and monitoring of Internet-bound traffic, has anyone successfully configured the Cisco devices to mimic the "Route all traffic through this SA" functionality present in the SonicWall devices? I understand they could open up the Cisco devices to allow traffic out from each office, but that would require monitoring every remote office, and deviates from the centralized monitoring/management path we are currently traversing. I haven't personally been involved in this implementation, but was approached by the network team due to my security background, so I can get more details from the network team if necessary. We are simply trying to mimic in the Cisco devices the "Route all traffic through this SA" functionality present in the SonicWall devices. Thoughts? Jeff _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Chris Myers (Nov 19)