Friday, September 28, 2007

firewall-wizards Digest, Vol 17, Issue 25

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (Julian M. Dragut)
2. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (robbie.jacka@regions.com)


----------------------------------------------------------------------

Message: 1
Date: Wed, 26 Sep 2007 13:24:07 -0400
From: "Julian M. Dragut" <julianmd@gmail.com>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8118617d0709261024g4a3364c2qb04aa752f548e3ea@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Jeff,


To make sure I properly understood the quest:

You have site to site VPN's between brach offices, and branch offices
also function as VPN endpoints. Now, a mobile worker in a brach office
connects to the BO VPN endpoint and you want the traffic destined to
HQ to use the tunnel, right?


Cisco will say no, because you cannot get out through the same
interface you came in (VPN client, VPN tunnel to HQ)

On a Sonicwall, "Route all traffic through this SA" basically adds a
static route just for that SA for the VPN users, and I think you
cannot do that with PIX. Your solution is a proxy in the branch
offices, that will change the source IP of the remote VPN mobile user,
and this will let you go through the VPN tunnel to the HQ.


Julian

On 9/25/07, Behm, Jeffrey L. <BehmJL@bv.com> wrote:
>
> Hello Wizards,
>
> Our network team is replacing the client's SonicWall devices with Cisco
> ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
> were basically used as VPN endpoints in remote offices to be
> concentrated back to the corporate HQ. All traffic not destined for the
> local LAN in the remote offices was sent to the corporate office via the
> "Route all traffic through this SA" functionality in the SonicWall. This
> worked well for the environment, but now there is the need to replace
> these devices, and Cisco ASA devices have been chosen.
>
> They are now trying to duplicate that functionality via the Cisco
> devices, but in talking with Cisco TAC, they say such a configuration is
> not possible, and even if it were, it would not be a security best
> practice. Implementation of the Cisco device has broken all Internet
> connectivity from the remote offices, since the only traffic allowed out
> to/from the Internet is through HQ (with the exception of the site to
> site VPN traffic to allow connectivity between remote offices and HQ).
> Remote offices can see everything on the HQ LAN, because the Cisco
> device is configured with IP information that allows it to route traffic
> to HQ.
>
> I can see some of Cisco's arguments regarding it not being a security
> best practice, but in the scenario of centralized management and
> monitoring of Internet-bound traffic, has anyone successfully configured
> the Cisco devices to mimic the "Route all traffic through this SA"
> functionality present in the SonicWall devices? I understand they could
> open up the Cisco devices to allow traffic out from each office, but
> that would require monitoring every remote office, and deviates from the
> centralized monitoring/management path we are currently traversing. I
> haven't personally been involved in this implementation, but was
> approached by the network team due to my security background, so I can
> get more details from the network team if necessary.
>
> We are simply trying to mimic in the Cisco devices the "Route all
> traffic through this SA" functionality present in the SonicWall devices.
>
> Thoughts?
>
> Jeff
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


--
Best regards,


Julian Dragut
If you knew that you wouldn't fall, how far would you have gone?


------------------------------

Message: 2
Date: Thu, 27 Sep 2007 10:46:59 -0500
From: robbie.jacka@regions.com
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: ez4me2c3d@gmail.com
Cc: "Behm, Jeffrey L." <BehmJL@bv.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>,
michael@wanderingbark.net,
firewall-wizards-bounces@listserv.icsalabs.com
Message-ID:
<OFA7B49552.6383FBD7-ON86257363.0056A27D-86257363.0056B2F2@asocorp.ASO.AMSOUTH.COM>

Content-Type: text/plain; charset=US-ASCII

Caveat: this has only been fixed in 7.2(1) and later, if memory serves.

Robbie


Anthony
<ez4me2c3d@gmail.
com> To
Sent by: Firewall Wizards Security Mailing
firewall-wizards- List
bounces@listserv. <firewall-wizards@listserv.icsalabs
icsalabs.com .com>
cc
"Behm, Jeffrey L." <BehmJL@bv.com>,
09/26/2007 07:33 firewall-wizards-bounces@listserv.i
PM csalabs.com,
michael@wanderingbark.net
Subject
Please respond to Re: [fw-wiz] Issue with replacing
Firewall Wizards SonicWall VPN with Cisco ASA VPN
Security Mailing devices
List
<firewall-wizards
@listserv.icsalab
s.com>


Robbie,
The ASA code 7.x has addressed VPN hairpinning with the
same-security-traffic permit intra-interface command.
I've done it several times with great success. And with proper ACLs and
routes you can direct the traffic where ever you want.

Jeff,
What you are trying to do is possible on the ASAs. You're basically
setting up a hub/spoke vpn model with l2l's between HQ and remote
offices. Cisco.com has documents on how to set this up.

References:
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807f9a89.shtml

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

General Configuration Examples
http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html


Anthony


robbie.jacka@regions.com wrote:
> The biggest possible issue is hairpinning the internet-bound traffic
inside
> of the 5520, not tunneling the traffic back from the 5505s. PIX 6.x has
> traditionally had a problem with this, if I recall correctly, and I'm not
> sure that it's been fixed in PIX 7.x/ASA code
>
> Robbie
>
>
>
>

> Michael Cox

> <michael@wanderin

> gbark.net>
To
> Sent by:
firewall-wizards@listserv.icsalabs.
> firewall-wizards- com

> bounces@listserv.
cc
> icsalabs.com "Behm, Jeffrey L." <BehmJL@bv.com>

>
Subject
> Re: [fw-wiz] Issue with replacing

> 09/26/2007 09:25 SonicWall VPN with Cisco ASA VPN

> AM devices

>

>

> Please respond to

> Firewall Wizards

> Security Mailing

> List

> <firewall-wizards

> @listserv.icsalab

> s.com>

>

>

>
>
>
>
> For clarification, are there clients connecting to the 5505's, or is it
> just a site-to-site setup?
>
> In any case, what you want to do should be possible. When you define the
> ACL for what traffic goes down the tunnel from the branch to the hub,
> simply do "permit ip <LAN network address> <LAN netmask> any". Reverse
> this on the hub.
>
> I'm stumped as to why they think this is a security issue.
>
> Maybe TAC didn't understand what you want to do (or maybe I don't).
>
> Regards,
> Michael
>
> On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:
>
>> Hello Wizards,
>>
>> Our network team is replacing the client's SonicWall devices with
>> Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
>> devices were basically used as VPN endpoints in remote offices to be
>> concentrated back to the corporate HQ. All traffic not destined for
>> the local LAN in the remote offices was sent to the corporate office
>> via the "Route all traffic through this SA" functionality in the
>> SonicWall. This worked well for the environment, but now there is the
>> need to replace these devices, and Cisco ASA devices have been
>> chosen.
>>
>> They are now trying to duplicate that functionality via the Cisco
>> devices, but in talking with Cisco TAC, they say such a configuration
>> is not possible, and even if it were, it would not be a security best
>> practice. Implementation of the Cisco device has broken all Internet
>> connectivity from the remote offices, since the only traffic allowed
>> out to/from the Internet is through HQ (with the exception of the
>> site to site VPN traffic to allow connectivity between remote offices
>> and HQ). Remote offices can see everything on the HQ LAN, because the
>> Cisco device is configured with IP information that allows it to
>> route traffic to HQ.
>>
>> I can see some of Cisco's arguments regarding it not being a security
>> best practice, but in the scenario of centralized management and
>> monitoring of Internet-bound traffic, has anyone successfully
>> configured the Cisco devices to mimic the "Route all traffic through
>> this SA" functionality present in the SonicWall devices? I understand
>> they could open up the Cisco devices to allow traffic out from each
>> office, but that would require monitoring every remote office, and
>> deviates from the centralized monitoring/management path we are
>> currently traversing. I haven't personally been involved in this
>> implementation, but was approached by the network team due to my
>> security background, so I can get more details from the network team
>> if necessary.
>>
>> We are simply trying to mimic in the Cisco devices the "Route all
>> traffic through this SA" functionality present in the SonicWall
>> devices.
>>
>> Thoughts?
>>
>> Jeff
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 25
************************************************

No comments:

Post a Comment