Need some guidance on IPsec firewall rules
After several days of trial and error, I have now got an IPsec tunnel up, connecting to a Cisco firewall at a supplier. There are some issues if the Cisco end brings up the tunnel, but if I initiate the link, it seems rock solid.
My query is on the adding of the necessary firewall rules to lock down the traffic allowed onto my network from the VPN tunnel.
Currently, I have a couple of rules on my WAN interface that let through UDP/500 and UDP/4500 packets so that the remote end can initiate the link if necessary.
IPv4 UDP * * WAN address 4500 (IPsec NAT-T) * none IPsec VPN
IPv4 UDP * * WAN address 500 (ISAKMP) * none IPsec VPN
I also have a completely open rule on the IPsec tab to allow all traffic over the IPsec link.
IPv4 * * * * * * none Supplier IPsec vpn
What I would really like to do is lock down the traffic that can get onto my local network from the supplier network over the IPsec link. I can't work out whether the rule should go on the LAN tab (I think this is favourite based on my readings of previous posts), or on the WAN tab, or whether I should amend the rule on the IPsec tab to be more closely controlled.
My network: 192.168.111.0/24
Supplier network: 172.16.5.0/24
I only want the supplier network to be able to talk with a single host on my local network, 192.168.111.4.
I'm thinking I need something like the following rule, but I don't know exactly where to put it, assuming it is correct in what I am trying to achieve.
(Rule is set up as BLOCK)
x IPv4 * 172.16.5.0/24 * ! 192.168.111.4 * * none Only allow remote network to access single local host
I read this rule as follows:
Block any packet from the supplier network (by definition over the IPsec VPN) that isn't destined for the desired single host on my network.
Is this rule correct?
Which firewall rules tab should I put it on? LAN? WAN? IPsec?
The first thing to remember is that the firewall is a default "block all", therefore you only need to allow access from their hosts to your one.
(Rule is set up as BLOCK)
x IPv4 * 172.16.5.0/24 * ! 192.168.111.4 * * none Only allow remote network to access single local host
Block any packet from the supplier network (by definition over the IPsec VPN) that isn't destined for the desired single host on my network
Second is to remember that rules apply on INBOUND connections, thus you want a rule like this on your IPSEC interface.
Thus, the pseudo-code would read:
"allow all traffic from 172.16.5.0/24 to 192.168.111.4"
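
The rule sets discussed in this thread, run through a simplified first-match evaluator with a default deny (an added example, not part of either post and not pfSense's own code). The rule-set names, the sample packets and the top-down, first-match ordering are assumptions of this model.

```python
# Simplified model of per-interface rule evaluation (added example, not pfSense code).
# Assumptions: rules are checked top-down, the first match decides, and a
# packet that matches no rule is dropped (the default "block all").
from ipaddress import ip_address, ip_network

SUPPLIER = "172.16.5.0/24"
HOST = "192.168.111.4/32"

def matches(spec, addr):
    """spec is '*', a CIDR, or '!CIDR' (negated, like the '!' in the rule table)."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"))
    return inside != negate

def evaluate(rules, src, dst):
    """Return 'pass' or 'block' for a packet arriving on the interface."""
    for action, rule_src, rule_dst in rules:
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "block"  # default deny: nothing matched

# Rule sets for the IPsec tab, as (action, source, destination).
OPEN_RULE = [("pass", "*", "*")]                                    # current open rule
BLOCK_THEN_OPEN = [("block", SUPPLIER, "!" + HOST), ("pass", "*", "*")]
BLOCK_ONLY = [("block", SUPPLIER, "!" + HOST)]                      # block rule with no pass rule
SINGLE_PASS = [("pass", SUPPLIER, HOST)]                            # the rule from the reply

# Constructed sample packets: (source, destination).
PACKETS = [
    ("172.16.5.20", "192.168.111.4"),   # supplier -> permitted host
    ("172.16.5.20", "192.168.111.50"),  # supplier -> another LAN host
    ("10.9.9.9", "192.168.111.50"),     # source outside the supplier range
]

def verdicts(rules):
    """Evaluate every sample packet against one rule set."""
    return [evaluate(rules, s, d) for s, d in PACKETS]

if __name__ == "__main__":
    for name, rules in [("open", OPEN_RULE), ("block+open", BLOCK_THEN_OPEN),
                        ("block only", BLOCK_ONLY), ("single pass", SINGLE_PASS)]:
        print(f"{name:12} {verdicts(rules)}")
```

In this model the block rule on its own passes nothing, because a block rule never permits traffic and the default deny drops whatever is left, while the single pass rule admits only supplier traffic to 192.168.111.4.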