
Accessing different resources depending on the user connected via L2TP

Publication Date: 2015-12-08
Issue Description

The customer asked how each user connecting to the VPN (L2TP or L2TP over IPSec) can be given access to different resources in the network, or, depending on the case, be denied different resources. To meet this requirement I used the topology below and, for test purposes, two users:

- For the user cse1, the goal is to deny ICMP into the TRUST zone but permit all other traffic.

- For the user cse2, the goal is to deny TELNET into the TRUST zone but permit all other traffic.


PC(13.1.1.2)-------------(13.1.1.1)Switch(12.1.1.2)----------(12.1.1.1)USG


L2TP configuration:


#
interface Virtual-Template2
 ppp authentication-mode chap pap
 ip address 192.168.96.2 255.255.224.0
 remote address pool 2
 undo service-manage enable
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 2
#
interface GigabitEthernet1/0/5
 ip address 12.1.1.1 255.255.255.0
 undo service-manage enable
#
aaa
 domain italy
  dns primary-ip 10.125.30.25
  service-type access internet-access
  ip pool 2 192.168.96.5 192.168.96.15
  reference user current-domain
  new-user deny-authentication
#

 



Solution

I used the configuration below in the security-policy view to meet the customer's requirement. The two user-specific deny rules are listed first, ahead of the broad italy_inbound permit, so that they are matched before it:


Note: 192.168.64.5 is a switch in the TRUST zone.

 

 rule name cse_policy1
  source-zone untrust
  destination-zone trust
  service telnet
  user cse2@italy
  action deny          //deny user cse2@italy access to anything in the TRUST zone using telnet
 rule name cse_policy
  policy logging
  source-zone untrust
  destination-zone trust
  service icmp
  user cse1@italy
  action deny          //deny user cse1@italy access to anything in the TRUST zone using icmp
 rule name italy_inbound
  source-zone untrust
  destination-zone trust
  source-address 192.168.96.0 mask 255.255.224.0
  destination-address 192.168.64.0 mask 255.255.224.0
  action permit
 rule name italy_outbound
  source-zone trust
  destination-zone untrust
  source-address 192.168.64.0 mask 255.255.224.0
  destination-address 192.168.96.0 mask 255.255.224.0
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  action permit
 rule name local_untrust
  source-zone local
  destination-zone untrust
  action permit

 

 

#
auth-policy
 rule name test
  source-zone untrust
  destination-zone trust
  action auth
#
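To make the matching logic explicit, the following Python model (an added example, not code from the page or from Huawei) replays the rules above with first-match semantics, reproduces the four results from the test section, and shows what happens if the two user-based deny rules are placed after the italy_inbound permit: they are shadowed and never hit, which is what the rule order in the display security-policy output (cse_policy1 and cse_policy listed before italy_inbound) prevents. The Rule, evaluate and vpn_packet names, and the flow fields, are assumptions of this model; the user field stands for the identity that the auth-policy binds to the flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    # One security-policy rule; a None condition means "any".
    name: str
    action: str                           # "permit" or "deny"
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    service: Optional[str] = None         # "icmp", "telnet", ...
    user: Optional[str] = None            # "cse1@italy", ...
    source_address: Optional[str] = None  # CIDR, e.g. "192.168.96.0/19"
    destination_address: Optional[str] = None
    hits: int = 0                         # mirrors the HITTED column

    def matches(self, pkt: dict) -> bool:
        exact = [(self.source_zone, pkt["source_zone"]),
                 (self.destination_zone, pkt["destination_zone"]),
                 (self.service, pkt["service"]),
                 (self.user, pkt["user"])]
        if any(want is not None and want != got for want, got in exact):
            return False
        for want, got in ((self.source_address, pkt["src"]),
                          (self.destination_address, pkt["dst"])):
            if want is not None and ip_address(got) not in ip_network(want):
                return False
        return True


def evaluate(rules, pkt):
    # First match wins; unmatched traffic falls to the default deny rule.
    for rule in rules:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, rule.name
    return "deny", "default"


def page_rules():
    # Rules from the Solution section in configured order; mask 255.255.224.0 is /19.
    return [
        Rule("cse_policy1", "deny", "untrust", "trust",
             service="telnet", user="cse2@italy"),
        Rule("cse_policy", "deny", "untrust", "trust",
             service="icmp", user="cse1@italy"),
        Rule("italy_inbound", "permit", "untrust", "trust",
             source_address="192.168.96.0/19",
             destination_address="192.168.64.0/19"),
        Rule("italy_outbound", "permit", "trust", "untrust",
             source_address="192.168.64.0/19",
             destination_address="192.168.96.0/19"),
        Rule("untrust_local", "permit", "untrust", "local"),
        Rule("local_untrust", "permit", "local", "untrust"),
    ]


def misordered_rules():
    # Same rules with the broad permit moved ahead of the user-specific
    # denies: the denies are shadowed and never hit.
    rules = page_rules()
    return [rules[2], rules[0], rules[1]] + rules[3:]


def vpn_packet(user, service, src="192.168.96.5", dst="192.168.64.5"):
    # Constructed flow from an L2TP pool address into the TRUST zone; the
    # user field is the identity the auth-policy binds to the flow.
    return {"source_zone": "untrust", "destination_zone": "trust",
            "service": service, "user": user, "src": src, "dst": dst}


def run_page_tests(rules):
    # Replay the four checks from the Test results section.
    cases = [("cse1@italy", "icmp"), ("cse1@italy", "telnet"),
             ("cse2@italy", "icmp"), ("cse2@italy", "telnet")]
    return {case: evaluate(rules, vpn_packet(*case)) for case in cases}
```

Comparing the hits on page_rules() with those on misordered_rules() after a run is the quickest way to spot a shadowed deny rule before trusting a policy.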

 

Test results:

user: cse1@italy

C:\Users\user\Desktop>ping 192.168.64.5          //ping is not working. Security policy "cse_policy" is matched.

Pinging 192.168.64.5 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.64.5:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

-------------------------------------------------------------------------------
HRP_A<R5_U13_USG6650>display security-policy all
23:30:07  2015/10/30
Total:17
RULE ID RULE NAME                      STATE      ACTION             HITTED
-------------------------------------------------------------------------------
0       default                        enable     deny               510
1       21.166.167                     disable    permit             0
2       Windows Update Disable         disable    deny               0
21      cse_policy1                    enable     deny               0
18      cse_policy                     enable     deny               6
13      italy_inbound                  enable     permit             1
14      italy_outbound                 enable     permit             0
15      untrust_local                  enable     permit             3
16      local_untrust                  enable     permit             0
3       no play game                   disable    deny               0
4       no p2p file                    disable    deny               0
5       no video and music             disable    deny               0
6       file update                    disable    permit             0
7       18.4.2015                      disable    permit             0
8       Windows Update not Disable     enable     -                  0
11      255                            enable     permit             0
17      ipsec_italy                    enable     permit             0
-------------------------------------------------------------------------------

C:\Users\user\Desktop>

 

After resetting the counters, I ran another test, this time with telnet:

 

C:\Users\user\Desktop>telnet 192.168.64.5        //telnet command was working. Security policy "cse_policy" no longer matched.

-------------------------------------------------------------------------------
HRP_A<R5_U13_USG6650>display security-policy all
23:28:53  2015/10/30
Total:17
RULE ID RULE NAME                      STATE      ACTION             HITTED
-------------------------------------------------------------------------------
0       default                        enable     deny               247
1       21.166.167                     disable    permit             0
2       Windows Update Disable         disable    deny               0
21      cse_policy1                    enable     deny               0
18      cse_policy                     enable     deny               0
13      italy_inbound                  enable     permit             1
14      italy_outbound                 enable     permit             0
15      untrust_local                  enable     permit             2
16      local_untrust                  enable     permit             0
3       no play game                   disable    deny               0
4       no p2p file                    disable    deny               0
5       no video and music             disable    deny               0
6       file update                    disable    permit             0
7       18.4.2015                      disable    permit             0
8       Windows Update not Disable     enable     -                  0
11      255                            enable     permit             0
17      ipsec_italy                    enable     permit             0
-------------------------------------------------------------------------------

 

 

user: cse2@italy

C:\Users\user\Desktop>ping 192.168.64.5          //ping is working. Security policy "cse_policy1" not matched.

Pinging 192.168.64.5 with 32 bytes of data:
Reply from 192.168.64.5: bytes=32 time=2ms TTL=254
Reply from 192.168.64.5: bytes=32 time=100ms TTL=254
Reply from 192.168.64.5: bytes=32 time=2ms TTL=254
Reply from 192.168.64.5: bytes=32 time=22ms TTL=254

Ping statistics for 192.168.64.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 100ms, Average = 31ms

-------------------------------------------------------------------------------
HRP_A<R5_U13_USG6650>display security-policy all
23:27:07  2015/10/30
Total:17
RULE ID RULE NAME                      STATE      ACTION             HITTED
-------------------------------------------------------------------------------
0       default                        enable     deny               238
1       21.166.167                     disable    permit             0
2       Windows Update Disable         disable    deny               0
21      cse_policy1                    enable     deny               0
18      cse_policy                     enable     deny               0
13      italy_inbound                  enable     permit             1
14      italy_outbound                 enable     permit             0
15      untrust_local                  enable     permit             8
16      local_untrust                  enable     permit             0
3       no play game                   disable    deny               0
4       no p2p file                    disable    deny               0
5       no video and music             disable    deny               0
6       file update                    disable    permit             0
7       18.4.2015                      disable    permit             0
8       Windows Update not Disable     enable     -                  0
11      255                            enable     permit             0
17      ipsec_italy                    enable     permit             0
-------------------------------------------------------------------------------

                                                                                                                                    

C:\Users\user\Desktop>telnet 192.168.64.5        //telnet is not working. Security policy "cse_policy1" is matched.

-------------------------------------------------------------------------------
HRP_A<R5_U13_USG6650>display security-policy all
23:27:41  2015/10/30
Total:17
RULE ID RULE NAME                      STATE      ACTION             HITTED
-------------------------------------------------------------------------------
0       default                        enable     deny               355
1       21.166.167                     disable    permit             0
2       Windows Update Disable         disable    deny               0
21      cse_policy1                    enable     deny               2
18      cse_policy                     enable     deny               0
13      italy_inbound                  enable     permit             1
14      italy_outbound                 enable     permit             0
15      untrust_local                  enable     permit             9
16      local_untrust                  enable     permit             0
3       no play game                   disable    deny               0
4       no p2p file                    disable    deny               0
5       no video and music             disable    deny               0
6       file update                    disable    permit             0
7       18.4.2015                      disable    permit             0
8       Windows Update not Disable     enable     -                  0
11      255                            enable     permit             0
17      ipsec_italy                    enable     permit             0
-------------------------------------------------------------------------------



