Can anyone confirm if a VPN tunnel that terminates at a vShield Edge can have firewall rules applied?
We want to establish a tunnel from a third party but restrict the IPs and ports that the VPN traffic can access.
In addition to this, can firewall rules apply for traffic leaving our network and going back down the tunnel so that we restrict access to endpoints on their network?
Thanks for any help!
Yes, you can build VPN tunnels with VSE, but there are two issues. First, the tunnel(s) will not be stable. Our experience has shown that tunnels that terminate on both Cisco ASA and SonicWall devices have proven unreliable. They do negotiate initially, but seem to randomly go down and re-negotiate. In both cases, we replaced VSE with hardware-based firewalls and the problems went away immediately. There is no way that VSE should be considered "production ready". The other issue with VSE is the incredibly tedious UI. For example, there is no "bypass filters" option for VPN tunnels; you must explicitly detail the traffic which is allowed through. With static NAT in place, you must also create two rules for every traffic flow: one "into" the external IP and one "out of" the internal IP. There is no way to copy rules, either, so maintaining the rule base is a nightmare. Lastly, in a multi-tenant environment, there is no way to back up the rule base for a single VSE... it is an all-or-nothing proposition.
My advice: RUN, as fast as you can, away from VSE.
We have used vShield 5.0.1 to stand up site-to-site IPsec VPNs with Cisco PIX/ASA, other Edges and Cisco IOS-based devices with various IOS/Finesse releases, in a live environment and in the lab, with no issues we couldn't overcome.
You can firewall what goes down the VPN tunnel, i.e. from inside the Edge to the remote site, but as of vShield Edge 5.0.1 the default for traffic out of an interface is permit, so you have to use inbound rules on "inside" to determine what goes from inside the Edge to the remote peer.
I.e. there is no need for the double firewall rule anymore. You can see this if you console into an Edge and view the iptables chain "usr_vpn_out" with the CLI command "show iptables filter". You will see that the default rule generated for the default policy is now ACCEPT, not DROP.
You can firewall traffic coming from the remote site to VMs behind your vShield Edge by applying inbound rules on the VPN interface.
I would highly recommend a book on Openswan, which is what I believe Edge uses for IPsec VPN, as this will give you additional knowledge to fault-find VPN issues you may come across, help with error codes, and help you understand the Edge IPsec config.
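The answer above suggests confirming the effective default of the "usr_vpn_out" chain by reading the Edge's iptables filter table. The following is an added example, not code from either poster or from VMware: a small parser that takes standard `iptables -L -n` style text and reports, per chain, the policy (for built-in chains) or the first catch-all terminal rule (for user chains such as usr_vpn_out), plus any rules that sit after that catch-all and can therefore never match. It assumes the Edge's "show iptables filter" output follows the usual `iptables -L -n` layout; the sample output embedded below is constructed, and the chain name "usr_vpn_in" and all addresses are hypothetical.

```python
"""Parse iptables -L -n style output and report each chain's effective
default action and any shadowed (unreachable) rules.

Added example, not vShield Edge's own code. SAMPLE is a constructed
imitation of `iptables -L -n` output; "usr_vpn_out" is the chain named
in the thread, "usr_vpn_in" and the addresses are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Chain NAME (policy ACCEPT)" for built-in chains,
# "Chain NAME (N references)" for user-defined chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end evaluation


@dataclass
class Rule:
    target: str
    prot: str
    src: str
    dst: str
    extra: str = ""  # trailing match text, e.g. "tcp dpt:443"

    def is_catch_all(self) -> bool:
        """True if the rule matches every packet (no proto/addr/extra match)."""
        return (self.prot in ("all", "0") and self.src == "0.0.0.0/0"
                and self.dst == "0.0.0.0/0" and not self.extra)


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_iptables(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -n` output into Chain objects keyed by name."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("target") or current is None:
            continue  # column header, or text before the first chain
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        current.rules.append(Rule(target, prot, src, dst, extra))
    return chains


def effective_default(chain: Chain) -> str:
    """What happens to traffic no specific rule matched.

    Built-in chains: their policy. User chains: the first catch-all
    terminal rule; if there is none, evaluation RETURNs to the caller.
    """
    if chain.policy:
        return chain.policy
    for r in chain.rules:
        if r.is_catch_all() and r.target in TERMINAL:
            return r.target
    return "RETURN"


def shadowed_rules(chain: Chain) -> List[int]:
    """Indices of rules placed after a catch-all terminal rule (dead rules)."""
    for i, r in enumerate(chain.rules):
        if r.is_catch_all() and r.target in TERMINAL:
            return list(range(i + 1, len(chain.rules)))
    return []


# Constructed sample, modelled on `iptables -L -n` formatting.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain usr_vpn_out (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain usr_vpn_in (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.0/24         10.0.0.5             tcp dpt:443
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  192.0.2.0/24         10.0.0.5             udp dpt:53
"""

if __name__ == "__main__":
    for name, chain in parse_iptables(SAMPLE).items():
        print(f"{name}: default={effective_default(chain)} "
              f"shadowed={shadowed_rules(chain)}")
```

Run against the constructed sample it reports usr_vpn_out as defaulting to ACCEPT (the behaviour the answer describes for 5.0.1) and flags the third rule of usr_vpn_in as unreachable, which is the kind of mistake that is easy to make when the UI offers no way to copy or reorder rules.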