CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules - VPN Group Policy

Information

Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.

Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.

Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

Solution

Step 1: Configure the ACL to restrict VPN traffic.

ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.12 eq http
ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.13 eq smtp
ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp
ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp-data
ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.y host 192.168.1.15 eq domain
ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.16 eq sqlnet
ASA(config)# access-list RESTRICT_VPN extended deny ip any any log
ASA(config)# exit

Step 2: Apply the VPN filter to the applicable group policy as shown in the example below.

ASA(config)# group-policy VPN_POLICY attributes
ASA(config-group-policy)# vpn-filter value RESTRICT_VPN
ASA(config-group-policy)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y22M04_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(1), CAT|II, CCI|CCI-000067, Rule-ID|SV-239854r665848_rule, STIG-ID|CASA-FW-000030, Vuln-ID|V-239854

Plugin: Cisco

Control ID: e504aa78981c8dfaf6d492d298c4a956af3998bc2a589024b404dbc7eece35c9