Velocity Reviews - Computer Hardware Reviews

VPN and blocking ports

 
 
Shawn H. Mesiatowsky
11-22-2004
I have just set up our network composed of the following: our main office has
a Pix 515 that is used for NAT and VPN for remote users and VPN for our
satellite office, which has a Pix 505. Our main office has our mail servers
and web servers that must communicate with the internet, and our satellite
office has servers that only communicate with our main office. I need to
block all unnecessary ports between the two offices (that use VPN) and I need
to block all ports for remote users (except port 3389) that connect using
VPN. Upon reading some information on the net and reading some posts here I
thought of a way. I am currently using the sysopt connection permit-ipsec
command, but it seems like I should not, and I should put access lists on the
inside and outside interfaces. I currently do not have any access lists on
the interfaces. Will NAT also send out any broadcast messages destined
outside our subnet? If I put an access list on the inside interface will it
stop this? If I put an access list on the outside interface do I need to
specify the ports for the Cisco VPN software and if so, which ports are
they? Thanks for your help

Sincerely,
Shawn H. Mesiatowsky


 
Walter Roberson
11-22-2004
In article <(E-Mail Removed)>,
Shawn H. Mesiatowsky <(E-Mail Removed)> wrote:
:I have just set up our network composed of the following: our main office has
:a Pix 515 that is used for NAT and VPN for remote users and VPN for our
:satellite office, which has a Pix 505. Our main office has our mail servers
:and web servers that must communicate with the internet, and our satellite
:office has servers that only communicate with our main office. I need to
:block all unnecessary ports between the two offices (that use VPN) and I need
:to block all ports for remote users (except port 3389) that connect using
:VPN. Upon reading some information on the net and reading some posts here I
:thought of a way. I am currently using the sysopt connection permit-ipsec
:command, but it seems like I should not, and I should put access lists on the
:inside and outside interfaces. I currently do not have any access lists on
:the interfaces.

Removing permit-ipsec and putting in explicit access-groups is a good
idea in any situation in which users clearly understand that
security will sometimes interfere with convenience. It can, though,
lead to awful fights in situations where users feel that they have
the "right" to access whatever content they want whenever they
want, and that they shouldn't have to ask even once.

Universities are apparently quite bad that way: professors don't
hesitate to drag in department heads and deans, and threaten to take
their grant funded work elsewhere and to discourage people from
agreeing to take positions... It's a rare university in which the
university Senate or Board of Regents is prepared to step up and say
"Your desire to avoid security is risking the computing infrastructure
of the entire university. The security *will* be implemented, and if
you aren't prepared to live with that, then you can resign and we'll
appoint your rival to your position."

:Will NAT also send out any broadcast messages destined
:outside our subnet?

No. The PIX will not forward broadcasts. (Multicast is a different
matter.)


:If I put an access list on the inside interface will it
:stop this? If I put an access list on the outside interface do I need to
:specify the ports for the Cisco VPN software and if so, which ports are
:they? Thanks for your help

An access-group applied to the inside interface will only affect
new flows going to outside, and the access-list will be ignored
for VPN traffic if you have the permit-ipsec option turned on.
If your outside ACL permits new connections from the other
side or if you have permit-ipsec turned on, then the adaptive
security algorithm will dynamically modify the access lists
to permit return traffic from the inside.

You could, in theory, work just with deny ACLs on the inside
interfaces of the 515 and 506 (and with permit-ipsec turned off),
but if you do so then there is always a risk that one of the
ACLs will get accidentally removed, or will be out of synchronization
with the ACL on the other side, and then you will end up with
traffic travelling over the link that you don't really want the
other side to accept. It is safer to deny unwanted VPN traffic
on both your inside ACL and your outside ACL.
--
Warning: potentially contains traces of nuts.
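The layout the reply recommends (permit-ipsec turned off, remote users limited to TCP 3389, and the unwanted site-to-site traffic denied on both the inside and the outside ACL) written out as a PIX 6.3 configuration fragment for the main-office 515. This is an added example, not configuration from either poster. Every address, ACL name and application port in it is constructed: the main-office LAN, the satellite LAN, the remote-user address pool, the terminal server and the public server addresses are all placeholders, and `eq smtp` stands in for whatever ports the satellite servers actually need. It assumes PIX 6.3 syntax (the `log` and `remark` keywords) and that the tunnel itself is already configured.

```cisco
! Added example, not from the thread. Constructed addresses:
!   10.10.0.0/24  main-office LAN (behind this PIX 515)
!   10.20.0.0/24  satellite LAN (reached over the site-to-site tunnel)
!   10.30.0.0/24  pool handed out to Cisco VPN Client users
!   10.10.0.5     terminal server, the only host remote users may reach
!   203.0.113.10 / .11  public addresses of the web and mail servers

! 1. Stop decrypted IPsec traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

! 2. Keep the VPN networks out of the NAT pool so the tunnels carry
!    private addresses end to end (identity NAT via nat 0).
access-list nonat permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat permit ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Outside interface. With permit-ipsec off, decrypted tunnel traffic is
!    checked here, so this ACL is what limits what the far side can start.
access-list outside_in remark -- remote users: RDP to the terminal server, nothing else
access-list outside_in permit tcp 10.30.0.0 255.255.255.0 host 10.10.0.5 eq 3389
access-list outside_in deny ip 10.30.0.0 255.255.255.0 any log
access-list outside_in remark -- satellite: only the ports its servers need (placeholder port)
access-list outside_in permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq smtp
access-list outside_in deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 log
access-list outside_in remark -- Internet-facing servers (static NAT entries omitted)
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-group outside_in in interface outside

! 4. Inside interface. Only new flows from main-office hosts are evaluated
!    here; return traffic for permitted flows is allowed dynamically.
!    Repeating the deny on this side is the "both ACLs" point in the reply:
!    if the satellite's ACL is removed or drifts out of sync, this PIX
!    still refuses to send the traffic.
access-list inside_out remark -- main office to satellite: only what those servers need
access-list inside_out permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq smtp
access-list inside_out deny ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 log
access-list inside_out remark -- main office never initiates toward remote-user clients
access-list inside_out deny ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.255.0 log
access-list inside_out permit ip 10.10.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

Two practitioner notes on the part of the question the reply does not address. First, the interface ACLs govern traffic passing through the PIX; the IKE (UDP 500) and ESP (IP protocol 50, or UDP 4500 with NAT traversal) packets from the VPN clients terminate on the PIX itself, so they do not need entries in `outside_in`. Second, the `log` keyword on the deny lines is what turns an out-of-sync ACL on the far side into a visible syslog entry rather than silently dropped traffic, which is the cheapest way to notice the drift the reply warns about. The satellite 506 gets the mirror image of this configuration with the source and destination networks swapped.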
 