PIX VPN and firewall rules - outbound

James
01-09-2007
Hi all,

I have quite a few PIX site-to-site VPNs. I have always left the
implicit outbound rule on at the top of the firewall rules, just for
simplicity. There is also a checkbox I have ticked, 'bypass access check
for all ipsec traffic'. Well, until today, I decided to lock down my
outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
that, I got a complaint saying the network was down. I was a little
confused by this, as all IPSEC traffic was allowed through the PIX
without a check of the rules. I made this change for 'all non-encrypted
traffic'.

On closer inspection, it appears to me that what 'bypass PIX for IPSEC
traffic' means is that all traffic ENTERING the PIX with IPSEC is
allowed through; nothing says anything about it going out unchecked. So my
understanding is that these VPNs have always worked because of my
implicit outbound rule.

Can anyone clarify this for me?

Also, if my assumption is correct, is there a command to allow all
outgoing traffic that is IPSEC encrypted to leave the firewall without
a check?

Until today, I thought I knew these boxes pretty well, but it appears I
am very wrong.

Kind regards.

James
 
James
01-09-2007
It's OK, I think I was being silly. I just permitted the same groups for
my crypto-maps, outbound with an 'any'.

Cheers

James wrote:
> Hi all,
>
> I have quite a few PIX site-to-site VPNs. I have always left the
> implicit outbound rule on at the top of the firewall rules, just for
> simplicity. There is also a checkbox I have ticked, 'bypass access check
> for all ipsec traffic'. Well, until today, I decided to lock down my
> outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
> that, I got a complaint saying the network was down. I was a little
> confused by this, as all IPSEC traffic was allowed through the PIX
> without a check of the rules. I made this change for 'all non-encrypted
> traffic'.
>
> On closer inspection, it appears to me that what 'bypass PIX for IPSEC
> traffic' means is that all traffic ENTERING the PIX with IPSEC is
> allowed through; nothing says anything about it going out unchecked. So my
> understanding is that these VPNs have always worked because of my
> implicit outbound rule.
>
> Can anyone clarify this for me?
>
> Also, if my assumption is correct, is there a command to allow all
> outgoing traffic that is IPSEC encrypted to leave the firewall without
> a check?
>
> Until today, I thought I knew these boxes pretty well, but it appears I
> am very wrong.
>
> Kind regards.
>
> James

 
Chad Mahoney
01-09-2007
James wrote:
> Hi all,
>
> I have quite a few PIX site-to-site VPNs. I have always left the
> implicit outbound rule on at the top of the firewall rules, just for
> simplicity. There is also a checkbox I have ticked, 'bypass access check
> for all ipsec traffic'. Well, until today, I decided to lock down my
> outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
> that, I got a complaint saying the network was down. I was a little
> confused by this, as all IPSEC traffic was allowed through the PIX
> without a check of the rules. I made this change for 'all non-encrypted
> traffic'.
>
> On closer inspection, it appears to me that what 'bypass PIX for IPSEC
> traffic' means is that all traffic ENTERING the PIX with IPSEC is
> allowed through; nothing says anything about it going out unchecked. So my
> understanding is that these VPNs have always worked because of my
> implicit outbound rule.

> Can anyone clarify this for me?
>
> Also, if my assumption is correct, is there a command to allow all
> outgoing traffic that is IPSEC encrypted to leave the firewall without
> a check?

sysopt ipsec

> Until today, I thought I knew these boxes pretty well, but it appears I
> am very wrong.
>
> Kind regards.
>
> James

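Putting James's fix (permit the crypto-map networks in the outbound rule) and Chad's `sysopt` pointer together, here is an added, constructed PIX 6.x configuration fragment; it is not from the thread or from Cisco documentation, and every name, address and key in it is hypothetical. It shows the two separate controls: the inside interface ACL is evaluated on the cleartext packet before the crypto map encrypts it, so the tunnel's protected networks must be permitted there explicitly, while `sysopt connection permit-ipsec` (the full form of the command Chad refers to; `sysopt connection permit-vpn` on PIX 7.x and ASA) only exempts the decrypted inbound tunnel traffic from the outside interface ACL. The `!` lines are comments for the reader.

```cisco
! Constructed example, not from the thread. PIX 6.x syntax; names and addresses are hypothetical.
! Local LAN 10.1.0.0/24 behind "inside"; remote site LAN 10.2.0.0/24 behind peer 203.0.113.2.

! Crypto ACL: which cleartext traffic is to be encrypted into the site-to-site tunnel.
access-list VPN_TO_SITEB permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! Exempt tunnel traffic from NAT (same match as the crypto ACL).
nat (inside) 0 access-list VPN_TO_SITEB

! Outbound lock-down on the inside interface. This ACL is checked on the cleartext
! packet BEFORE the crypto map sees it, so the tunnel networks must be permitted here.
! A DNS/HTTP-only list (the change described in the thread) silently breaks the VPN.
access-list INSIDE_OUT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list INSIDE_OUT permit udp 10.1.0.0 255.255.255.0 any eq domain
access-list INSIDE_OUT permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list INSIDE_OUT deny ip any any
access-group INSIDE_OUT in interface inside

! IKE phase 1 and IPsec phase 2 for the tunnel.
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITEB 10 ipsec-isakmp
crypto map SITEB 10 match address VPN_TO_SITEB
crypto map SITEB 10 set peer 203.0.113.2
crypto map SITEB 10 set transform-set ESP-3DES-SHA
crypto map SITEB interface outside

! What the 'bypass access check for all ipsec traffic' checkbox sets: DECRYPTED traffic
! arriving through the tunnel skips the outside interface ACL. It has no effect on
! traffic leaving inside->outside, which is why INSIDE_OUT needs the explicit permit.
sysopt connection permit-ipsec
```

If the outbound permit for the tunnel networks is left out, `show crypto ipsec sa` shows no packets being encapsulated for that peer even though IKE may still come up, which is the symptom to look for when a lock-down "takes the network down".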
 