Velocity Reviews - Computer Hardware Reviews
Quick scenario on PIX (initiator, responder only)

Bidibule
02-06-2006
Hello,

Site A, 10.10.10.0/24
Site B, 192.168.10.0/24

Sites A and B: PIX 506, 6.3.5

Building a VPN from A to B, ok... but there is nothing preventing B from
getting to services located on A.

Is it possible to have A initiating only to B and B never initiating
anything to A? Where do you code things like that?

Thank you

Bidibule
Walter Roberson
02-06-2006
In article <ds7rhu$a82$(E-Mail Removed)>, Bidibule <(E-Mail Removed)> wrote:
>Site A, 10.10.10.0/24
>Site B, 192.168.10.0/24
>
>Sites A and B: PIX 506, 6.3.5
>
>Building a VPN from A to B, ok... but there is nothing preventing B from
>getting to services located on A.
>
>Is it possible to have A initiating only to B and B never initiating
>anything to A? Where do you code things like that?

If A does any UDP to B then the restriction you request
has a risk of loss of functionality; if a "reply" from B might ever
take longer than the UDP timeout, then the "reply" will be blocked.
Such problems *will* occur with Microsoft Exchange for example.

If A does any icmp or GRE (e.g., PPTP) or any other IP protocol to B
other than UDP or TCP, then the restriction you request *will* result in
loss of functionality.

If A's connections to B are strictly TCP then the restriction can be
safely implemented.

To implement: turn off "sysopt connection permit-ipsec". When
permit-ipsec is not active, all incoming IPSec VPN traffic is
decapsulated but then must pass through the outside interface's
access controls, just as if it were traffic from the internet;
similarly, when permit-ipsec is not active, all outgoing IPSec VPN
traffic must pass through any inside interface access controls before
being encapsulated.
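As an added example (not part of the original thread, and not a configuration posted by either participant), here is what the approach described in the reply above could look like on Site A's PIX in 6.3 syntax. The peer address 203.0.113.2, the access-list and crypto-map names, and the pre-shared key are placeholders; the transform set and ISAKMP policy are illustrative choices, not anything the thread specifies. The reason a TCP-only policy is safe once permit-ipsec is off is that the PIX's stateful inspection already admits the return half of a connection that A opened, so the outside ACL needs no permit for B's replies; it only needs to contain no permit for new connections from B. Note that "sysopt connection permit-ipsec" is global, so turning it off subjects every tunnel terminating on that PIX to the interface ACLs, not just this one.

```cisco
! Site A: PIX 506, PIX OS 6.3(5)  (example configuration, names and peer are assumptions)
! inside  = 10.10.10.0/24, remote site B = 192.168.10.0/24, peer 203.0.113.2 (placeholder)

! Interesting traffic for the tunnel, and exempt it from NAT
access-list VPN_TRAFFIC permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC

! Inside ACL: only TCP from A is allowed toward B before encapsulation.
! (PIX 6.3 ACLs are applied in the inbound direction on each interface.)
access-list INSIDE_IN permit tcp 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list INSIDE_IN deny   ip  10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list INSIDE_IN permit ip  10.10.10.0 255.255.255.0 any
access-group INSIDE_IN in interface outside
access-group INSIDE_IN in interface inside

! Outside ACL: decapsulated packets from B are checked here once permit-ipsec is off.
! There is deliberately no permit for B -> A; the explicit deny only adds logging.
! TCP replies to connections A opened are matched by the PIX connection table, not this ACL.
access-list OUTSIDE_IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-group OUTSIDE_IN in interface outside

! The key change from the reply above: stop bypassing the interface ACLs for IPsec traffic
no sysopt connection permit-ipsec

! Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN_TRAFFIC
crypto map VPN 10 set peer 203.0.113.2
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN interface outside

! Phase 1 (pre-shared key is a placeholder)
isakmp enable outside
isakmp key REPLACE_WITH_REAL_KEY address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

One of the two "access-group INSIDE_IN" lines above is a mistake only if you copy both: a 6.3 interface takes a single inbound access-group, so apply INSIDE_IN to inside and OUTSIDE_IN to outside, as the comments say. After the change, open a TCP connection from A to B and an attempt in the other direction, then check "show access-list" hit counts on OUTSIDE_IN and "show crypto ipsec sa" encaps/decaps counters: B's attempt should increment the deny entry while A's connection and its replies flow normally. The caveats in the reply still apply: anything UDP, ICMP or GRE from A to B is now subject to the PIX's idle timeouts rather than the tunnel bypass.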