PIX 506E, VPN and access restriction

Discussion in 'Cisco' started by Thomas, Dec 13, 2006.

  1. Thomas

    Thomas Guest

    Hello,

    I have a PIX 506E which handles different VPN connections to different
    partners. All VPN connections are site-to-site networks; on the remote
    side there are different VPN devices.

    I have a problem with the access rules. On one remote side there is also
    a PIX 506E. I allowed only ICMP to one host from outside to inside, but it
    is also possible to build TCP connections to this host (and I see them
    in syslog) although there is no access rule allowing this.

    It is only in that case where on the remote side there is a PIX 506E. All
    other configs work fine and only the connections I allowed are possible. I
    don't have the config of this remote PIX.

    Has anybody an idea why these connections are possible, although I
    didn't allow them on my side?

    Thanks

    Thomas
    Thomas, Dec 13, 2006
    #1

  2. In article <4580448e$0$27620$-online.net>,
    Thomas <> wrote:

    >I have a PIX 506E which handles different VPN connections to different
    >partners. All VPN connections are site-to-site networks; on the remote
    >side there are different VPN devices.

    >I have a problem with the access rules. On one remote side there is also
    >a PIX 506E. I allowed only ICMP to one host from outside to inside, but it
    >is also possible to build TCP connections to this host (and I see them
    >in syslog) although there is no access rule allowing this.


    How do you have that configured?

    If you have configured your crypto map to permit icmp only instead
    of IP, then you might find that icmp is being promoted into full IP
    as older PIX versions could not control the tunnel parameters in
    detail (support for detailed control is an optional part of the IPSec
    standards.) If you have sysopt connection permit-ipsec then more
    could get through than you might expect from the crypto map acl.

    To be certain that only what you want will be permitted through the
    tunnel, do not use permit-ipsec, and instead configure ACLs
    on your inside and outside interfaces. If you do that, then some
    unwanted traffic might get through the tunnel to you, but your
    outside ACL would drop the traffic before it got any further.
    Walter Roberson, Dec 13, 2006
    #2

  3. Thomas

    Thomas Guest

    Walter Roberson wrote:

    > How do you have that configured?


    I did it with a normal outside_access_in statement.

    >
    > If you have configured your crypto map to permit icmp only instead
    > of IP, then you might find that icmp is being promoted into full IP
    > as older PIX versions could not control the tunnel parameters in
    > detail (support for detailed control is an optional part of the IPSec
    > standards.)


    In my crypto map I allowed IP completely, because I want to have certain TCP
    and UDP connections later. I want to control these connections by an
    outside_access_in statement.

    access-list outside_cryptomap_80 permit ip object-group
    internal_networks remoteNET 255.255.255.0

    PIX version is 6.3(5).




    > If you have sysopt connection permit-ipsec then more
    > could get through than you might expect from the crypto map acl.


    This I have in my config.

    >
    > To be certain that only what you want will be permitted through the
    > tunnel, do not use permit-ipsec, and instead configure ACLs
    > on your inside and outside interfaces.


    i.e. I have to build an ACL to accept VPN traffic on the outside interface?

    > If you do that, then some
    > unwanted traffic might get through the tunnel to you,

    That's no problem.

    > but your
    > outside ACL would drop the traffic before it got any further.

    That sounds good.
    Thomas, Dec 13, 2006
    #3
  4. In article <458061b9$0$27620$-online.net>,
    Thomas <> wrote:
    >Walter Roberson wrote:


    >PIX version is 6.3(5).


    >> If you have sysopt connection permit-ipsec then more
    >> could get through than you might expect from the crypto map acl.


    >This I have in my config.


    >> To be certain that only what you want will be permitted through the
    >> tunnel, do not use permit-ipsec, and instead configure ACLs
    >> on your inside and outside interfaces.


    >i.e. I have to build an ACL to accept VPN traffic on the outside interface?


    Right, build the appropriate lines into your existing ACL applied
    to the outside interface to control traffic that is received.
    The outside ACL will be applied to incoming VPN traffic after
    the traffic is decapsulated, but before NAT translation.
    If you have a standard configuration in which you have used
    "nat (inside) 0 access-list" then this would imply that your outside
    ACL should be written with the source being the private IPs of the
    remote systems and the destinations being the private IPs of the
    local systems.

    You can also control the traffic that is sent by using an ACL on
    your inside interface. The ACL will be applied to outgoing VPN
    traffic before NAT and before encapsulation.
    Walter Roberson, Dec 14, 2006
    #4
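    The configuration change Walter describes, written out as an added example (not a config from the thread or from Cisco documentation). The ACL names outside_access_in and outside_cryptomap_80 and the object group internal_networks are taken from the thread; the addresses (local host 10.1.1.10, remote LAN 192.168.80.0/24), the crypto map name outside_map and the nat 0 ACL name inside_nat0_outbound are assumed placeholders. The first block is the weak state from post #3, the second is the corrected state: the crypto-map ACL still says "permit ip" because it only selects what is encrypted, while the outside ACL, written with private addresses because nat 0 exempts the tunnel from NAT, decides what is allowed in.

```cisco
! Added example, not from the thread. Assumed values: 10.1.1.10 (local host),
! 192.168.80.0/24 (remote LAN), crypto map "outside_map", ACL "inside_nat0_outbound".

! --- Before: sysopt bypasses the interface ACL for decrypted VPN traffic ---
sysopt connection permit-ipsec
access-list outside_access_in permit icmp 192.168.80.0 255.255.255.0 host 10.1.1.10
access-group outside_access_in in interface outside
! Result: outside_access_in is never consulted for traffic arriving through the
! tunnel; anything matching the "permit ip" crypto-map ACL reaches 10.1.1.10,
! including TCP, exactly as seen in the syslog in post #1.

! --- After: decrypted traffic must pass the outside ACL ---
no sysopt connection permit-ipsec

! Crypto-map ACL stays "permit ip": it defines what gets encrypted, not what is allowed.
access-list outside_cryptomap_80 permit ip object-group internal_networks 192.168.80.0 255.255.255.0
crypto map outside_map 80 match address outside_cryptomap_80

! nat 0 exempts tunnel traffic from NAT, so the outside ACL below is written with
! private addresses: source = remote private net, destination = local private host.
access-list inside_nat0_outbound permit ip object-group internal_networks 192.168.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Only ICMP from the remote LAN to the one host; everything else from the tunnel is
! denied and logged (the implicit deny at the end would drop it too, but an explicit
! logged deny makes the denied VPN traffic visible in syslog when verifying).
access-list outside_access_in permit icmp 192.168.80.0 255.255.255.0 host 10.1.1.10
access-list outside_access_in deny ip 192.168.80.0 255.255.255.0 object-group internal_networks log
access-group outside_access_in in interface outside
```

    To verify the change, repeat the TCP connection attempt from the remote side and confirm that syslog now shows the deny on the outside interface, as post #5 reports; the later TCP/UDP services mentioned in post #3 are then added as further permit lines in outside_access_in, above the deny, rather than by widening the crypto-map ACL.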
  5. Thomas

    Thomas Guest

    Walter Roberson wrote:

    >>> If you have sysopt connection permit-ipsec then more
    >>> could get through than you might expect from the crypto map acl.

    >
    >> this i have in my config


    I put this line out of my config and now everything is right. I saw that
    all disallowed connections are denied on the outside interface in syslog.

    Thank you for the help and the useful information about the order of the
    processing steps.
    Thomas, Dec 14, 2006
    #5