PIX VPN and firewall rules - outbound

Discussion in 'Cisco' started by James, Jan 9, 2007.

  1. James

    James Guest

    Hi all,

    I have quite a few PIX site-to-site VPNs. I have always left the
    implicit outbound rule on at the top of the firewall rules, just for
    simplicity. There is also a checkbox I have ticked, 'bypass access check
    for all ipsec traffic'. Well until today, I decided to lock down my
    outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
    that, I got a complaint saying the network was down. I was a little
    confused by this as all IPSEC traffic was allowed through the PIX
    without a check of the rules. I made this change for 'all non-encrypted
    traffic'.

    On closer inspection, it appears to me that what 'bypass PIX for IPSEC
    traffic' means is that all traffic ENTERING the PIX with IPSEC is
    allowed through; nothing says anything about it going out unchecked. So my
    understanding is that these VPNs have always worked because of my
    implicit outbound rule.

    Can anyone clarify this for me?

    Also, if my assumption is correct, is there a command to allow all
    outgoing traffic that is IPSEC encrypted to leave the firewall without
    a check?

    Until today, I thought I knew these boxes pretty good, but it appears I
    am very wrong.

    Kind regards.

    James
    James, Jan 9, 2007
    #1

  2. James

    James Guest

    It's OK, I think I was being silly. I just permitted the same groups for
    my crypto-maps, outbound with an 'any'.

    Cheers

    James, Jan 9, 2007
    #2

  3. Chad Mahoney

    Chad Mahoney Guest

    James wrote:
    > Hi all,
    >
    > I have quite a few PIX site-to-site VPNs. I have always left the
    > implicit outbound rule on at the top of the firewall rules, just for
    > simplicity. There is also a checkbox I have ticked, 'bypass access check
    > for all ipsec traffic'. Well until today, I decided to lock down my
    > outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
    > that, I got a complaint saying the network was down. I was a little
    > confused by this as all IPSEC traffic was allowed through the PIX
    > without a check of the rules. I made this change for 'all non-encrypted
    > traffic'.
    >
    > On closer inspection, it appears to me that what 'bypass PIX for IPSEC
    > traffic' means is that all traffic ENTERING the PIX with IPSEC is
    > allowed through; nothing says anything about it going out unchecked. So my
    > understanding is that these VPNs have always worked because of my
    > implicit outbound rule.

    > Can anyone clarify this for me?
    >
    > Also, if my assumption is correct, is there a command to allow all
    > outgoing traffic that is IPSEC encrypted to leave the firewall without
    > a check?

    sysopt ipsec

    > Until today, I thought I knew these boxes pretty good, but it appears I
    > am very wrong.
    >
    > Kind regards.
    >
    > James
    Chad Mahoney, Jan 9, 2007
    #3
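The behaviour James observed is how the PIX orders things: a packet leaving the inside network is checked against the access list applied to the inside interface before the crypto map on the outside interface ever sees it, while `sysopt connection permit-ipsec` (the 'bypass access check for all ipsec traffic' checkbox) only exempts traffic that arrives decrypted from a tunnel. The following PIX 6.x configuration is an added illustration of the fix James applied, not something posted in the thread; the ACL names, subnets, peer address and transform set are assumed, and the VPN permit is narrowed to the remote subnet rather than `any`.

```cisco
access-list inside_out remark VPN-bound traffic must be permitted here, because the inside ACL
access-list inside_out remark is evaluated before the outside crypto map encrypts the packet
access-list inside_out permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_out remark locked-down rule for everything else: DNS and HTTP only
access-list inside_out permit udp 10.1.0.0 255.255.0.0 any eq domain
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq www
access-group inside_out in interface inside

access-list site2_vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address site2_vpn
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

sysopt connection permit-ipsec
```

Keeping the `inside_out` permit identical to the crypto ACL `site2_vpn` means the inside rule set admits exactly the traffic the tunnel will carry and nothing more; `sysopt connection permit-ipsec` remains responsible only for the decrypted return traffic.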
