Quick scenario on PIX (initiator, responder only)

Discussion in 'Cisco' started by Bidibule, Feb 6, 2006.

  1. Bidibule


    Hello,

    Site A, 10.10.10.0/24
    Site B, 192.168.10.0/24

    Site A and B, PIX 506, 6.3.5

    Building a VPN from A to B, ok... but there is nothing preventing B from
    getting to services located on A.

    Is it possible to have A initiating only to B and B never initiating
    anything to A? Where do you code things like that?

    Thank you

    Bidibule
    Bidibule, Feb 6, 2006
    #1

  2. In article <ds7rhu$a82$>, Bidibule <> wrote:
    >Site A, 10.10.10.0/24
    >Site B, 192.168.10.0/24

    >Site A and B, PIX 506, 6.3.5

    >Building a VPN from A to B, ok... but there is nothing preventing B from
    >getting to services located on A.

    >Is it possible to have A initiating only to B and B never initiating
    >anything to A? Where do you code things like that?


    If A does any UDP to B then the restriction you request
    has a risk of loss of functionality; if a "reply" from B might ever
    take longer than the UDP timeout, then the "reply" will be blocked.
    Such problems *will* occur with Microsoft Exchange for example.

    If A does any icmp or GRE (e.g., PPTP) or any other IP protocol to B
    other than UDP or TCP, then the restriction you request *will* result in
    loss of functionality.

    If A's connections to B are strictly TCP then the restriction can be
    safely implemented.

    To implement: turn off "sysopt connection permit-ipsec". When
    permit-ipsec is not active, all incoming IPSec VPN traffic is
    decapsulated but then must pass through the outside interface's
    access controls, just as if it were traffic from the internet;
    similarly, when permit-ipsec is not active, all outgoing IPSec VPN
    traffic must pass through any inside interface access controls before
    being encapsulated.
    Walter Roberson, Feb 6, 2006
    #2
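What the reply above amounts to on the Site A PIX, as an added example configuration (not from the post, and not a Cisco reference config); the ACL names OUTSIDE_IN and INSIDE_OUT are assumed, and the inside ACL is narrowed to TCP so that the non-TCP cases the reply warns about are denied and logged rather than failing silently.

```cisco
! Site A PIX 506, 6.3.5: 10.10.10.0/24 may initiate to 192.168.10.0/24
! over the tunnel; 192.168.10.0/24 must never initiate toward Site A.
! ACL names OUTSIDE_IN / INSIDE_OUT are assumed for this example.

! --- Weak (default) setting: decrypted tunnel traffic bypasses the ACLs,
!     so anything B sends through the tunnel reaches A's services.
sysopt connection permit-ipsec

! --- Corrected: decapsulated traffic must pass the interface ACLs.
no sysopt connection permit-ipsec

! Outside interface. Replies to TCP connections that A opened are matched
! by the PIX connection table, so they need no entry here. Anything B
! *initiates* toward A is dropped and logged.
access-list OUTSIDE_IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 log
! ... rules for ordinary Internet traffic to the outside interface go here ...
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside

! Inside interface. Only TCP from A to B is allowed, because the reply
! notes that UDP replies arriving after the UDP idle timeout, and ICMP or
! GRE (no connection state), would be blocked by the outside ACL anyway.
! Denying them here makes that loss visible in the log instead of silent.
access-list INSIDE_OUT permit tcp 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list INSIDE_OUT deny ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list INSIDE_OUT permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
```

The crypto map, nat 0 and isakmp statements that build the tunnel itself are unchanged by this; only the two sysopt and ACL sections above differ between the weak and corrected versions.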