VPN and blocking ports

Discussion in 'Cisco' started by Shawn H. Mesiatowsky, Nov 22, 2004.

  1. I have just set up our network composed of the following, our main office has
    a Pix 515 that is used for NAT and VPN for remote users and VPN for our
    satellite office which has a Pix 505. Our main office has our mail servers
    and web servers that must communicate with the internet and our satellite
    office has servers that only communicate with our main office. I need to
    block all unnecessary ports between the two offices (that use VPN) and I need
    to block all ports for remote users (except port 3389) that connect using
    VPN. Upon reading some information on the net and reading some posts here I
    thought of a way. I am currently using the sysopt connection permit-ipsec
    command but it seems like I should not, and I should put access lists on the
    inside and outside interfaces. I currently do not have any access lists on
    the interfaces. Will NAT also send out any broadcast messages destined
    outside our subnet? If I put an access list on the inside interface will it
    stop this? If I put an access list on the outside interface do I need to
    specify the ports for the Cisco VPN software and if so, which ports are
    they? Thanks for your help

    Sincerely,
    Shawn H. Mesiatowsky
    Shawn H. Mesiatowsky, Nov 22, 2004
    #1

  2. In article <>,
    Shawn H. Mesiatowsky <> wrote:
    :I have just set up our network composed of the following, our main office has
    :a Pix 515 that is used for NAT and VPN for remote users and VPN for our
    :satellite office which has a Pix 505. Our main office has our mail servers
    :and web servers that must communicate with the internet and our satellite
    :office has servers that only communicate with our main office. I need to
    :block all unnecessary ports between the two offices (that use VPN) and I need
    :to block all ports for remote users (except port 3389) that connect using
    :VPN. Upon reading some information on the net and reading some posts here I
    :thought of a way. I am currently using the sysopt connection permit-ipsec
    :command but it seems like I should not, and I should put access lists on the
    :inside and outside interfaces. I currently do not have any access lists on
    :the interfaces.

    Removing permit-ipsec and putting in explicit access-groups is a good
    idea in any situation in which users clearly understand that
    security will sometimes interfere with convenience. It can, though,
    lead to awful fights in situations where users feel that they have
    the "right" to access whatever content they want whenever they
    want, and that they shouldn't have to ask even once.

    Universities are apparently quite bad that way: professors don't
    hesitate to drag in department heads and deans, and threaten to take
    their grant funded work elsewhere and to discourage people from
    agreeing to take positions... It's a rare university in which the
    university Senate or Board of Regents is prepared to step up and say
    "Your desire to avoid security is risking the computing infrastructure
    of the entire university. The security *will* be implimented, and if
    you aren't prepared to live with that, then you can resign and we'll
    appoint your rival to your position."

    :Will NAT also send out any broadcast messages destined
    :outside our subnet?

    No. The PIX will not forward broadcasts. (Multicast is a different
    matter.)


    :If I put an access list on the inside interface will it
    :stop this? If I put an access list on the outside interface do I need to
    :specify the ports for the Cisco VPN software and if so, which ports are
    :they? Thanks for your help

    An access-group applied to the inside interface will only affect
    new flows going to outside, and the access-list will be ignored
    for VPN traffic if you have the permit-ipsec option turned on.
    If your outside ACL permits new connections from the other
    side or if you have permit-ipsec turned on, then the adaptive
    security algorithm will dynamically modify the access lists
    to permit return traffic from the inside.

    You could, in theory, work just with deny ACLs on the inside
    interfaces of the 515 and 506 (and with permit-ipsec turned off),
    but if you do so then there is always a risk that one of the
    ACLs will get accidentally removed, or will be out of synchronization
    with the ACL on the other side, and then you will end up with
    traffic travelling over the link that you don't really want the
    other side to accept. It is safer to deny unwanted VPN traffic
    on both your inside ACL and your outside ACL.
    --
    Warning: potentially contains traces of nuts.
    Walter Roberson, Nov 22, 2004
    #2
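The layout the reply recommends (permit-ipsec turned off, an explicit access-group on the outside interface for decrypted VPN traffic, and a matching deny on the inside interface so a lost or out-of-sync ACL on the far side does not silently open the link) looks roughly like the following on the main-office PIX. This is an added example written for this thread, not configuration from either poster, and it uses PIX 6.3-style syntax; every address, network, ACL name and "necessary" service is an assumption chosen for illustration (main office 10.1.0.0/24, satellite office 10.2.0.0/24, remote-client pool 192.168.100.0/24, terminal server 10.1.0.10, file server on TCP 445 and DNS on 10.1.0.5). The ACLs govern traffic passing through the PIX after decryption; the tunnel packets themselves (IKE on UDP 500, ESP as IP protocol 50, and UDP 4500 when NAT traversal is in use) terminate on the PIX and are handled by its crypto configuration.

```cisco
! Added example, not the thread's own config. All names and addresses assumed.
! Main office inside: 10.1.0.0/24   Satellite inside: 10.2.0.0/24
! Remote-access client pool: 192.168.100.0/24   Terminal server: 10.1.0.10
!
! 1. Stop decrypted VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec
!
! 2. Outside ACL: what may enter the main office over the tunnels.
!    Remote users get RDP to the terminal server and nothing else.
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.0.10 eq 3389
!    Satellite office gets only the services it needs (assumed: SMB and DNS).
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 445
access-list outside_in permit udp 10.2.0.0 255.255.255.0 host 10.1.0.5 eq 53
!    Explicit final deny so dropped flows are logged and the policy is visible.
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! 3. Inside ACL: mirror the policy for flows the main office initiates,
!    so traffic is denied before it ever enters a tunnel, independently of
!    whatever ACL the satellite PIX happens to have at the moment.
!    Inside hosts have no reason to open connections to remote clients.
access-list inside_out deny ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0 log
!    Toward the satellite, permit only the agreed services, then deny the rest.
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 445
access-list inside_out deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 log
!    Everything else (mail, web) may go to the internet through NAT as before.
access-list inside_out permit ip 10.1.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

Order matters: the PIX takes the first matching line, so the specific deny toward the satellite network must precede the catch-all permit to the internet. Return traffic for permitted connections is still handled by the adaptive security algorithm, as the reply notes, so only new flows need to be listed. The satellite PIX would carry the complementary pair of ACLs so that, as the reply recommends, unwanted traffic is denied on both ends rather than relying on one side alone.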