PIX 506E, VPN and access restriction

Discussion in 'Cisco' started by Thomas, Dec 13, 2006.

  1. Thomas

    Thomas Guest


    I have a PIX 506E which handles different VPN connections to different
    partners. All VPN connections are site-to-site networks; on the remote
    side there are different VPN devices.

    I have a problem with the access rules. On one remote side there is also
    a PIX 506E. I allowed only ICMP to one host from outside to inside, but it
    is also possible to build TCP connections to this host (and I see them
    in syslog) although there is no access rule allowing this.

    It is only in the case where there is a PIX 506E on the remote side. All
    other configs work fine and only the connections I allowed are possible. I
    don't have the config of this remote PIX.

    Has anybody an idea why these connections are possible, although I
    didn't allow them on my side?


    Thomas, Dec 13, 2006

  2. How do you have that configured?

    If you have configured your crypto map to permit icmp only instead
    of IP, then you might find that icmp is being promoted into full IP
    as older PIX versions could not control the tunnel parameters in
    detail (support for detailed control is an optional part of the IPSec
    standards.) If you have sysopt connection permit-ipsec then more
    could get through than you might expect from the crypto map acl.

    To be certain that only what you want will be permitted through the
    tunnel, do not use permit-ipsec, and instead configure ACLs
    on your inside and outside interfaces. If you do that, then some
    unwanted traffic might get through the tunnel to you, but your
    outside ACL would drop the traffic before it got any further.
    Walter Roberson, Dec 13, 2006

  3. Thomas

    Thomas Guest

    I did it with a normal outside_access_in statement.
    In my crypto map I allowed IP completely, because I want to have certain TCP
    and UDP connections later. I want to control these connections by an
    outside_access_in statement.

    access-list outside_cryptomap_80 permit ip object-group
    internal_networks remoteNET

    PIX version is 6.3(5)

    This I have in my config.
    I.e., I have to build an ACL to accept VPN traffic on the outside interface?

    > If you do that, then some
    That's no problem.

    > but your
    That sounds good.
    Thomas, Dec 13, 2006
  4. Right, build the appropriate lines into your existing ACL applied
    to the outside interface to control traffic that is received.
    The outside ACL will be applied to incoming VPN traffic after
    the traffic is decapsulated, but before NAT translation.
    If you have a standard configuration in which you have used
    "nat (inside) 0 access-list" then this would imply that your outside
    ACL should be written with the source being the private IPs of the
    remote systems and the destinations being the private IPs of the
    local systems.

    You can also control the traffic that is sent by using an ACL on
    your inside interface. The ACL will be applied to outgoing VPN
    traffic before NAT and before encapsulation.
    Walter Roberson, Dec 14, 2006
  5. Thomas

    Thomas Guest

    I took this line out of my config and now everything is right. I saw that
    all disallowed connections are denied on the outside interface in syslog.

    Thank you for the help and the useful information about the order of the
    processing steps.
    Thomas, Dec 14, 2006
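A constructed PIX 6.3 configuration fragment, added here and not taken from either poster's config, showing the bypass Walter describes beside the corrected form. Addresses, object-group members, peer, transform set and the extra TCP entry are assumptions; IKE (isakmp) settings are omitted.

```text
: --- Before (constructed): sysopt lets IPsec traffic skip the outside ACL ---
: Site-to-site peer and crypto ACL, IP permitted completely as in the thread
object-group network internal_networks
  network-object 10.1.1.0 255.255.255.0
object-group network remoteNET
  network-object 192.168.10.0 255.255.255.0
access-list outside_cryptomap_80 permit ip object-group internal_networks object-group remoteNET
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 203.0.113.10
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
: Interface ACL meant to allow ICMP only to one host ...
access-list outside_access_in permit icmp 192.168.10.0 255.255.255.0 host 10.1.1.20
access-group outside_access_in in interface outside
: ... but this line exempts decrypted tunnel traffic from outside_access_in,
: so any TCP/UDP the remote peer sends through the tunnel reaches 10.1.1.20
sysopt connection permit-ipsec

: --- After (constructed): remove the bypass and let the outside ACL decide ---
no sysopt connection permit-ipsec
: Decapsulated traffic is checked by outside_access_in before NAT, so with
: "nat (inside) 0" the entries use the remote and local private addresses
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list outside_access_in permit icmp 192.168.10.0 255.255.255.0 host 10.1.1.20
: Specific TCP/UDP services can be added later, one line each, for example:
access-list outside_access_in permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 443
access-group outside_access_in in interface outside
: Everything else arriving through the tunnel now hits the implicit deny
: of outside_access_in and shows up in syslog as an access-group deny
```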