PIX VPN and firewall rules - outbound

Discussion in 'Cisco' started by James, Jan 9, 2007.

  1. James

    James Guest

    Hi all,

    I have quite a few PIX site-to-site VPNs. I have always left the
    implicit outbound rule on at the top of the firewall rules, just for
    simplicity. There is also a checkbox I have ticked, 'bypass access check
    for all ipsec traffic'. Well, until today, when I decided to lock down my
    outgoing firewall rule to just allow DNS and HTTP, but as soon as I did
    that, I got a complaint saying the network was down. I was a little
    confused by this as all IPSEC traffic was allowed through the PIX
    without a check of the rules. I made this change for 'all non encrypted
    traffic'.

    On closer inspection, it appears to me that what 'bypass PIX for IPSEC
    traffic' means is that, all traffic ENTERING the PIX with IPSEC is
    allowed through, nothing says about it going out unchecked. So my
    understanding is that these VPN's have always worked because of my
    implicit outbound rule.

    Can anyone clarify this for me?

    Also, if my assumption is correct, is there a command to allow all
    outgoing traffic that is IPSEC encrypted to leave the firewall without
    a check?

    Until today, I thought I knew these boxes pretty well, but it appears I
    am very wrong.

    Kind regards.

    James
     
    James, Jan 9, 2007
    #1

  2. James

    James Guest

    It's OK, I think I was being silly. I just permitted the same groups for
    my crypto-maps, outbound with an 'any'.

    Cheers
     
    James, Jan 9, 2007
    #2

  3. James

    Chad Mahoney Guest


    sysopt ipsec
     
    Chad Mahoney, Jan 9, 2007
    #3
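To put the two fixes from this thread side by side (the explicit outbound permit for the VPN subnets from #2 and the sysopt command Chad names in #3), here is an added PIX 6.x configuration example. It is not from either poster; the interface names, ACL names and 10.1.0.0/10.2.0.0 subnets are constructed, and it assumes a single site-to-site peer.

```cisco
! --- Constructed example; names and addresses are placeholders ---

! Crypto ACL: defines which cleartext flows get encrypted toward the peer.
! This is what the crypto map matches on, it is NOT an access check.
access-list vpn_to_siteB permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteB
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! --- Locked-down outbound rule, the way it broke the VPN ---
! Traffic from inside to 10.2.0.0/24 is still cleartext when the inside ACL
! is evaluated, so with only DNS and HTTP permitted it is dropped before it
! ever reaches the crypto map. "Bypass access check for IPsec" does not help
! here: that setting only covers packets that arrive already encrypted.
!
! access-list inside_out permit udp 10.1.0.0 255.255.255.0 any eq domain
! access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq www
! access-list inside_out deny ip any any
! access-group inside_out in interface inside

! --- Corrected outbound rule ---
! Permit the same source/destination pairs the crypto ACL encrypts, placed
! before the DNS/HTTP permits and the final deny. Keeping this line aligned
! with the crypto ACL means a new remote subnet must be added in both places.
access-list inside_out permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list inside_out permit udp 10.1.0.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list inside_out deny ip any any
access-group inside_out in interface inside

! --- The PDM checkbox, as a CLI command ---
! Lets decrypted traffic arriving from the tunnel skip the outside interface
! ACL. It has no effect on the outbound (inside -> tunnel) direction, which
! is why the explicit permit above is still required.
sysopt connection permit-ipsec
```

On PIX/ASA 7.x the equivalent command is `sysopt connection permit-vpn`; the directional behaviour is the same.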
