Posted by ponga on June 30, 2009, 4:48 pm
appreciated.

We have an IPSEC tunnel terminating on our PIX whereby a third party gains access to a certain resource on our LAN. Which is well and good and traffic flows fine. However, (I have not verified this empirically) it seems that anything coming across the VPN tunnel destined to our network is able to access every resource for which a route exists... this I absolutely do not want. I wish this were simple as I want to apply an ACL to restrict the traffic entering our network via the tunnel to just one host/port. From trial and error and by what I have been reading... this seems impossible. I find that hard to believe given how capable the PIX is...

Is this in fact possible to do with an ACL and if so, how?

TIA,
--ponga
|
Posted by bod43 on July 1, 2009, 3:21 am
I would imagine that you can create inbound and/or outbound access-lists and apply them to the inside interface of the device. Check the access-list command to create an access list and access-group to apply it to the interface.

access-list acl_out permit tcp any host 209.165.201.1 eq ftp
access-list acl_out deny ip any any
access-group acl_out out interface interface_name
|
Posted by Chino on July 1, 2009, 4:04 am
>> route exists... this I absolutely do not want. I wish this were simple
>> as I want to apply an ACL to restrict the traffic entering our network
>> via the tunnel to just one host/port. From trial and error and by what
>> I have been reading... this seems impossible. I find that hard to
>> believe given how capable the PIX is...
>> Is this in fact possible to do with an ACL and if so, how?
> I would imagine that you can create inbound and or outbound
> access-lists and apply them to the inside interface of the
> device.

This could be done, but you will need to create an access-list for each of the inside and DMZ interfaces you want to limit traffic to.

The solution I prefer is to remove the "sysopt permit ipsec" command, so you are forcing the PIX to match inbound IPSec packets against the outside interface access-list. Then you can simply add rules to the outside ACL to restrict traffic.
|
Posted by ponga on July 1, 2009, 11:20 am
> >> route exists... this I absolutely do not want. I wish this were simple
> >> as I want to apply an ACL to restrict the traffic entering our network
> >> via the tunnel to just one host/port. From trial and error and by what
> >> I have been reading... this seems impossible. I find that hard to
> >> believe given how capable the PIX is...
> >> Is this in fact possible to do with an ACL and if so, how?
> > I would imagine that you can create inbound and or outbound
> > access-lists and apply them to the inside interface of the
> > device.
>
> This could be done, but you will need to create an access-list for each of
> the inside and DMZ interfaces you want to limit traffic to.
> The solution I prefer is to remove the "sysopt permit ipsec" command, so you
> are forcing PIX to match inbound IPSec packets against the outside interface
> access-list. Then you can simply add rules to the outside ACL to restrict
> traffic.

See, I was thinking about applying an ACL to the egress traffic on the inside interface, the approach mentioned by both yourself and Chino. But this whole `sysopt permit ipsec` thing has me wondering. See, I don't have that line present in my config. I would rather apply the ACL to the outside interface so I will look at doing that.

The part I am getting confused about is that I have some ACLs that are "matched" to a certain tunnel... such as:

!
crypto map Reservations 11 ipsec-isakmp
description Tunnel toNoWhere
set peer 1.2.3.4
set transform-set ESP-3DES-SHA1
match address 106
!

I'm not sure what role this "match address" business plays; is that like "access-group"'ing an ACL to an interface?

Thanks for the tips though, makes sense!!!

-Ponga
|
Posted by Uli Link on July 1, 2009, 12:24 pm
ponga wrote:
> crypto map Reservations 11 ipsec-isakmp
> description Tunnel toNoWhere
> set peer 1.2.3.4
> set transform-set ESP-3DES-SHA1
> match address 106
> !
> I'm not sure what role this "match address" business plays, is that
> like "access-group"'ing an ACL to an interface?
>

access-list 106 describes the traffic to be encrypted through the crypto map. If you want to restrict traffic after or before encryption via crypto map, refer to <http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html#wp1065080>

Perhaps better to use a logical tunnel interface using ipsec profiles and tunnel protection. The config is more straightforward and also supports routing protocols.

--
ULi
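As an added illustration (not config posted by anyone in this thread), the fragment below puts Chino's approach and Uli's explanation side by side in PIX 6.x syntax: the crypto ACL that `match address` binds to the tunnel only selects what gets encrypted, while the outside interface ACL, once the sysopt bypass is removed, is what actually limits the partner to one host and port. Every address, ACL name and the 443 port are constructed placeholders; the crypto map name, sequence number, peer and transform set are the ones from ponga's post, rewritten in the flat form the PIX CLI uses. The `no sysopt connection permit-ipsec` line is PIX 6.x syntax; newer PIX 7.1+/ASA software calls the option `permit-vpn` and enables it by default, so its absence from `show running-config` does not mean the bypass is off.

```cisco
! Constructed example, not from the thread. Placeholders:
!   10.1.1.0/24       our inside LAN; 10.1.1.50 is the one host the partner may reach
!   192.168.100.0/24  partner LAN; 192.168.100.10 is the one partner host allowed in
!   1.2.3.4           partner VPN peer (from ponga's crypto map)

! 1. Crypto ACL. "match address 106" binds it to the crypto map: it defines
!    which traffic is encrypted into the tunnel (and must mirror the peer's
!    side). It is not a filter on what the partner can reach after decryption.
access-list 106 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0

crypto map Reservations 11 ipsec-isakmp
crypto map Reservations 11 set peer 1.2.3.4
crypto map Reservations 11 set transform-set ESP-3DES-SHA1
crypto map Reservations 11 match address 106

! 2. Remove the bypass. While this sysopt is active, decrypted IPsec packets
!    skip the outside interface ACL entirely, which is exactly why every
!    routed inside host becomes reachable from the far end of the tunnel.
no sysopt connection permit-ipsec

! 3. Outside interface ACL. The PIX stops at the first matching line, so the
!    single permit must come before the deny. The deny is written out (with
!    "log") so any other partner traffic shows up in syslog instead of
!    vanishing into the implicit deny at the end of the list.
access-list acl_out permit tcp host 192.168.100.10 host 10.1.1.50 eq 443
access-list acl_out deny ip 192.168.100.0 255.255.255.0 any log
! ... existing acl_out entries for ordinary Internet traffic continue here ...
access-group acl_out in interface outside
```

To confirm it is doing what you expect, have the partner generate both allowed and disallowed traffic and watch the hit counters in `show access-list acl_out`: the permit line should increment for the allowed flow, the deny line for everything else, and the deny should also produce an access-list syslog message for each rejected connection. Narrowing access-list 106 itself is a second layer of control, but because the crypto ACL has to agree with the peer's configuration, the interface ACL is the place you can tighten unilaterally.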
How-to restrict traffic exiting VPN tunnel to certain hosts / ports ??