PIX 506E, VPN and access restriction


i have a PIX 506E which handles different VPN-Connections to different partners. All VPN-connetctions are side to side networks, on the remote side therer are differnt VPN-devices.

I have a problem with the access rules. On one remote side there is also a PIX506E. I allowed only icmp to one host from outside to inside but it is also possible to built tcp connections to this host (and i see them in syslog) although there is no access-rule allowing this.

It is only in that case where on the remote side is a PIX 506E. All other configs work fine and only conntections i allowed are possible. I don't the config of this remote PIX.

Has anybody an idea why this conntections are possible, allthough i dindn't allow them on my side.



Reply to
Loading thread data ...

How do you have that configured?

If you have configured your crypto map to permit icmp only instead of IP, then you might find that icmp is being promoted into full IP as older PIX versions could not control the tunnel parameters in detail (support for detailed control is an optional part of the IPSec standards.) If you have sysopt connection permit-ipsec then more could get through than you might expect from the crypto map acl.

To be certain that only what you want will be permitted through the tunnel, do not use permit-ipsec, and instead configure ACLs on your inside and outside interfaces. If you do that, then some unwanted traffic might get through the tunnel to you, but your outside ACL would drop the traffic before it got any further.

Reply to
Walter Roberson

I did it with a normal outside_access_in statement

In my cyptomap i allowed IP complete, because i want to have certain TCP and UDP connection later. I want to control these connections by an outside_access_in statement.

access-list outside_cryptomap_80 permit ip object-group internal_networks remoteNET

PIX-Version is 6.3.(5)

this i have in my config

i.e. i have to build an ACL to accept VPN-traffic on the outside interface?

If you do that, then some

that's no problem.

but your

that sound's good

Reply to

Right, build the appropriate lines into your existing ACL applied to the outside interface to control traffic that is received. The outside ACL will be applied to incoming VPN traffic after the traffic is decapsulated, but before NAT translation. If you have a standard configuration in which you have used "nat (inside) 0 access-list" then this would imply that your outside ACL should be written with the source being the private IPs of the remote systems and the destinations being the private IPs of the local systems.

You can also control the traffic that is sent by using an ACL on your inside interface. The ACL will be applied to outgoing VPN traffic before NAT and before encapsulation.

Reply to
Walter Roberson

i put this line out of my config and now everything is right. I saw that all disallowed connections are denied on outside interface in syslog.

Thank you for help and the usefull information about the order of the processing steps.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.