PIX VPN and firewall rules - outbound

Hi all,

I have quite a few PIX site-to-site VPNs. I have always left the implicit outbound rule on at the top of the firewall rules, just for simplicity. There is also a checkbox I have ticked, 'bypass access check for all IPsec traffic'. Well, until today, when I decided to lock down my outgoing firewall rule to just allow DNS and HTTP, but as soon as I did that, I got a complaint saying the network was down. I was a little confused by this, as all IPsec traffic was allowed through the PIX without a check of the rules. I made this change for 'all non-encrypted traffic'.

On closer inspection, it appears to me that what 'bypass PIX for IPsec traffic' means is that all traffic ENTERING the PIX with IPsec is allowed through; it says nothing about traffic going out unchecked. So my understanding is that these VPNs have always worked because of my implicit outbound rule.

Can anyone clarify this for me?

Also, if my assumption is correct, is there a command to allow all outgoing traffic that is IPsec encrypted to leave the firewall without a check?

Until today, I thought I knew these boxes pretty well, but it appears I am very wrong.

Kind regards.

James


It's OK, I think I was being silly. I just permitted the same groups for my crypto-maps, outbound with an 'any'.

Cheers


James

sysopt ipsec

Chad Mahoney
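For anyone hitting the same thing later, here is what the two posts above boil down to in PIX 6.x config. This is an added example, not configuration from the thread; the addresses (local LAN 192.168.1.0/24 behind "inside", remote LAN 192.168.2.0/24 behind peer 203.0.113.2), the ACL and crypto map names, and the transform set are assumed. Two points it illustrates: the PDM "outbound" rule set is really an ACL applied inbound on the inside interface (PIX 6.x has no outbound access-group), and the "bypass access check for all IPsec traffic" checkbox is `sysopt connection permit-ipsec`, which exempts only decrypted traffic arriving from the tunnel from the outside interface checks. Traffic about to be encrypted is still checked by the inside ACL before the crypto map ever sees it, which is why the DNS/HTTP-only rule set killed the VPNs.

```text
! Added example, not from the thread. Addresses, names and peer are assumed.

! Traffic selector for the tunnel. Matching packets get encrypted, but only
! AFTER they have passed the inside interface ACL below.
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Exempt tunnel traffic from NAT so the selector matches the real addresses.
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! The locked-down "outbound" rules. On PIX 6.x there is no outbound
! access-group; what PDM shows as outbound rules is an ACL applied "in"
! on the inside interface, so it sees every packet leaving the LAN.
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
! This is the line James added ("the same groups as my crypto maps"). Without
! it, anything bound for the remote site that is not DNS or HTTP is dropped
! here, before encryption. Nothing exempts to-be-encrypted traffic from this check.
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside_access_in in interface inside

! The PDM checkbox "bypass access check for all IPsec traffic". This lets
! traffic arriving FROM the tunnel (decrypted on the outside interface) skip
! the outside interface ACL/conduit checks. It does nothing for traffic
! heading INTO the tunnel from the inside.
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

The practical rule: whenever you tighten the inside ACL on a PIX carrying site-to-site tunnels, the permit entries for each crypto map's match-address ACL have to be duplicated in the inside ACL (or referenced by the same object group), otherwise the tunnel appears "down" even though IKE and IPsec are perfectly healthy.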
