Quick scenario on PIX (initiator, responder only)

Hello,

Site A, 10.10.10.0/24
Site B, 192.168.10.0/24

Site A and B, PIX 506, 6.3.5

Building a VPN from A to B, ok... but there is nothing preventing B from getting to services located on A.

Is it possible to have A initiating only to B and B never initiating anything to A? Where do you configure things like that?

Thank you

Bidibule


If A does any UDP to B then the restriction you request has a risk of loss of functionality; if a "reply" from B might ever take longer than the UDP timeout, then the "reply" will be blocked. Such problems *will* occur with Microsoft Exchange for example.

If A does any icmp or GRE (e.g., PPTP) or any other IP protocol to B other than UDP or TCP, then the restriction you request *will* result in loss of functionality.

If A's connections to B are strictly TCP then the restriction can be safely implemented.

To implement: turn off "sysopt connection permit-ipsec". When permit-ipsec is not active, all incoming IPSec VPN traffic is decapsulated but then must pass through the outside interface's access controls, just as if it was traffic from the internet; similarly, when permit-ipsec is not active, all outgoing IPSec VPN traffic must pass through any inside interface access controls before being encapsulated.

Walter Roberson
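A PIX 6.3 configuration fragment for Site A showing the default setting beside the corrected one, as an added illustration of the answer above (this is not Walter's or Cisco's own config; the ACL names outside_in and vpn_acl, the crypto map name and the use of a single outside interface are assumptions, and the subnets are taken from the thread):

```cisco
! Site A, PIX 506 running 6.3 (assumed). Tunnel selector: A's LAN <-> B's LAN.
access-list vpn_acl permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map site_map 10 match address vpn_acl

! DEFAULT (weak for this requirement): decrypted VPN traffic bypasses the
! outside interface ACL, so anything B initiates reaches A's LAN.
!   sysopt connection permit-ipsec
!
! CORRECTED: decrypted traffic from B is evaluated by the outside ACL like
! any other inbound packet.
no sysopt connection permit-ipsec

! Outside interface ACL. Return traffic for TCP connections that A opened
! is matched by the PIX connection table before this ACL is consulted, so
! only NEW sessions from B are affected by the deny below.
access-list outside_in deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
! Optional: allow ping replies to A's hosts; PIX 6.3 does not track ICMP
! state, so without this line A's pings to B will time out (see the answer).
! access-list outside_in permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
! ... remaining outside_in entries for Internet-facing services ...
access-group outside_in in interface outside
```

After applying this, `show conn` shows A-initiated TCP sessions being tracked (their B-to-A packets are not subject to the deny), and `show access-list outside_in` hit counts on the deny line confirm that B-initiated sessions are being dropped. The UDP caveat from the answer is governed by the `timeout udp` value in the same configuration: a UDP "reply" from B arriving after that idle timer has expired no longer matches a connection entry and is dropped by the deny line.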

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.