Restricting VPN Traffic

We have a vendor (web site hosting) who is requiring us to set up a VPN in order to access our web server. They will not support client based VPNs so we have to set up a tunnel to our PIX 515e. Because the clients that need access to the web server are on the inside network we must terminate the tunnel on our inside interface. Obviously having an unrestricted tunnel from a web server to your internal network is not secure. I also support client VPNs on the 515 into our internal network.

I understand that I can choose to not use "sysopt connection permit-ipsec", but this will break my client VPNs. I understand that I can set up access lists on my internal interface to restrict outbound traffic to the vendor; however, it will be outbound traffic only (not a secure solution), and traffic could still get in.

Anyone have any ideas on how to provide our internal clients access across this VPN tunnel to our vendor securely while still allowing outside VPN clients access to my internal network?

Thanks

--AJ


No, you terminate the tunnel on the interface that will receive and transmit the encrypted/encapsulated data. The inside interface will receive the internal unencapsulated, unencrypted packets, will apply routing and any NAT, and then just before sending the packets out will notice that they are VPN packets and so will encapsulate them and encrypt them and send them on that way.

Only if you do not make the appropriate adjustments to the access-groups.

If you do not have permit-ipsec in effect, then incoming VPN packets are checked to see that they come from a known peer with a valid SPI (secure parameter index), then the packets will be decapsulated and unencrypted, and then the decapsulated packets will be checked against the access-group applied to the outside interface.

Walter Roberson

In order to support my client VPNs what would my access-list look like? Clients can come in from anyplace across the internet.

Thanks

--AJ


Are your clients using LAN-to-LAN IPsec, or are they Cisco VPN Client (or the equivalent)? If they are the VPN Client, then they are given a dynamic IP address from a pool that you specify (either explicitly through a vpngroup command, or implicitly by an "ip local pool" command). As far as the access-group access-lists are concerned, you should use the IP addresses in that pool as the remote IPs for the VPN traffic.

Walter Roberson

Walter is correct here. In this situation, you could do one of two things: remove the 'sysopt connection permit-ipsec' and modify your ACLs to accommodate the VPNs, or, another option, simply terminate the VPN at the outside interface. This takes the sysopt connection permit-ipsec out of the scenario.

By terminating at the outside interface, you then would just do your permit or deny statements at the outside interface ACL as if it were normal public traffic. Standard NAT and ACL checks are performed as usual.

If you insist on terminating on the inside interface, then yes, I'd recommend turning the sysopt connection permit-ipsec off and updating your ACLs. I prefer this anyhow, as if you have the sysopt connection permit-ipsec enabled, you are allowing the end host to be 100% wide open, with no ability at the firewall to limit its traffic. You couldn't even deny specific known virus or trojan ports. By disabling the feature you get much more granular control, which is what you want on a PIX.

Ryan

rdymek
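One way to put the advice in this thread into a configuration, as an added example that is not part of any post above: a constructed PIX 6.x fragment in which both tunnels terminate on the outside interface, `sysopt connection permit-ipsec` is disabled so decrypted packets are checked against the outside ACL, and the VPN client pool (as Walter suggests) is the only remote range allowed into the inside network. All addresses, names, the inside/vendor layout and the transform set are placeholders; the ISAKMP policy and pre-shared keys are omitted.

```cisco
! Constructed example: inside LAN 10.1.1.0/24, vendor web server 203.0.113.10
! behind vendor VPN gateway 203.0.113.1, remote-access client pool 192.168.250.0/24.

! 1. Stop IPsec-delivered packets from bypassing the outside access-group
no sysopt connection permit-ipsec

! 2. Address pool handed to remote-access (VPN Client) users
ip local pool vpnpool 192.168.250.1-192.168.250.254
vpngroup remoteusers address-pool vpnpool

! 3. Interesting traffic for the LAN-to-LAN tunnel; this drives encryption, not filtering
access-list vendor_vpn permit ip 10.1.1.0 255.255.255.0 host 203.0.113.10

! 4. Exempt both tunnels' flows from NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 203.0.113.10
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list nonat

! 5. Outside ACL that the decrypted packets are now checked against:
!    remote-access clients (pool addresses) may reach the internal network;
!    nothing initiated by the vendor's server is allowed in. Replies to sessions
!    opened from inside are permitted by the PIX's stateful connection tracking.
access-list outside_in permit ip 192.168.250.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_in deny ip host 203.0.113.10 10.1.1.0 255.255.255.0
access-group outside_in in interface outside

! 6. Both tunnels terminate on the outside interface
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vendor_vpn
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
```

The explicit `deny` for the vendor's server is redundant with the ACL's implicit deny but makes the intent visible in `show access-list` hit counts, which is the easiest way to confirm that the vendor side is not opening connections toward the inside network after the change.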
