Pix and VPN access restrictions

Post by Jyri Korhone » Mon, 29 Oct 2001 06:09:22

I have a problem with Pix 515 (6.1.1) and VPN access restrictions.
If I establish a VPN tunnel with another firewall (for example
another Pix), how do I place restrictions on traffic? All examples
I have so far seen give full IP access through a VPN tunnel.

Let us assume that I have a Unix server and I want to give ssh
access to our software provider. They also have a Pix 515 firewall,
but naturally I don't have any control over it. We decide that we
will make a VPN tunnel from their network to our Unix server and
only allow ssh traffic (tcp port 22). I can easily set up a VPN
tunnel for full IP access, but I don't have a clue how to restrict
traffic, because the command

   sysopt connection permit-ipsec

means

   Implicitly permit any packet that came from an IPSec tunnel
   and bypass the checking of an associated access-list, conduit,
   or access-group command statement for IPSec connections.

So there seems to be no way to restrict traffic coming from the
tunnel. Well, then I must restrict outgoing traffic. But how on
earth do I do that? If I try to match a crypto map to a restricted
access-list the Pix will warn about degraded performance. And
because they are starting the ssh connections I don't have just
one port to allow. The following access-list doesn't make much
sense, because with that they can start almost any kind of
connection to our Unix.

   access-list [Name] permit tcp host [Unix] [Net] [Mask] gt 1023

What am I missing here?


Pix and VPN access restrictions

Post by Jonathan Hay » Mon, 29 Oct 2001 09:16:48

1. Use the restricted access list and ignore the PIX warning about
degraded performance until you actually measure degraded performance.
That warning may not apply to a lightly loaded VPN.
2. If it's just your UNIX box you are worried about, you could run TCP
Wrapper and let /etc/hosts.allow and /etc/hosts.deny do the filtering.
3. A more traditional solution would be putting the UNIX machine on a
DMZ.
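An added example (not part of either post) that models why the original `gt 1023` entry is too wide and what the "restricted access list" of suggestion 1 looks like. A crypto access-list on the PIX is applied outbound as written and mirrored (source and destination swapped) for traffic arriving from the tunnel; the small matcher below parses the PIX extended access-list subset used in the thread, mirrors an entry, and evaluates constructed flows against both the poster's entry and one that pins the Unix side to source port 22. The addresses (Unix host 10.1.1.5, provider net 192.168.0.0/24), the list name `vpn` and the sample flows are all constructed for the example; the PIX syntax assumed is `permit PROTO SRC [op N] DST [op N]`, with the source port qualifier placed after the source address.

```python
"""Model of PIX crypto access-list mirroring (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortMatch:
    """Port qualifier attached to one address: 'any', or eq/gt/lt N."""
    op: str = "any"
    value: int = 0

    def matches(self, port: int) -> bool:
        if self.op == "any":
            return True
        if self.op == "eq":
            return port == self.value
        if self.op == "gt":
            return port > self.value
        if self.op == "lt":
            return port < self.value
        raise ValueError(f"unknown port operator {self.op!r}")

    def __str__(self) -> str:
        return "any" if self.op == "any" else f"{self.op} {self.value}"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def flow(proto: str, src: str, sport: int, dst: str, dport: int) -> Flow:
    return Flow(proto, ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport)


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    sport: PortMatch
    dst: ipaddress.IPv4Network
    dport: PortMatch

    def mirror(self) -> "Ace":
        """The inbound entry derived from an outbound crypto ACE: ends swapped."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

    def matches(self, fl: Flow) -> bool:
        return (self.proto == fl.proto
                and fl.src in self.src and self.sport.matches(fl.sport)
                and fl.dst in self.dst and self.dport.matches(fl.dport))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit PROTO SRC [op N] DST [op N]'.
    Address forms handled: 'host A', 'any', or 'A MASK' (PIX subnet-mask style)."""
    tok = line.split()
    if tok[:1] != ["access-list"] or len(tok) < 5 or tok[2] != "permit":
        raise ValueError(f"unsupported line: {line}")
    proto, i = tok[3], 4

    def take_addr(i):
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

    def take_port(i):
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            return PortMatch(tok[i], int(tok[i + 1])), i + 2
        return PortMatch(), i

    src, i = take_addr(i)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    return Ace(proto, src, sport, dst, dport)


UNIX = "10.1.1.5"  # constructed: our Unix host
# The entry from the original post: Unix -> provider net, destination port > 1023.
POSTER_ACE = "access-list vpn permit tcp host 10.1.1.5 192.168.0.0 255.255.255.0 gt 1023"
# Restricted entry: Unix source port 22 only, so the mirror admits only dst port 22.
FIXED_ACE = "access-list vpn permit tcp host 10.1.1.5 eq 22 192.168.0.0 255.255.255.0"


def tunnel_permits(ace_line: str, fl: Flow, inbound: bool) -> bool:
    """Would this crypto ACE select the flow for the tunnel in the given direction?"""
    ace = parse_ace(ace_line)
    return (ace.mirror() if inbound else ace).matches(fl)


def demo() -> dict:
    ssh_in = flow("tcp", "192.168.0.10", 40000, UNIX, 22)      # what we want to allow
    mysql_in = flow("tcp", "192.168.0.10", 40001, UNIX, 3306)  # what we do not
    web_out = flow("tcp", UNIX, 45000, "192.168.0.10", 8080)   # Unix initiating outward
    results = {}
    for name, ace in (("gt1023", POSTER_ACE), ("eq22", FIXED_ACE)):
        results[name] = {
            "ssh_in": tunnel_permits(ace, ssh_in, True),
            "mysql_in": tunnel_permits(ace, mysql_in, True),
            "web_out": tunnel_permits(ace, web_out, False),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The `gt1023` row permits all three flows, because its mirror is "provider net, source port greater than 1023, to the Unix host on any port", which is exactly the "almost any kind of connection" the original post complains about. The `eq22` row permits only the inbound ssh flow: its mirror is "provider net, any source port, to the Unix host on port 22", and the outbound entry lets the Unix host send only from source port 22, so sessions it tries to originate are not selected for the tunnel at all. The matcher is stateless; the PIX itself tracks connections, so return packets of an accepted ssh session are handled by its connection table rather than by re-evaluating the list. This is the form of "restricted access list" that triggers the degraded-performance warning the reply says to ignore until measured.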
