PIX client access restrictions

Post by Brad » Thu, 27 Feb 2003 01:55:17



Is there any way to get the decrypted client traffic to pass through the
access-lists on a PIX firewall? Everything I found bypasses the
access-lists.

Use the sysopt connection permit-ipsec command in IPSec configurations to
permit IPSec traffic to pass through the PIX Firewall without a check of
conduit or access-list command statements.

The sysopt ipsec pl-compatible command allows IPSec packets to bypass the
NAT and ASA features and enables incoming IPSec packets to terminate on the
sending interface.
The sysopt ipsec pl-compatible command is not available on a PIX 501.


PIX client access restrictions

Post by Brian Bergin » Thu, 27 Feb 2003 02:31:56


|
|The sysopt ipsec pl-compatible command is not available on a PIX 501.
|

Anyone have a list of what's NOT available on a 501?  Cisco has not been
forthcoming with that info.

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.


PIX client access restrictions

Post by Walter Robers » Thu, 27 Feb 2003 03:25:07



:Is there any way to get the decrypted client traffic to pass through the
:access-lists on a pix firewall, everything I found bypasses the
:access-lists.

Sure, just do NOT use the sysopts.

:Use the sysopt connection permit-ipsec command in IPSec configurations to
:permit IPSec traffic to pass through the PIX Firewall without a check of
:conduit or access-list command statements

And without it, ACLs are checked after the packet is decrypted.

:The sysopt ipsec pl-compatible command allows IPSec packets to bypass the
:NAT and ASA features and enables incoming IPSec packets to terminate on the
:sending interface.
:The sysopt ipsec pl-compatible command is not available on a PIX 501.

This feature is present on some PIX to support the pre-IPSec method
of doing VPNs. This feature is otherwise obsolete.
--
   IEA408I: GETMAIN cannot provide buffer for WATLIB.


Pix and VPN access restrictions

I have a problem with Pix 515 (6.1.1) and VPN access restrictions.
If I establish a VPN tunnel with another firewall (for example another
Pix), how do I place restrictions on traffic? All examples
I have seen so far give full IP access through a VPN tunnel.

Let us assume that I have a Unix server and I want to give a ssh
access to our software provider. They have also a Pix 515 firewall,
but naturally I don't have any control over it. We decide that we
will make a VPN tunnel from their network to our Unix server and
only allow ssh traffic (tcp port 22). I can easily set up a VPN
tunnel for full IP access, but I don't have a clue how to restrict
traffic, because command

   sysopt connection permit-ipsec

means

   Implicitly permit any packet that came from an IPSec tunnel
   and bypass the checking of an associated access-list, conduit,
   or access-group command statement for IPSec connections.

So there seems to be no way to restrict traffic coming from the
tunnel. Well, then I must restrict outgoing traffic. But how on
earth do I do that? If I try to match a crypto map to a restricted
access-list the Pix will warn about degraded performance. And
because they are starting the ssh connections I don't have just
one port to allow. The following access-list doesn't make much
sense, because with that they can start almost any kind of
connections to our Unix.

   access-list [Name] permit tcp host [Unix] [Net] [Mask] gt 1023

What am I missing here?
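Walter's point above (leave the sysopt out and the decrypted packets are checked by the interface ACL) and the ssh-only question in this post can be put together in one configuration. The following is an added example written for this page, not configuration from any of the posters or from Cisco; it assumes PIX 6.x syntax of the kind the thread discusses, the bracketed addresses, ACL names, transform-set and crypto map names are placeholders in the style of the post, the Unix server is assumed to keep its real address inside the tunnel (NAT exemption), and lines beginning with a colon are explanatory comments rather than commands.

```cisco
: Weak form quoted in the thread: every packet that arrives through an
: IPSec tunnel is implicitly permitted and is never checked against the
: access-group bound to the interface where the tunnel terminates.
sysopt connection permit-ipsec

: Corrected form: remove the sysopt so that decrypted packets are
: evaluated by the inbound ACL on the outside interface like any other
: packet arriving on that interface.
no sysopt connection permit-ipsec

: Crypto ACL ("interesting traffic"). Keep it broad (ip) so one SA covers
: the vendor-net <-> Unix-host pair; port filtering is deliberately NOT
: done here, since a narrow crypto ACL is what triggers the degraded
: performance warning. The same list is reused for NAT exemption so the
: Unix host keeps its real address inside the tunnel (assumption).
access-list vpn_vendor permit ip host [Unix] [VendorNet] [VendorMask]
nat (inside) 0 access-list vpn_vendor

: Interface ACL: this is where the ssh-only restriction lives. Only
: tcp/22 from the vendor network to the Unix host is allowed inbound;
: all other decrypted tunnel traffic falls through to the implicit deny
: at the end of the list. Any other inbound rules you already need on
: the outside interface must be carried in this same list.
access-list outside_in permit tcp [VendorNet] [VendorMask] host [Unix] eq 22
access-group outside_in in interface outside

: Minimal tunnel definition with placeholders in brackets.
crypto ipsec transform-set vendor_ts esp-3des esp-sha-hmac
crypto map vendor_map 10 ipsec-isakmp
crypto map vendor_map 10 match address vpn_vendor
crypto map vendor_map 10 set peer [VendorPeerIP]
crypto map vendor_map 10 set transform-set vendor_ts
crypto map vendor_map interface outside
isakmp enable outside
isakmp key [PresharedKey] address [VendorPeerIP] netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

The division of labour is the point: the crypto ACL decides what gets encrypted and stays as a plain host/network `ip` entry, while the port restriction is applied by the ACL bound inbound on the outside interface, which the decrypted packets only traverse once `sysopt connection permit-ipsec` is absent. Return traffic for the vendor's ssh sessions is handled by the stateful connection table, so no outbound rule is needed. After a vendor connects, `show access-list` lets you confirm that the tcp/22 entry is the one accumulating hits and that nothing else from the tunnel is being admitted.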
