Firewall Wizards mailing list archives

RE: Pass-through VPN


From: "Catalina Scott Contr AFCA/EVEO" <scott.catalina () scott af mil>
Date: Mon, 25 Oct 2004 16:52:00 -0500

My understanding is the inbound ACLs would be similar to the crypto
ACLs.

First, the PIX decrypts the incoming VPN traffic. Then, it looks for
ACLs or conduits to allow the traffic to pass, unless sysopt connection
permit-ipsec is configured.

In which case, the decrypted traffic would be allowed through the PIX
without any additional configuration requirements.
  
Without sysopt connection permit-ipsec configured, you are duplicating
effort by having to configure both crypto and inbound ACLs which in most
cases would be identical to each other.

I can't think of a technical reason not to use it but if for some reason
you need to filter VPN traffic after it's been decrypted, you could do it
by omitting sysopt connection permit-ipsec and applying an inbound ACL.

-Scott

-----Original Message-----
From: Hughes, Chris [mailto:Chris.Hughes () thalescomminc com] 
Sent: Monday, October 25, 2004 8:29 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN


What would those ACLs look like?  Allow UDP ports 500 and 4500?

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Catalina
Scott Contr AFCA/EVEO
Sent: Friday, October 22, 2004 12:49 PM
To: Fetch, Brandon; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN

Inbound traffic normally requires an access-list or conduit statement to
allow it to pass.

But by using the sysopt connection permit-ipsec command, the inbound
ipsec traffic bypasses all access-lists and conduits.

Since you can't block inbound traffic on the internal interface as you
can with a Cisco router, the traffic cannot be filtered at this point.

To lock this traffic down, use ACLs without using the sysopt command.

-Scott

-----Original Message-----
From: Fetch, Brandon [mailto:BFetch () texpac com] 
Sent: Monday, October 18, 2004 1:16 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN


To make sure I understand this correctly...

PIX terminates a VPN on its outside interface, or any interface with an
Internet-addressable address. With the sysopt command, traffic that
passes through that VPN tunnel from the remote site is not able to be
ACL'ed appropriately?

But would it not be ACL'able through its source/destination components?
Source being the remote site's LAN address, destination being someplace
else behind the PIX.

Just a bit confused on what this command truly limits/enables.


Thanks,
Brandon

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


This email and any files transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. This communication represents the originator's personal views
and opinions, which do not necessarily reflect those of Thales
Communications, Inc. If you are not the original recipient or the person
responsible for delivering the email to the intended recipient, be
advised that you have received this email in error, and that any use,
dissemination, forwarding, printing, or copying of this email is
strictly prohibited. If you received this email in error, please
immediately notify Administrator () Thalescomminc com.


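As an added illustration of the two set-ups Scott contrasts (this is example configuration written for this archive page, not something posted in the thread), here is a PIX 6.x-style site-to-site fragment. The ACL and map names, the 10.1.0.0/16 and 10.2.0.0/16 LANs, the peer address and the host addresses are all constructed for the example.

```text
! --- Tunnel definition (common to both cases) ---
! Crypto ACL: selects the traffic to be encrypted towards the remote site.
! 10.1.0.0/16 is the local LAN, 10.2.0.0/16 the remote LAN (constructed).
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
! (isakmp policy and pre-shared key lines omitted for brevity)

! --- Case A: decrypted tunnel traffic bypasses the inbound ACL ---
! Everything the crypto ACL matches (all of 10.2.0.0/16 to all of
! 10.1.0.0/16) is passed after decryption; the interface ACL is not
! consulted for it, so the remote LAN gets full reach into the local LAN.
sysopt connection permit-ipsec

! --- Case B: decrypted tunnel traffic is checked against the inbound ACL ---
! With the sysopt removed, the PIX evaluates the decrypted packets against
! the ACL bound to the outside interface.  The crypto ACL still has to
! cover the whole range so the tunnel forms, but the inbound ACL can be
! narrower: here only the remote file server may reach the local intranet
! web server, and the rest of the remote LAN only gets SMTP to the relay.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit tcp host 10.2.0.25 host 10.1.0.80 eq www
access-list OUTSIDE_IN permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.25 eq smtp
! Explicit deny for the rest of the tunnel traffic (the ACL's implicit
! deny would drop it anyway; the explicit entry makes the intent and the
! hit counters visible in show access-list).
access-list OUTSIDE_IN deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside
```

Case A is the "no additional configuration" path Scott describes; Case B is the duplicated-effort path, which only pays off when the inbound ACL is deliberately tighter than the crypto ACL, as above.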

