Firewall Wizards mailing list archives
Re: VPN NAT issue
From: "Farrukh Haroon" <farrukhharoon () gmail com>
Date: Sat, 29 Nov 2008 08:39:09 +0300
The Cisco firewall by default permits all Crypto traffic 'terminating' on it without needing any access-lists. This is done via the sysopt command: http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

You can disable it if you want, however this means all post-decrypted traffic needs to be permitted.

Please note that VPN tunnels that are not terminated on the firewall but still traverse it need to be allowed in the interface ACLs.

Regards
Farrukh Haroon
CCIE # 20184 (Security)

On Thu, Nov 27, 2008 at 10:41 AM, Lord Sporkton <lordsporkton () gmail com> wrote:
> I have to this date, never needed an ACL to allow in VPN traffic on the outside interface. In the case of IPsec (I've not dealt with PPTP too much) I don't even need an ACL rule to allow the ESP and UDP 500 traffic in. I can post working configs if anyone would care to discuss with me why an ACL is needed for VPN traffic.
>
> Please note that I said outside interface, I do believe if you are using an inside interface ACL that is a different story.
>
> If you allow the VPN pool IPs in from the outside how would the firewall differentiate between VPN pool IPs and someone spoofing private IPs on the WAN?
>
> thank you
> Lawrence
>
> 2008/11/26 Kevin Horvath <kevin.horvath () gmail com>:
> > you will need a static nat or nat exemption. You are trying to access from a low security interface to a higher one so put a translation in for the 173.16 net to the vpn pool either by static or nat0. For the static it would be IN2 int to OUT and for nat0 apply it to IN2 where the rules stipulate the src from IN2 net to the vpn local pool. Also apply the acl entries allowing this traffic to the outside acl. Let me know if you have any issues.
> >
> > Kevin
> >
> > On Wed, Nov 12, 2008 at 4:52 AM, Vladislav Antolik <vladislav.antolik () gmail com> wrote:
> > > Hello,
> > >
> > > I'm using Cisco PIX 515E with 8.0(3) image. I have 3 networks:
> > >
> > > IN 172.16.0.0/16
> > > IN2 173.16.0.0/16
> > > OUT 174.16.0.0/16
> > >
> > > VPN local pool is 10.0.0.0/28. I'm using remote access VPN to reach IN servers without problems (I used the howto from the Cisco PIX conf. guide). I would like to reach IN2 servers too, but I don't know how to set up NAT from the VPN pool to this network (IN2). In this network (IN2) my VPN hosts (10.0.0.0/28) must be translated. I tried
> > >
> > > nat (OUT) 66 10.0.0.0 255.255.255.240
> > > global (IN2) 66 173.16.0.5
> > >
> > > but this doesn't work. Is there any possibility to translate the VPN pool?
> > >
> > > Many thanks
> > > Vladislav
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () listserv icsalabs com
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> --
> -Lawrence
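Added example (not configuration posted by anyone in this thread): the two translations Kevin suggests, written in pre-8.3 PIX/ASA syntax, taking Vladislav's labels IN2 and OUT as the nameif values and 10.0.0.0/28 as the VPN local pool; the ACL names and the verification commands at the end are assumptions.

```cisco
! Added example, not from the thread. Assumes nameif IN2 / OUT and the
! addresses from Vladislav's post; ACL names are made up for illustration.

! --- What was tried (outside NAT from OUT into IN2); did not work for the poster ---
! nat (OUT) 66 10.0.0.0 255.255.255.240
! global (IN2) 66 173.16.0.5

! --- Option 1 (Kevin): NAT exemption applied on IN2 ---
! Source is the IN2 network, destination the VPN pool, so IN2 hosts and the
! VPN clients talk without any translation. Needed when nat-control is on,
! since the flow from OUT (lower security) into IN2 (higher) must match a rule.
access-list IN2_NONAT extended permit ip 173.16.0.0 255.255.0.0 10.0.0.0 255.255.255.240
nat (IN2) 0 access-list IN2_NONAT

! --- Option 2 (Kevin): identity static from IN2 to OUT ---
! Same result without an ACL: IN2 addresses are visible unchanged from OUT.
! Use one of the two options, not both.
! static (IN2,OUT) 173.16.0.0 173.16.0.0 netmask 255.255.0.0

! --- Interface ACL on OUT: only if the default sysopt behaviour is turned off ---
! With the default "sysopt connection permit-vpn" (Farrukh's point) decrypted
! tunnel traffic bypasses the OUT ACL, so nothing below is required. A cleartext
! packet that arrives on OUT claiming a 10.0.0.0/28 source was never decrypted
! and is still matched against the OUT ACL, which has no permit for it.
! Disabling the sysopt means adding the permit below, and that permit would
! also match such cleartext packets (Lawrence's spoofing concern), so prefer
! leaving the default in place.
! no sysopt connection permit-vpn
! access-list OUT_IN extended permit ip 10.0.0.0 255.255.255.240 173.16.0.0 255.255.0.0
! access-group OUT_IN in interface OUT

! --- Verification (assumed hosts) ---
! show running-config nat
! show nat
! show xlate
! The NAT phase of this trace should report the exemption (or the static) as the match:
! packet-tracer input IN2 tcp 173.16.0.10 22 10.0.0.2 1025
```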