Firewall Wizards mailing list archives
Re: Decrypted VPN traffic and access lists on outside interface of PIX
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Wed, 25 Aug 2004 16:49:13 +0200
John Galt wrote:
Is decrypted traffic from a site-to-site VPN sent back through an access list that is applied to the outside interface of a PIX?
I'm sorry, I do not know anything about pix! It would be a bad idea from cisco, as it would mean your vpn traffic and your (untrusted) internet one would share a single ACL!
permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
deny ip host 192.168.2.20 host 192.168.1.10
You forgot the most important key in your deny command: log (I assume pix ACLs are very similar to cisco IOS ones). Reading logs is sometimes more interesting than trying to guess what's happening! Note that log may also be added after permit lines (especially useful for debugging, and lighter than enabling cisco's debug output). Adding such 'log' entries would log, i.e. telnet, tftp, snmp, vpn access to/through your router.
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
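The reply's advice has two halves: put `log` on the ACL entries, then actually read what the box sends to syslog. The following Python helpers are an added example and are not part of the thread or of any Cisco tool. The first function audits access-list text for permit/deny entries that carry no `log` keyword (IOS extended ACL syntax is used; the PIX `access-list ... log` form is analogous). The second parses the syslog lines that IOS (`%SEC-6-IPACCESSLOGP`) and PIX (`%PIX-6-106100`) emit for logged entries, so denied and permitted flows can be counted per source, destination and port. The ACL name `VPN-IN`, the interface names, the port numbers, hit counts and hash values in the sample lines are constructed; only the two hosts come from the thread.

```python
"""Audit an ACL for missing 'log' keywords and parse the resulting syslog.

Added example, not code from the original thread.  ACL name VPN-IN and
all sample syslog lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed IOS-style ACL mirroring the two entries quoted in the thread.
# Only the permit line carries 'log'; the deny line is the one the reply
# complains about.
ACL_TEXT = """\
ip access-list extended VPN-IN
 permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet log
 deny ip host 192.168.2.20 host 192.168.1.10
"""


def audit_acl(acl_text):
    """Return every permit/deny entry that does not end up in the logs."""
    missing = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny") and "log" not in tokens:
            missing.append(line.strip())
    return missing


# IOS format, e.g.
#   %SEC-6-IPACCESSLOGP: list VPN-IN denied tcp 192.168.2.20(1034) -> 192.168.1.10(23), 1 packet
# Ports are optional so the IPACCESSLOGNP variant (other IP protocols) also parses.
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:N?P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

# PIX format (message 106100), e.g.
#   %PIX-6-106100: access-list outside_in denied tcp outside/192.168.2.20(1034) -> inside/192.168.1.10(23) hit-cnt 1 first hit [0x8a1c3b9f, 0x0]
PIX_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<count>\d+)"
)

# Constructed sample syslog: two IOS lines, one PIX line, one unrelated line.
SAMPLE_SYSLOG = [
    "Aug 25 16:49:13 gw1 123: %SEC-6-IPACCESSLOGP: list VPN-IN denied udp "
    "192.168.2.20(1034) -> 192.168.1.10(69), 3 packets",
    "Aug 25 16:49:14 gw1 124: %SEC-6-IPACCESSLOGP: list VPN-IN permitted tcp "
    "192.168.2.20(1035) -> 192.168.1.10(23), 1 packet",
    "Aug 25 16:49:15 pix1 %PIX-6-106100: access-list outside_in denied udp "
    "outside/192.168.2.20(2048) -> inside/192.168.1.10(161) hit-cnt 2 first hit [0x8a1c3b9f, 0x0]",
    "Aug 25 16:49:16 pix1 %PIX-5-111008: User 'enable_15' executed the 'show access-list' command.",
]


def parse_acl_syslog(lines):
    """Turn ACL log lines into dicts; lines of other message types are skipped."""
    records = []
    for line in lines:
        m = IOS_RE.search(line) or PIX_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def summarize(records):
    """Sum packet counts per (acl, action, src, dst, dport)."""
    totals = Counter()
    for r in records:
        totals[(r["acl"], r["action"], r["src"], r["dst"], r["dport"])] += r["count"]
    return totals


if __name__ == "__main__":
    for entry in audit_acl(ACL_TEXT):
        print("no 'log' on:", entry)
    for key, packets in sorted(summarize(parse_acl_syslog(SAMPLE_SYSLOG)).items()):
        print(key, packets)
```

Run stand-alone it reports the deny entry as unlogged and prints one line per flow; the same parser can be pointed at a real syslog file once the `log` keywords are in place.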
Current thread:
- Decrypted VPN traffic and access lists on outside interface of PIX John Galt (Aug 25)
- Re: Decrypted VPN traffic and access lists on outside interface of PIX Patrick M. Hausen (Aug 26)
- Re: Decrypted VPN traffic and access lists on outside interface of PIX stephane nasdrovisky (Aug 26)
- <Possible follow-ups>
- RE: Decrypted VPN traffic and access lists on outside interface of PIX Melson, Paul (Aug 26)