Firewall Wizards mailing list archives

Re: Decrypted VPN traffic and access lists on outside interface of PIX

From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Wed, 25 Aug 2004 16:49:13 +0200

John Galt wrote:

Is decrypted traffic from a site-to-site VPN sent back through anaccess list that is applied to the outside interface of a PIX?

I'm sorry, I do not know anything about pix! It would be a bad idea fromcisco, as it would mean your vpn traffic and your (untrusted) internetone would share a single ACL!

permit tcp host 192.168.2.20  host 192.168.1.10  eq telnet
deny ip host 192.168.2.20 host 192.168.1.10

You forgot the most important key in your deny command: log (I assumepix ACL are very similar to cisco IOS ones). Reading logs is sometimesmore interesting then trying to guess what's happening !Note that log may also be added after permit lines (especially usefullfor debuging, and lighter than enabling cisco's debug output).Adding such 'log' entries would log, i.e. telnet; tftp, snmp, vpn accessto/through your router.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Decrypted VPN traffic and access lists on outside interface of PIX John Galt (Aug 25)
- Re: Decrypted VPN traffic and access lists on outside interface of PIX Patrick M. Hausen (Aug 26)
- Re: Decrypted VPN traffic and access lists on outside interface of PIX stephane nasdrovisky (Aug 26)
- <Possible follow-ups>
- RE: Decrypted VPN traffic and access lists on outside interface of PIX Melson, Paul (Aug 26)