Firewall Wizards mailing list archives
RE: Pass-through VPN
From: "Hughes, Chris" <Chris.Hughes () thalescomminc com>
Date: Mon, 25 Oct 2004 09:29:11 -0400
What would those ACLs look like? Allow udp ports 500 and 4500?

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Catalina Scott Contr AFCA/EVEO
Sent: Friday, October 22, 2004 12:49 PM
To: Fetch, Brandon; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN

Inbound traffic normally requires an access-list or conduit statement to allow it to pass. But by using the sysopt connection permit-ipsec command, the inbound ipsec traffic bypasses all access-lists and conduits. Since you can't block inbound traffic on the internal interface as you can with a cisco router, the traffic cannot be filtered at this point. To lock this traffic down, use ACLs without using the sysopt command.

-Scott

-----Original Message-----
From: Fetch, Brandon [mailto:BFetch () texpac com]
Sent: Monday, October 18, 2004 1:16 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN

To make sure I'm understanding this correctly...

PIX terminates a VPN on its outside interface, or any interface with an Internet addressable address. With the sysopt command, traffic that passes through that VPN tunnel from the remote site is not able to be ACL'ed appropriately? But would it not be ACL'able through its source/destination components? Source being the remote site's LAN address, destination being someplace else behind the PIX.

Just a bit confused on what this command truly limits/enables.

Thanks,
Brandon

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
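As an added illustration (not posted by anyone in this thread), here is what an outside-interface ACL can look like on a PIX when the sysopt bypass is left off, so that both the tunnel setup to the firewall and the decrypted traffic from the remote LAN are filtered. The addresses, ACL name and inner port are assumed placeholders.

```cisco
! Added example config, not from the thread. Assumed values:
!   203.0.113.1    outside interface address of this PIX
!   198.51.100.2   outside address of the remote VPN peer
!   10.20.0.0/16   the remote site's LAN behind that peer
!   192.168.1.10   internal server the remote site is allowed to reach
!
! Without sysopt connection permit-ipsec, the outside ACL must first admit
! the tunnel itself to the firewall's own address: IKE on udp/500 (isakmp),
! NAT-T on udp/4500, and the ESP payload (IP protocol 50).
access-list outside_in permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
access-list outside_in permit udp host 198.51.100.2 host 203.0.113.1 eq 4500
access-list outside_in permit esp host 198.51.100.2 host 203.0.113.1
!
! The decrypted packets are then checked against the same ACL, so only the
! intended inner traffic (remote LAN -> one server, one port) is listed.
! Anything else arriving through the tunnel hits the implicit deny, just as
! unsolicited traffic from the Internet does.
access-list outside_in permit tcp 10.20.0.0 255.255.0.0 host 192.168.1.10 eq 443
!
access-group outside_in in interface outside
!
! Keep the bypass off; with it on, nothing above applies to tunnel traffic.
no sysopt connection permit-ipsec
```

If the remote peer has a dynamic address, the host entries for the peer become broader ranges, which is exactly why the inner-traffic lines matter: they are what still limit what comes out of the tunnel.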