Firewall Wizards mailing list archives

Re: Pass-through VPN


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)

Hello!

Inbound traffic normally requires an access-list or conduit statement to
allow it to pass.

But by using the sysopt connection permit-ipsec command, the inbound
ipsec traffic bypasses all access-lists and conduits.

Since you can't block inbound traffic on the internal interface as you
can with a cisco router, the traffic cannot be filtered at this point.

To lock this traffic down, use ACLs without using the sysopt command.

What would those ACLs look like?  Allow udp ports 500 and 4500?  

No, no no ... :-)

The point of the "sysopt connection permit-ipsec" command is to
pass all traffic that is _in_ the VPN tunnel unchecked by ACLs.
The externally visible ESP packets are of course always accepted.
Same for IKE and everything else that is necessary for a successful
IPSec connection.

If the sysopt command is active, after establishing a VPN tunnel
by e.g. an external software client, this client can tunnel
_arbitrary_ IP traffic to the internal LAN. Browse the network
neighborhood in a windows environment etc. pp.

There may be scenarios when you don't want that. I have one client
that wants to give external users access to a cluster of Citrix
terminal servers, but nothing else. So this customer has the
"sysopt ... permit-ipsec" disabled.
Now the IPSec tunnel is still established without any additional
rules, the PIX does IKE just the same way, ... only _after_ the
tunnel is established the client can't pass traffic through
it. Unless you create additional access rules that state e.g.

Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA

Disabling the sysopt command gives you a finer control of what is
allowed _through_ IPSec connections, not control of the connections
themselves.

Hope that helps,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
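A constructed PIX 6.x-style configuration fragment, added here as an illustration and not part of the original post, showing the locked-down setup Patrick describes: sysopt disabled, so decrypted tunnel traffic is checked against the outside-interface ACL, which then admits only ICA from the VPN client pool to the Citrix cluster. The ACL name, the client pool 10.10.10.0/24 and the cluster network 192.168.1.0/24 are assumptions; TCP 1494 is the standard ICA port and TCP 2598 is Citrix session reliability (CGP), which newer ICA clients use; IKE (UDP 500/4500) and ESP need no ACL entries, as the post explains.

```cisco
no sysopt connection permit-ipsec
access-list outside_in remark constructed example: VPN pool to Citrix cluster, ICA only
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 1494
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 2598
access-list outside_in remark everything else from the VPN pool is dropped (explicit, for logging)
access-list outside_in deny ip 10.10.10.0 255.255.255.0 any
access-group outside_in in interface outside
```

The client still gets a tunnel and can reach the Citrix servers on ICA, but browsing the network neighborhood or any other protocol towards the LAN is denied, and the explicit deny line makes those attempts visible in the syslog for the ACL.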