Firewall Wizards mailing list archives
Re: Pass-through VPN
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)
Hello!
Inbound traffic normally requires an access-list or conduit statement to allow it to pass. But by using the sysopt connection permit-ipsec command, the inbound IPsec traffic bypasses all access-lists and conduits. Since you can't block inbound traffic on the internal interface as you can with a Cisco router, the traffic cannot be filtered at this point. To lock this traffic down, use ACLs without using the sysopt command.
What would those ACLs look like? Allow udp ports 500 and 4500?
No, no no ... :-)

The point of the "sysopt connection permit-ipsec" command is to pass all traffic that is _in_ the VPN tunnel unchecked by ACLs. The externally visible ESP packets are of course always accepted. Same for IKE and everything else that is necessary for a successful IPSec connection.

If the sysopt command is active, after establishing a VPN tunnel by e.g. an external software client, this client can tunnel _arbitrary_ IP traffic to the internal LAN. Browse the network neighborhood in a Windows environment etc. pp. There may be scenarios when you don't want that.

I have one client that wants to give external users access to a cluster of Citrix terminal servers, but nothing else. So this customer has the "sysopt ... permit-ipsec" disabled. Now the IPSec tunnel is still established without any additional rules, the PIX does IKE just the same way, ... only _after_ the tunnel is established the client can't pass traffic through it. Unless you create additional access rules that state e.g.

    Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA

Disabling the sysopt command gives you finer control of what is allowed _through_ IPSec connections, not control of the connections themselves.

Hope that helps,

Patrick M. Hausen
Head of Networks and Security (Leiter Netzwerke und Sicherheit)

--
punkt.de GmbH        Internet - Services - Consulting
Vorholzstr. 25       Tel. 0721 9109 -0  Fax: -100
76137 Karlsruhe      http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
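Editor's note: the following PIX 6.x configuration fragment is an added illustration of the two settings Patrick contrasts; it is not from his post or from the customer setup he describes. The interface names, the VPN client address pool (10.99.0.0/24), the Citrix cluster subnet (192.168.10.0/24) and the access-list name are assumptions chosen for the example. TCP/1494 is the standard Citrix ICA port.

```text
! --- Permissive setting (PIX default) ---
! Anything a VPN client sends inside the established tunnel is passed to the
! inside network without being checked against any access-list or conduit.
sysopt connection permit-ipsec

! --- Restrictive alternative ---
! Disable the bypass. IKE (UDP/500), NAT-T (UDP/4500) and ESP still need no
! ACL entries of their own; the PIX accepts them as part of IPsec processing.
! The tunnel still comes up, but decrypted traffic arriving on the outside
! interface is now subject to that interface's inbound access-list.
no sysopt connection permit-ipsec

! Assumed address pool handed to remote software clients (example value)
ip local pool vpnpool 10.99.0.1-10.99.0.254

! Only ICA from VPN clients to the assumed Citrix cluster subnet is allowed.
! Everything else that the clients try to tunnel is dropped and logged,
! so "browse the network neighborhood" no longer works.
access-list outside_in permit tcp 10.99.0.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 1494
access-list outside_in deny ip 10.99.0.0 255.255.255.0 any log
access-group outside_in in interface outside
```

The second block controls only what passes *through* the tunnel once it exists; if the goal is to control which peers may bring a tunnel up at all, that is a matter of the crypto map, ISAKMP policy and client authentication, not of these ACLs. Whether the PIX also needs a NAT exemption (`nat 0 access-list ...`) for the pool depends on the rest of the configuration and is not shown here.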
Current thread:
- RE: Pass-through VPN Melson, Paul (Oct 01)
- Re: Pass-through VPN Josh Welch (Oct 11)
- <Possible follow-ups>
- RE: Pass-through VPN Fetch, Brandon (Oct 22)
- RE: Pass-through VPN Catalina Scott Contr AFCA/EVEO (Oct 22)
- RE: Pass-through VPN Hughes, Chris (Oct 25)
- Re: Pass-through VPN Patrick M. Hausen (Oct 26)
- RE: Pass-through VPN Catalina Scott Contr AFCA/EVEO (Oct 26)