Firewall Wizards mailing list archives

RE: Pass-through VPN

From: "Catalina Scott Contr AFCA/EVEO" <scott.catalina () scott af mil>
Date: Fri, 22 Oct 2004 11:49:07 -0500

Inbound traffic normally requires an access-list or conduit statement to
allow it to pass.

But by using the sysopt connection permit-ipsec command, the inbound
ipsec traffic bypasses all access-lists and counduits.

Since you can't block inbound traffic on the internal interface as you
can with a cisco router, the traffic cannot be filtered at this point.

To lock this traffic down, use ACLs without using the sysopt command.

-Scott

-----Original Message-----
From: Fetch, Brandon [mailto:BFetch () texpac com] 
Sent: Monday, October 18, 2004 1:16 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pass-through VPN


To make sure I'm understand this correctly...

PIX terminates a VPN on it's outside interface, or any interface with an
Internet addressable address With the sysopt command, traffic that
passes through that VPN tunnel from the remote site is not able to be
ACL'ed appropriately?

But would it not be ACL'able through it's source/destination components?
Source being the remote site's LAN address, destination being someplace
else behind the PIX.

Just a bit confused on what this command truly limits/enables.


Thanks,
Brandon

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: Pass-through VPN Melson, Paul (Oct 01)
- Re: Pass-through VPN Josh Welch (Oct 11)
- <Possible follow-ups>
- RE: Pass-through VPN Fetch, Brandon (Oct 22)
- RE: Pass-through VPN Catalina Scott Contr AFCA/EVEO (Oct 22)
- RE: Pass-through VPN Hughes, Chris (Oct 25)
  - Re: Pass-through VPN Patrick M. Hausen (Oct 26)
- RE: Pass-through VPN Catalina Scott Contr AFCA/EVEO (Oct 26)