03-28-2007 05:26 AM - edited 03-11-2019 02:52 AM
Hi,
I have a Cisco PIX 525 (v6.3(4)) that I would like to enable remote access on via an IPSec VPN. That part of the config I have found on the Cisco website and believe I have a solution.
The PIX is configured with 3 interfaces (inside, outside & DMZ). When a user makes a VPN connection I would like to restrict the user access to a DMZ server only. I do not want to allow access to the internal network.
I haven't found any documentation on how to do this.
Can it be done?
Many thanks,
Carl.
03-28-2007 11:24 PM
All,
Do you think that this is even possible?
Thanks.
03-29-2007 08:04 AM
Hi Carl,
Yes, this is possible. You need to disable "sysopt connection permit-ipsec". With this command disabled, you need to write your interface ACL to allow the decrypted traffic wherever you want it.
For you, this will be traffic sourced from the VPN pool destined to your DMZ server, and then deny all other traffic from your VPN pool IPs to anywhere. This ACL needs to be applied to the interface that is terminating your IPSec tunnel (I assume the outside).
Hope it helps,
David.
03-29-2007 11:36 AM
Thanks for this David.
As ACLs are applied inbound, how will this work? My thinking is that once the VPN tunnel is terminated on the PIX, which inbound interface will the ACL be applied to?
I intended to assign a VPN pool from the DMZ subnet.
Many thanks.
03-29-2007 12:08 PM
You can write the ACL inbound on the outside interface or outbound on the inside or DMZ interface. Do not make the VPN pool the same as your DMZ subnet; it should be completely different.
03-29-2007 12:09 PM
Without the sysopt, after the packet is decrypted, it passes back through the same interface ACL (the interface on which the tunnel was terminated - typically this is the outside interface).
I would assign a VPN pool that is unique, and not a part of any interface network.
Sincerely,
David.
03-29-2007 12:20 PM
Ah ok.
Got it thanks guys, very much appreciated.
So ACL on outside interface and separate VPN pool.
Easy ;o)
03-29-2007 12:25 PM
Don't forget, once you remove sysopt conn permit-ipsec, that will apply to all your IPSec traffic. You will also have to specifically permit UDP 500, ESP etc. on your outside interface for the connections as well.
04-02-2007 07:31 AM
Thanks for your help guys.
I have spent the past few days searching for port/protocols I need to open to allow the tunnel to establish when using no sysopt conn permit-ipsec with no success.
So far I have the following:
UDP 500 for ISAKMP
But am unsure what to use for ESP:
ah-esp-encap 2070/tcp AH and ESP Encapsulated in UDP packet
esp-encap 2797/tcp esp-encap
Any other type of traffic specific to the tunnel I also need to include?
Many thanks once again.
Carl.
04-02-2007 08:04 AM
ESP is the protocol, not the port. For example...
access-list 101 permit udp any interface outside eq isakmp
access-list 101 permit esp any interface outside
Also, if you have remote VPN clients requiring NAT traversal, you would want to add UDP 4500.
04-02-2007 08:54 AM
For traffic that is terminated on the PIX (as is the case of IPSec), interface ACLs do not apply. Therefore, there is no reason to permit isakmp (UDP/500) or ESP (protocol 50) in the interface ACL.
Again, interface ACLs only apply to transient traffic, not traffic that is terminated on the firewall.
Sincerely,
David.
04-02-2007 09:28 AM
Hi David,
I'm a little confused at the moment, but hopefully this will be the last post.
My setup:
1.1.1.1 (Internet users, outside)
192.168.0.0/24 (DMZ network, dmz)
10.0.0.0/24 (Internal network, inside)
192.168.1.0/24 (VPN pool)
Traffic flows - A user establishes an IPSec tunnel to my PIX to allow telnet to a server in the DMZ.
When using no sysopt connection permit-ipsec, my outside acl should include the following entries?:
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.100 eq telnet
access-group outside_in in interface outside
(The source IP given here is the VPN pool, not the internet address. Correct?)
I do not require anything additional for esp, isakmp etc?
Many thanks.
04-02-2007 10:04 AM
Correct on both accounts.
David.
04-02-2007 09:37 AM
Yes, source would be private address.
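Putting the thread's advice together, here is an added PIX 6.3 config fragment (my own assembly, not from the thread, Carl's box or Cisco documentation) that restricts the VPN pool to the single DMZ server. The pool range 192.168.1.0/24 and the server 192.168.0.100 come from the thread; the pool name vpnpool and the exact pool range are assumptions. Following David's last answer, no ISAKMP/ESP entries are added, since that traffic terminates on the PIX.

```cisco
ip local pool vpnpool 192.168.1.1-192.168.1.254
no sysopt connection permit-ipsec
access-list outside_in remark Pool and server IPs from the thread; pool name is assumed
access-list outside_in remark With sysopt off, decrypted VPN traffic is checked by this ACL
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.100 eq telnet
access-list outside_in remark Drop everything else from the pool (inside and rest of DMZ)
access-list outside_in deny ip 192.168.1.0 255.255.255.0 any
access-list outside_in remark Existing entries for Internet-sourced traffic follow here
access-group outside_in in interface outside
```

The deny line sits before any entries for Internet-sourced traffic so that nothing later in the ACL can accidentally open the inside network to pool addresses.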