Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
13
Replies

PIX (v6.3) Remote Access IPSec VPN - limit access once established

carl.forbes
Level 1
Level 1

‎03-28-2007 05:26 AM - edited ‎03-11-2019 02:52 AM

Hi,

I have a Cisco PIX 525 (v6.3(4)) that I would like to enable remote access via a IPSec VPN. That part of the config I have found on the cisco website and believe I have a solution.

The PIX is configured with 3 interfaces (inside, outside & DMZ). When a user makes a VPN connection I would like to restrict the user access to a DMZ server only. I do not want to allow access to the internal network.

I haven't found any documentation to do this?

Can it be done?

Many thanks,

Carl.

Labels:
0 Helpful
13 Replies 13

carl.forbes
Level 1
Level 1

‎03-28-2007 11:24 PM

All,

Do you think that this is even possible?

Thanks.

0 Helpful

David White
Cisco Employee
Cisco Employee

‎03-29-2007 08:04 AM

Hi Carl,

Yes, this is possible. You need to disable "sysopt connection permit-ipsec". With this command disabled, you need to write your interface ACL to allow the decrypted traffic wherever you want it.

For you, this will be traffic sourced from the VPN pool destined to your DMZ server, and then deny all other traffic from your VPN pool IPs to anywhere. This ACL needs to be applied to the interface that is terminating your IPSec tunnel (I assume the outside).

Hope it helps,

David.

0 Helpful

carl.forbes
Level 1
Level 1
In response to David White

‎03-29-2007 11:36 AM

Thanks for this David.

As ACLs are applied inbound, how will this work? My thinking is that once the VPN tunnel is terminated on the PIX, which inbound interface will the ACL be applied to?

I intended in assigning a VPN pool from the dmz subnet.

Many thanks.

0 Helpful

acomiskey
Level 10
Level 10
In response to carl.forbes

‎03-29-2007 12:08 PM

You can write the acl inbound to outside interface or outbound of inside or dmz interface. Do not make the vpn pool the same as your dmz subnet, it should be completely different.

0 Helpful

David White
Cisco Employee
Cisco Employee
In response to carl.forbes

‎03-29-2007 12:09 PM

Without the sysopt, after the packet is decrypted, it passes back through the same interface ACL (the interface on which the tunnel was terminated - typically this is the outside interface).

I would assign a VPN pool that is unique, and not apart of any interface network.

Sincerely,

David.

0 Helpful

carl.forbes
Level 1
Level 1
In response to David White

‎03-29-2007 12:20 PM

Ah ok.

Got it thanks guys, very much appreciated.

So ACL on outside interface and seperate VPN pool.

Easy ;o)

0 Helpful

acomiskey
Level 10
Level 10
In response to carl.forbes

‎03-29-2007 12:25 PM

Don't forget, once you remove sysopt conn permit-ipsec, that will apply to all your ipsec traffic. You will also have to specifically permit udp 500, esp etc. on your outside interface for the connections as well.

0 Helpful

carl.forbes
Level 1
Level 1
In response to acomiskey

‎04-02-2007 07:31 AM

Thanks for your help guys.

I have spent the past few days searching for port/protocols I need to open to allow the tunnel to establish when using no sysopt conn permit-ipsec with no success.

So far I have the following:

UDP 500 for ISAKMP

But am unsure what to use for ESP:

ah-esp-encap 2070/tcp AH and ESP Encapsulated in UDP packet

esp-encap 2797/tcp esp-encap

any other type of traffic specific to the tunnel I also need to include?

Many thanks once again.

Carl.

0 Helpful

acomiskey
Level 10
Level 10
In response to carl.forbes

‎04-02-2007 08:04 AM

ESP is the protocol, not the port. For example...

access-list 101 permit udp any interface outside eq isakmp

access-list 101 permit esp any interface outside

also if you have remote vpn clients requiring nat-traversal, you would want to add udp 4500.

0 Helpful

David White
Cisco Employee
Cisco Employee
In response to acomiskey

‎04-02-2007 08:54 AM

For traffic that is terminated on the PIX (as is the case of IPSec), interface ACLs do not apply. Therefore, there is no reason to permit isakmp (UDP/500) or ESP (protocol 50) in the interface ACL.

Again, interface ACLs only apply to transient traffic, not traffic that is terminated on the firewall.

Sincerely,

David.

0 Helpful

carl.forbes
Level 1
Level 1
In response to David White

‎04-02-2007 09:28 AM

Hi David,

I'm a little confused at the moment, but hopefully this will be the last post.

My setup:

1.1.1.1 (Internet users, outside)

192.168.0.0/24 (DMZ network, dmz)

10.0.0.0/24 (Internal network, inside)

192.168.1.0/24 (VPN pool)

Traffic flows - A user establishes an IPSec tunnel to my PIX to allow telnet to a server in the DMZ.

When using no sysopt connection permit-ipsec, my outside acl should include the following entries?:

access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.100 eq telnet

access-group outside_in in interface outside

(The source IP given here is the VPN pool, not the internet address. Correct?)

I do not require anything additional for esp, isakmp etc?

Many thanks.

0 Helpful

David White
Cisco Employee
Cisco Employee
In response to carl.forbes

‎04-02-2007 10:04 AM

Correct on both accounts.

David.

0 Helpful

acomiskey
Level 10
Level 10
In response to David White

‎04-02-2007 09:37 AM

Yes, source would be private address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card