If I add a deny ACL after all my permit ACLs, will a deny from any source to port 500 close the port on my PIX 506? I need to keep that port from showing up in a scan to comply with security standards. Also, this should not cause a problem with any other traffic, right?
On the ASA you can prevent the ASA from responding to UDP 500 by creating an ACL and applying it to the outside with the keyword ''control
This will allow the ACL to check packets intended to the ASA as well as packets going through.
However, this is not possible on PIXes.
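The ASA approach described above, as an added configuration example that is not from the original thread: a control-plane ACL that lets only a known IKE peer reach UDP 500/4500 on the firewall itself, while leaving everything else addressed to the box untouched. The peer address 203.0.113.10 and the ACL name OUTSIDE_CP are constructed for the example.

```cisco
! ASA only (the PIX has no control-plane ACL). Lines starting with ! are ignored on paste.
! Constructed example: 203.0.113.10 is the one legitimate site-to-site VPN peer.
! Order matters: first match wins, so the peer's permits must sit above the deny lines.
access-list OUTSIDE_CP extended permit udp host 203.0.113.10 any eq isakmp
access-list OUTSIDE_CP extended permit udp host 203.0.113.10 any eq 4500
! Everyone else gets no IKE / NAT-T response, so the port does not answer a scan.
access-list OUTSIDE_CP extended deny udp any any eq isakmp
access-list OUTSIDE_CP extended deny udp any any eq 4500
! Keep other to-the-box traffic (ESP from the peer, management access) as it was.
access-list OUTSIDE_CP extended permit ip any any
! The control-plane keyword makes this ACL apply to traffic destined TO the ASA,
! not to traffic passing THROUGH it, which the regular outside ACL still governs.
access-group OUTSIDE_CP in interface outside control-plane
```

To confirm it is working, `show access-list OUTSIDE_CP` shows a growing hitcnt on the deny lines when the outside is scanned, while the peer's tunnel still negotiates normally.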
I was told this is a huge security issue. Is this true? What problems will having that port open cause? Also does the ASA platform have this same issue?
Not sure about the ASA because I never tested it. It's not really a huge security issue. Just because the PIX will respond on UDP port 500 doesn't mean you can then form an IPsec tunnel, i.e. you need a lot more information than that to successfully bring up an IPsec tunnel. That is why you should always select a good preshared key, never e-mail the key, etc.
Edit: even though it is not necessarily a huge security issue, it would be good if you could indeed stop the PIX from responding on that port.
If you're positive that all VPN traffic is being permitted by the ACL, then you can safely remove the sysopt.
If you remove the "sysopt connection permit-ipsec" then all VPN traffic is going to be checked by the outside ACL.
By default, when the VPN terminates on the PIX, all traffic encapsulated through the tunnel is permitted (without an ACL) because of the sysopt command above.
If you remove it, you will need to permit all the VPN traffic explicitly on the outside ACL.
Like Federico says:
An access-list applied on the interface is only for THROUGH-the-box traffic.
That does not affect "TO"-the-box traffic like VPN termination or telnet/SSH/ASDM TO the box.
You can add this command: sysopt connection permit-ipsec
Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
Yes, but assuming that ACL is applied to the outside interface (the interface where the VPN tunnel terminates)...
You're denying UDP traffic from any source to any destination on destination port 500 (ISAKMP).
The IPsec VPN tunnel terminated on the PIX uses UDP port 500 (ISAKMP) to establish the tunnel.
So, the PIX should be able to listen on UDP port 500 on its outside interface.
I have no PIX here to prove it, but what I'm saying is that the ACL applies only to traffic through the PIX and not to the PIX.
This means that all traffic intended to the PIX itself is not going to be checked by the ACL (only traffic passing through).
If you have a scenario where the IPsec VPN passes through the PIX, then you will need to open UDP 500.
That will block traffic destined to xxx on port 500.
Make sure your ACL lines above that line don't allow it because then the deny line will not be hit.
I hope it helps.
Whatever you specify under an ACL on the PIX is just going to affect traffic passing through the PIX (not to the PIX itself).
So, for VPN traffic terminating on the PIX, the ACLs won't hurt.