Blocking IPsec/IKE traffic to external PIX interface
I have a typical PIX-2-PIX (site-2-site) VPN tunnel established and working fine. However, I don't want to allow everybody on the Internet to chat ESP/IKE with my VPN peer/firewall.
Can this be blocked at all? I've tried permitting all ESP and 500/UDP only from trusted VPN peers on my external interface (with my external IP as the destination) and blocking everything else, but it didn't work.
Re: Blocking IPsec/IKE traffic to external PIX interface
Any host can try to initiate an IKE negotiation to my firewall's external interface/address. Sure, they don't know the pre-shared key, but it can be guessed.
Having 'no sysopt connection permit-ipsec' and ACLs on outside interface is enough for protecting traffic going to hosts in the VPN protected domains, but not to the firewall itself. AFAIK, you can't limit IKE negotiations to particular hosts. This is bad, IMHO.
Any chance this can be changed in future PIX versions?
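For reference, this is the outside-interface ACL arrangement the question describes together with the 'no sysopt connection permit-ipsec' setting from the reply, written out as an added example (not configuration from either poster). The peer address 203.0.113.10, the firewall's outside address 198.51.100.1 and the ACL name outside_in are placeholders; the comments record what the thread says the ACL does and does not cover.

```cisco
! Added example, PIX 6.x syntax. Addresses and ACL name are placeholders.
! Only the trusted VPN peer may send ESP and IKE (UDP/500) to the outside address.
access-list outside_in remark ESP and IKE from the trusted site-to-site peer only
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
! UDP/4500 is needed in addition only if NAT-T is enabled between the peers.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
! Everything else arriving on the outside interface is dropped.
access-list outside_in deny ip any any
access-group outside_in in interface outside
!
! With this setting, decrypted VPN traffic is also subject to the outside ACL
! instead of bypassing it, so the ACL above governs what reaches the protected
! hosts behind the firewall.
no sysopt connection permit-ipsec
!
! Caveat from the reply: this ACL controls traffic passing through the PIX
! toward the protected networks. The PIX's own IKE listener on the outside
! address still accepts negotiation attempts from any source, so a strong
! pre-shared key (or certificates) remains the control for the firewall itself.
```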