Cisco Support Community

New Member

Blocking IPsec/IKE traffic to external PIX interface

I have a typical PIX-2-PIX (site-2-site) VPN tunnel established and working fine. However, I don't want to allow everybody on the Internet to chat ESP/IKE with my VPN peer/firewall.

Can this be blocked at all? I've tried permitting all ESP and 500/UDP only from trusted VPN peers on my external interface (with my external IP as the destination) and blocking everything else, but it didn't work.

I have 'no sysopt permit-ipsec' in my config.


Cisco Employee

Re: Blocking IPsec/IKE traffic to external PIX interface

What "didn't work"? What happened? Disabling "sysopt connection permit-ipsec" and adding an outside ACL only allowing IPSec traffic should be enough.

Keep in mind also that unless a host has a valid isakmp key defined (which in your case with just L2L tunnels it should not), then they won't get very far through the negotiation.
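The configuration the reply describes, written out as an added example (not the poster's config): the outside ACL admits ESP and UDP/500 only from the trusted peer, and the pre-shared key is bound to that peer's address so other hosts have no matching key. The interface name, ACL name and the two addresses (203.0.113.10 for the peer, 198.51.100.1 for this PIX's outside address) are constructed placeholders.

```cisco
! Do not let IPsec traffic bypass the outside interface ACL.
no sysopt connection permit-ipsec

! Only the known L2L peer may send IKE (UDP/500) and ESP to our outside address.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
! Everything else arriving on the outside interface is dropped.
access-list outside_in deny ip any any
access-group outside_in in interface outside

! IKE is enabled on the outside interface, but the pre-shared key is tied to the
! peer's address (netmask /32), so no other initiator has a matching key.
isakmp enable outside
isakmp key <pre-shared-key-placeholder> address 203.0.113.10 netmask 255.255.255.255
```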

New Member

Re: Blocking IPsec/IKE traffic to external PIX interface

Any host can try to initiate an IKE negotiation to my firewall's external interface/address. Sure, they don't know the pre-shared key, but it can be guessed.

Having 'no sysopt connection permit-ipsec' and ACLs on the outside interface is enough for protecting traffic going to hosts in the VPN protected domains, but not to the firewall itself. AFAIK, you can't limit IKE negotiations to particular hosts. This is bad, IMHO.

Any chance this can be changed in future PIX versions?

New Member

Re: Blocking IPsec/IKE traffic to external PIX interface

This is why we use certificates for our authentication. You can use the free certificate server in Win2k to do it. We happen to use Verisign because we built this before MS was supported.