We have users who are on our private network behind our PIX 520. Users can connect to our clients PIX firewalls using the Cisco VPN Client if we perform the following steps:
1. Reserve a private IP address for their workstation on the DHCP server.
2. Statically assign a public IP address to the private IP address reserved.
3. Create a conduit allowing the ESP protocol from the clients public IP address on their PIX to the public IP address setup in step 2.
Question- what are the risks if ESP protocol were opened from any public IP address to any host behind our PIX? I am not comfortable opening this up but have not been able to find any details regarding potential risks that have satisfied management. Any help would be welcome. Thanks
The risks are minimal really, but I'm always hesitant to open any hole in a firewall unless you have to. Opening up ESP to any internal host is really not going to get anyone anywhere, because they first have to establish a tunnel using ISAKMP, so if you don't open that up you'll be pretty safe.
The reason you don't need to create a conduit for ISAKMP (in case you're wondering), is that ISAKMP is a UDP protocol. The PIX automatically creates conduits for TCP or UDP packets as they go out (from inside to outside), and allows those packets to come back in. ESP on the other hand, sits right on top of IP (is not TCP/UDP based),and so the PIX doesn't open a hole for that traffic to come back in, hence you have to specifically create a conduit for it.
As I said though, if you're now talking about traffic originating from the outside and coming in, you've only allowed ESP and not ISAKMP, so the risk of anyone starting a VPN tunnel to an internal host is negligible.
As I also said though, it is another hole in your firewall, so the more secure you can make it, by specifying the source and/or destination addresses, then the better that will be.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...