Cisco Support Community
New Member

Filter on VPN3002 (Hardware Client)

Dear All,

I have questions regarding the VPN3002's security. The VPN3002 isn't able to set filters on the interfaces to limit which packet types are denied/permitted on them. I looked in the "CONFIG" file; it has some entries for filters, but those filters cannot be configured from the Web UI. Does anyone know any tricks for configuring filters on the VPN3002?

Regards,

Engel

2 REPLIES
Cisco Employee

Re: Filter on VPN3002 (Hardware Client)

Hi Engel,

Good question. Actually, the 3002, being a hardware client, is always the initiator, and by default only VPN traffic is allowed on the outside interface. So generally there is no need to put filters on it, and hence no option was added for it. You can go ahead and add a PIX501 for further security as well.

Hope this helps,

Regards,

Aamir

-=-=-

New Member

Re: Filter on VPN3002 (Hardware Client)

I think it is not only VPN traffic that is allowed; ICMP "echo" and "echo-reply" are allowed also. The following is a snippet from the CONFIG file; it looks like it forwards any packet to any destination with a source of the public interface's IP address. I don't find any "deny all" entry in the config for the public interface, or does it follow the Cisco router concept of adding an invisible deny all?

[filterrules 3]
name=Public -> Any, Forward (7)
direction=2
saddr=2.2.2.100
smask=0.0.0.0
daddr=0.0.0.0
dmask=255.255.255.255
sportlow=0
sporthigh=65535
dportlow=0
dporthigh=65535
typelow=0
typehigh=255
protocol=255
action=2
established=2
slist=0
dlist=0

Best Regards,

Engel
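The rule format quoted above is a flat key=value section, which makes it easy to audit offline. The following is an added example, not code from the thread or from Cisco: it parses [filterrules N] sections from CONFIG text, treats smask/dmask as wildcard masks (0 bits must match, 1 bits are ignored, which is the only reading under which "Public -> Any" fits saddr=2.2.2.100/smask=0.0.0.0 and daddr=0.0.0.0/dmask=255.255.255.255; this is an assumption), and evaluates a packet against the rules in index order. Because the thread's open question is whether an unmatched packet is dropped, the evaluator makes the default deny explicit rather than assuming it. The meanings of protocol=255 ("any") and action=2 ("forward", as the rule name suggests) are assumptions, and the sample input is constructed from the single rule in the post.

```python
"""Parse VPN 3000-style CONFIG [filterrules N] sections and evaluate packets
against them, with an explicit default deny when nothing matches."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the one rule quoted in the thread.
SAMPLE_CONFIG = """
[filterrules 3]
name=Public -> Any, Forward (7)
direction=2
saddr=2.2.2.100
smask=0.0.0.0
daddr=0.0.0.0
dmask=255.255.255.255
sportlow=0
sporthigh=65535
dportlow=0
dporthigh=65535
typelow=0
typehigh=255
protocol=255
action=2
established=2
slist=0
dlist=0
"""

ANY_PROTOCOL = 255            # assumption: protocol=255 means "any IP protocol"
ACTION_NAMES = {2: "forward"}  # assumption: action=2 is "Forward", per the rule name


@dataclass
class FilterRule:
    index: int
    name: str
    saddr: int   # address fields as 32-bit ints; masks are wildcard masks
    smask: int   # (0 bits must match, 1 bits are ignored) - an assumption
    daddr: int
    dmask: int
    sport: range
    dport: range
    protocol: int
    action: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _build(index: int, f: Dict[str, str]) -> FilterRule:
    return FilterRule(
        index=index,
        name=f.get("name", ""),
        saddr=_ip(f["saddr"]), smask=_ip(f["smask"]),
        daddr=_ip(f["daddr"]), dmask=_ip(f["dmask"]),
        sport=range(int(f["sportlow"]), int(f["sporthigh"]) + 1),
        dport=range(int(f["dportlow"]), int(f["dporthigh"]) + 1),
        protocol=int(f["protocol"]),
        action=int(f["action"]),
    )


def parse_filter_rules(text: str) -> List[FilterRule]:
    """Collect key=value lines under each [filterrules N] header, sorted by N."""
    rules: List[FilterRule] = []
    index: Optional[int] = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[filterrules (\d+)\]", line)
        if header:
            if index is not None:
                rules.append(_build(index, fields))
            index, fields = int(header.group(1)), {}
        elif index is not None and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if index is not None:
        rules.append(_build(index, fields))
    return sorted(rules, key=lambda r: r.index)


def _wild_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    # Bits set in the wildcard mask are ignored; all other bits must be equal.
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0


def rule_matches(rule: FilterRule, src: str, dst: str,
                 proto: int, sport: int, dport: int) -> bool:
    return (_wild_match(_ip(src), rule.saddr, rule.smask)
            and _wild_match(_ip(dst), rule.daddr, rule.dmask)
            and rule.protocol in (ANY_PROTOCOL, proto)
            and sport in rule.sport and dport in rule.dport)


def evaluate(rules: List[FilterRule], src: str, dst: str,
             proto: int, sport: int, dport: int) -> Tuple[Optional[int], str]:
    """First matching rule wins. An unmatched packet falls through to an
    explicit deny so the audit does not silently rely on an implicit one."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, sport, dport):
            return rule.index, ACTION_NAMES.get(rule.action, f"action {rule.action}")
    return None, "deny (default)"


if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_CONFIG)
    # Outbound from the public interface address: matched by rule 3.
    print(evaluate(rules, "2.2.2.100", "198.51.100.7", 6, 40000, 443))
    # A spoofed or foreign source address: no rule matches, explicit deny.
    print(evaluate(rules, "2.2.2.101", "198.51.100.7", 6, 40000, 443))
```

Running it over a full CONFIG dump shows, rule by rule, which traffic the public-interface rules actually cover and which packets only the (assumed) implicit deny would stop.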

96 Views | 0 Helpful | 2 Replies