Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
264
Views
5
Helpful
2
Replies

Filtering de-crypted VPN traffic terminating on the PIX

davelockerby
Level 1
Level 1

‎03-18-2003 08:05 AM - edited ‎02-21-2020 12:25 PM

After searching Cisco's website, reading posts on this board and other boards, and reading a limited number of good books on the Cisco PIX firewall, I still have a question that I cannot definitively answer for myself.

Scenario: PIX 525 site-to-site VPN with Checkpoint NG 650 firewall as the remote VPN peer.

Goal: Limit inbound, de-crypted traffic from the network behind the remote VPN peer to access only specific hosts and ports on the network behind the PIX 525 firewall.

Question: What is the best way (or options) to accomplish the above goal?

1. Is it better to use the "sysopt connection permit-ipsec" command to allow IPSec VPN traffic to "by-pass" inbound ACLs on the outside interface as well as the ACLs that "define" which traffic is to be tunneled between the PIX firewall and Checkpoint NG 650 firewall?

OR

2. Is it better to configure the PIX without the sysopt connection permit-ipsec command and instead utilize an inbound ACL to filter both IPSec VPN traffic (based on source, destination and ports) and the decrypted traffic (based on source, destination and ports) ? Is my understanding correct, with this option, that once VPN traffic is processed and authenticated that the decrypted traffic must meet the filter conditions defined in the inbound access-list applied to the outside interface on the PIX firewall?

I'm aware that Cisco recommends using the "sysopt connection permit-ipsec" command because not doing so can lead to high processor utilization.

For the project at hand, the importance of limiting the decrypted traffic to only certain hosts and ports outweighs porcessor utilization.

Thanks in advance for any and all posts regarding this matter!

Labels:
0 Helpful
2 Replies 2

afakhan
Level 4
Level 4

‎03-19-2003 02:24 PM

Hi,

Ans1: your understanding is right.

Ans2:your understanding abt the ACL processing seems right.

I'd like to add some more to it:

1 - configure port based ipsec cyrpto ACLs b/w the two devices, to make sure that you encrypt/decrypt only what you want, but in case of CheckPoint, it may have some problems.

2- you can filter traffic inbound/outbound on the inside pix interface as well to limit it to certain ports/IPs.

my 2 cents.

Thanks - Afaq

davelockerby
Level 1
Level 1
In response to afakhan

‎03-20-2003 05:38 AM

Thanks Afaq.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents