How to block IKE access to a PIX when using it as a VPN endpoint?

t.baranski
Level 4

Hello.

We recently deployed a PIX on our network that serves solely as a VPN endpoint for a single customer. After it was deployed (by someone other than myself) I noticed that port 500 was accessible globally -- I could use a tool called IKE-Scan to get responses from port 500 on the firewall from any IP address.

I'm wondering if there's an easy way to restrict access to this port -- I'd rather not have it open to the world because it's easy to find out what type of device it is by querying port 500. I've never worked with a PIX before, so I don't know if I can simply put an access list on the outside interface to fix this or not. Would it be sufficient to add such an access list that only allows port 500 traffic from authorized IPs?

Thanks,

Terry

1 Reply

gfullage
Cisco Employee

Hmm, I don't believe so. I think once you add:

> isakmp enable outside

into your config then that makes the PIX listen on port 500 for incoming connections, overriding the ACL on the outside. Unless the incoming connection has a valid "isakmp key address x.x.x.x ......" command associated with it though, the PIX will not respond to tunnel requests.

How are you determining that "it's easy to find out what type of device it is by querying port 500", since unless you send a valid ISAKMP packet thru from a valid address with a valid key I didn't think you could tell anything. Just port scanning won't tell you anything unless I'm mistaken. I just port-scanned my PIX and it does show port 500 open, but there's no other information than that.

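As an added example that is not part of the thread: the reply's point is that once `isakmp enable outside` is set, what gates an IKE negotiation is the set of `isakmp key ... address` peers, not the outside ACL, so the defender's check is to audit those peer entries. The script below parses a constructed PIX 6.x configuration fragment (addresses and the `audit_isakmp` helper are assumptions, not from the thread) and flags any wildcard or non-host-mask peer, since such an entry lets any source complete IKE, plus any peer outside the authorized list; it generalizes the single-customer case to an arbitrary authorized set.

```python
import re

# Constructed sample PIX 6.x configuration fragment (not from the original thread).
# PIX masks pre-shared keys as ******** in "show config" output.
SAMPLE_CONFIG = """\
hostname pix-vpn
access-list outside_in permit udp host 203.0.113.10 any eq isakmp
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
"""

ISAKMP_ENABLE = re.compile(r"^isakmp enable (\S+)")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+)(?: netmask (\S+))?")


def audit_isakmp(config_text, authorized_peers):
    """Report IKE-enabled interfaces and risky pre-shared-key peer entries.

    authorized_peers: the set of peer addresses this VPN endpoint should serve.
    The outside ACL is deliberately ignored: per the reply above it does not
    stop the PIX itself from answering IKE, so the peer list is what matters.
    """
    enabled, peers, findings = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ISAKMP_ENABLE.match(line)
        if m:
            enabled.append(m.group(1))
            continue
        m = ISAKMP_KEY.match(line)
        if m:
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            peers.append((addr, mask))
            if addr == "0.0.0.0" or mask != "255.255.255.255":
                # Any source matching the wildcard can negotiate with this key.
                findings.append(f"wildcard pre-shared key peer {addr} netmask {mask}")
            elif addr not in authorized_peers:
                findings.append(f"unexpected peer {addr}")
    return {"enabled_interfaces": enabled, "peers": peers, "findings": findings}


if __name__ == "__main__":
    for key, value in audit_isakmp(SAMPLE_CONFIG, {"203.0.113.10"}).items():
        print(key, value)
```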