
Interpret what is allowed over the VPN tunnel

khuysmans
Level 1

Hello,

I am working with Cisco PIX equipment for the first time and I am trying to figure out what is being allowed over one of the VPN tunnels which are being established on the PIX.

I am interpreting what this PIX does by reading the running configuration. I managed to understand most of it (with the help of the Cisco site), so I'm starting to get comfortable with it. I am looking for some help interpreting what is being allowed over a VPN tunnel though. Here are some details:

crypto map ANTsa 2 ipsec-isakmp

crypto map ANTsa 2 match address acl-vpntalk

access-list acl-vpntalk permit ip object-group my_inside_network 172.17.144.0 255.255.255.0

So if I interpret this correctly, then traffic matching ACL acl-vpntalk will go over the VPN tunnel.

As far as other access lists go, on my inside interface I have:

access-group acl-inside in interface inside

acl-inside being:

access-list acl-inside permit ip any any

So nothing fancy there.

Now, just considering all of this, I am concluding that I am allowing any and all traffic coming from the remote network into my site. So all traffic from 172.17.144.0/24 is being allowed to reach my network.

However, I am not sure if that conclusion is correct.

This ACL is applied too:

access-group acl-outside in interface outside

And it looks like:

access-list acl-outside deny ip any any

I am uncertain if this ACL is also applied to traffic coming from the IPSEC peer. It is for sure incoming on the outside interface, but whether this is valid for IPSEC traffic I do not know.

If it is valid, then am I correct to conclude that only connections initiated from my inside network towards the remote will be allowed back?

Thanks in advance for your thoughts.

With kind regards,

Kevin

Accepted Solution

scheikhnajib
Level 1

Hi Kevin,

Here are my comments, hope you find them helpful:

1. The ACL called "acl-vpntalk" defines the traffic that will travel the IPSec tunnel, so you got this right. All traffic from the group that is named "my_inside_network" going to 172.17.144.0/24 will go through the tunnel, and there should be a similar reversed ACL on the other VPN end.

2. The "acl-inside" applied to the inside interface allows any outbound IP traffic from the inside to any destination.

3. The "acl-outside" denies all traffic from getting into your inside network, but the IPSec traffic will be exempt and will pass through, since you will find a command "sysopt connection permit-ipsec" configured on your PIX which tells the OS to allow any traffic terminating on VPN tunnels without explicitly allowing it through the inbound ACL. If you stopped the "sysopt", your traffic should stop and you will have more control over your tunnel traffic.

Personally, I usually disable the "sysopt" and control the VPN traffic within my inbound ACL.

Just a quick note, if you look deeper into the ACL functionality on the PIX, you will find that no traffic will move to the inside if it was not allowed on the outside interface. For instance, you might allow traffic between "inside" and "dmz" interfaces by adding an "allow" entry on one of the ACLs applied on one of these interfaces. But when you want to allow traffic to come from the outside interface (security level 0), you will need to allow it in the inbound ACL applied on the outside interface.

I might have written some vague stuff, but hopefully you get my point.

Thanks.

Salem.

Dear Salem,

You were correct in assuming that there was a "sysopt connection permit-ipsec" in the configuration. I suspected that it was set up like that, but this "sysopt" line was unknown to me.

In any case, you clearly explained to me how to interpret what traffic was going over the tunnel (in both directions). Thanks.

I have been reading something about how the PIX handles allowing traffic between interfaces of a different security level. It wasn't immediately clear to me, I'll have to read about it some more.

Again, thanks for your feedback, it was a great help.

Maybe one more thing though, let's say I disable that "sysopt" and want to define what traffic I allow incoming from the VPN tunnel, do I define this ACL on the outside interface then? I need the PIX to decrypt the packet before matching it against the ACL. And unless I am mistaken, the ACL on the outside interface will make the PIX match the traffic to the encrypted ESP traffic.

Any thoughts?

With kind regards,

Kevin Huysmans

mgaysek
Level 1

Do a show sysopt

If you see this in the output

sysopt connection permit-ipsec

then your outside access-list does not apply to your crypto map and you are allowing all traffic from the remote site into your network.
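To put the three replies above together in working form, here is an added example that is not code posted by anyone in this thread. It reads a PIX running-config fragment and walks the inbound decision for a packet that arrived through the tunnel: first the crypto-map ACL (the packet must fit acl-vpntalk, mirrored, or the tunnel does not carry it at all), then the "sysopt connection permit-ipsec" bypass, and otherwise the inbound ACL on the outside interface. Without the sysopt, the PIX applies that ACL to the decrypted inner packet, not to the ESP wrapper, which is why the hardened ACL below is written against the remote private addresses and the inside service and not against the peer's public address. The two configs are constructed: the members of my_inside_network (10.1.1.0/24), the inside server 10.1.1.10, the remote host 172.17.144.20 and the single permitted service (HTTPS) are assumptions the thread never states. The parser only covers the PIX 6.x ACL syntax used here (ip/tcp/udp, any, host, object-group, network plus dotted mask, a destination "eq PORT"), and acl-inside is left out because only the inbound direction is in question.

```python
"""Added example, not code from the thread: a model of the PIX decision path for a
packet arriving over an IPsec tunnel. Order: crypto-map ACL (proxy identity), then the
'sysopt connection permit-ipsec' bypass, else the inbound ACL on outside, which the PIX
applies to the decrypted inner packet rather than to the ESP wrapper."""
import ipaddress
import re

def _net(ip, mask=None):
    # 'host X' carries no mask; ipaddress accepts the dotted netmasks PIX ACLs use.
    return ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)

def _addrs(rest):
    """Parse 'SRC DST [eq PORT]'; an address is any | host A | object-group G | A MASK."""
    toks, specs, i = rest.split(), [], 0
    while len(specs) < 2:
        if toks[i] == "any":
            specs.append(("any",)); i += 1
        elif toks[i] in ("host", "object-group"):
            specs.append((toks[i], toks[i + 1])); i += 2
        else:
            specs.append(("net", _net(toks[i], toks[i + 1]))); i += 2
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return specs[0], specs[1], dport

def parse_config(text):
    cfg = {"acls": {}, "groups": {}, "access_groups": {}, "crypto_acl": None, "permit_ipsec": False}
    group = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"object-group network (\S+)$", line):
            group = cfg["groups"].setdefault(m.group(1), [])
            continue
        if (m := re.match(r"network-object (?:host (\S+)|(\S+) (\S+))$", line)) and group is not None:
            group.append(_net(m.group(1) or m.group(2), m.group(3)))
            continue
        group = None  # any other top-level command ends the object-group block
        if m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(
                (m.group(2), m.group(3)) + _addrs(m.group(4)))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m.group(1)
        elif line in ("sysopt connection permit-ipsec", "no sysopt connection permit-ipsec"):
            cfg["permit_ipsec"] = not line.startswith("no ")
    return cfg

def _match_addr(spec, ip, groups):
    if spec[0] in ("any", "host"):
        return spec[0] == "any" or ip == ipaddress.ip_address(spec[1])
    return any(ip in n for n in (groups[spec[1]] if spec[0] == "object-group" else [spec[1]]))

def acl_verdict(cfg, name, proto, src, dst, dport=None):
    """First matching entry wins; running off the end is the PIX's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, s, d, port in cfg["acls"].get(name, []):
        if aproto not in ("ip", proto) or (port is not None and port != dport):
            continue
        if _match_addr(s, src, cfg["groups"]) and _match_addr(d, dst, cfg["groups"]):
            return action == "permit"
    return False

def inbound_vpn_allowed(cfg, proto, src, dst, dport=None):
    """(allowed, reason) for a decrypted packet from the peer site aimed at inside."""
    # 1. Crypto ACL is written local -> remote, so check the inbound packet mirrored;
    #    anything outside it is not carried by this tunnel at all.
    if not acl_verdict(cfg, cfg["crypto_acl"], "ip", dst, src):
        return False, f"not in crypto ACL {cfg['crypto_acl']}"
    # 2. With the sysopt present the interface ACL is never consulted.
    if cfg["permit_ipsec"]:
        return True, "sysopt connection permit-ipsec bypasses the outside ACL"
    # 3. Otherwise the inbound ACL on outside is evaluated on the decrypted packet.
    acl = cfg["access_groups"].get("outside")
    ok = acl_verdict(cfg, acl, proto, src, dst, dport)
    return ok, f"{'permitted' if ok else 'denied'} by {acl} on outside"

# Constructed config modelled on the thread; my_inside_network = 10.1.1.0/24 is assumed.
PERMISSIVE = """
object-group network my_inside_network
 network-object 10.1.1.0 255.255.255.0
access-list acl-vpntalk permit ip object-group my_inside_network 172.17.144.0 255.255.255.0
access-list acl-outside deny ip any any
access-group acl-outside in interface outside
crypto map ANTsa 2 match address acl-vpntalk
sysopt connection permit-ipsec
"""
# Same tunnel, bypass removed; the outside ACL now spells out what the remote site may
# initiate (assumed: HTTPS to one server) and deny ip any any catches the rest.
HARDENED = PERMISSIVE.replace(
    "sysopt connection permit-ipsec", "no sysopt connection permit-ipsec").replace(
    "access-list acl-outside deny ip any any",
    "access-list acl-outside permit tcp 172.17.144.0 255.255.255.0 host 10.1.1.10 eq 443\n"
    "access-list acl-outside deny ip any any")

FLOWS = [("tcp", "172.17.144.20", "10.1.1.10", 443),  # remote host -> inside HTTPS
         ("tcp", "172.17.144.20", "10.1.1.10", 22),   # remote host -> inside SSH
         ("tcp", "172.17.144.20", "10.1.9.9", 445)]   # destination not in my_inside_network

def summarize(cfg_text):
    cfg = parse_config(cfg_text)
    return [inbound_vpn_allowed(cfg, *flow)[0] for flow in FLOWS]
```

summarize(PERMISSIVE) comes out [True, True, False]: with the sysopt in place every flow the crypto ACL carries reaches the inside, and the only thing the remote site cannot reach is what is outside acl-vpntalk. summarize(HARDENED) comes out [True, False, False]: the same tunnel, but now only the HTTPS flow the outside ACL names gets through. On the box itself the equivalent check is the one mgaysek describes, "show sysopt", followed by "show access-list acl-outside".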
