Limiting inbound ports encapsulated within IPSEC

scothartman
Level 1

Using a PIX with version 6.2

Terminating a tunnel using IPSEC.

What is the best way to limit inbound ports?

Say the far end of the tunnel is terminated on a partner firewall. I want to allow in https over the tunnel, and only https.

Since the PIX uses only inbound access lists, how can I filter for https?

The inbound access-lists on the outside interface will limit the traffic to only IPSec (or using 'sysopt connection permit-ipsec'), but there doesn't seem to be a limiting filter after that.

The only limits appear to be the ACL used to match the addresses that are encrypted between. Will this limit by port inbound or is it already in the state-table since it was initiated from the far side?

This looks like it could limit what is initiated out to the remote network but not what is initiated in from the remote network. This is troublesome because that would force me to rely on them limiting at their end to protect my security.

Thanks for any help,

Scot

4 Replies

kdurrett
Level 3

Scot,

What you will have to do here is remove the sysopt connection permit-ipsec from your PIX and use an access-list to filter traffic from the outside in. You won't be able to restrict the traffic on the inside interface from returning, because once the traffic goes from the outside to the inside, it will be allowed back out even if you set up a deny ip any any. Not quite as dynamic, but it will get the job done with what you are looking to do. Once you remove the sysopt command, you will have to create access-list entries for any other VPN tunnels that need different access. The other option is to filter the traffic on a router or something on the inside of your PIX. Bleh.

Kurtis Durrett

Kurtis,

But won't that just allow me to filter on UDP 500 and protocols 50 and 51, since that is what they are encapsulated in when they hit the external interface?

The traffic hits the outside interface as protocol 50; I have an ACL permitting IP protocol 50; then the firewall decrypts it (way to filter?); then the firewall routes it.

I'm looking for a way to filter traffic after it's been decrypted but before it is forwarded out any of the other interfaces.

Thanks,

Scot

Scot,

If you remove sysopt connection permit-ipsec, that's exactly what will happen. The traffic will be decrypted and still has to go through the access-group applied to the outside interface. You don't need to permit ESP or ISAKMP through the PIX; the PIX will still terminate the tunnel. An access-list with those entries would only be for passing through the PIX, not for terminating on the PIX. The sysopt command is to allow all traffic that's decrypted from the tunnel to continue on through the PIX. Remove that command and you will now have to have an access-list to permit that traffic. Guarantee it. Your access-list will have to permit the remote inside network, even if it's private, to your inside network, even if it's private as well. Unless you actually NAT the traffic; seen that several times.

Kurtis Durrett
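The procedure Kurtis describes across his two replies, shown as a PIX 6.x configuration fragment. This is an added example, not configuration from the original thread or from either poster. All addresses and names are assumptions for illustration: local inside network 10.1.1.0/24 with the HTTPS server at 10.1.1.10, partner inside network 192.168.50.0/24, partner peer 203.0.113.1, and the ACL, crypto map and transform-set names. The lines beginning with ! are annotations, not commands.

```cisco
! Crypto ACL: which address pairs get encrypted (matched symmetrically,
! so it selects traffic in both directions but does not restrict ports).
access-list partner-vpn permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! Exempt the tunnel traffic from NAT so private-to-private addressing survives.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! BEFORE: decrypted tunnel traffic bypasses the outside-interface ACL entirely,
! so the partner can initiate anything to 10.1.1.0/24.
sysopt connection permit-ipsec

! AFTER: remove the bypass so decrypted packets are checked against the
! access-group on the outside interface before being forwarded inside.
no sysopt connection permit-ipsec

! Only HTTPS from the partner network to the local server is permitted after
! decryption. No "permit esp" or "permit udp ... eq isakmp" entry is needed:
! those would be for IPsec passing through the PIX, not terminating on it.
access-list outside_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
! Any other tunnels terminating on this PIX now need their own entries here,
! for example (assumed second partner network):
! access-list outside_in permit tcp 172.16.9.0 255.255.255.0 host 10.1.1.10 eq 443
access-group outside_in in interface outside

! Tunnel definition (assumed names and policy).
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set partner-ts esp-3des esp-sha-hmac
crypto map partnermap 10 ipsec-isakmp
crypto map partnermap 10 match address partner-vpn
crypto map partnermap 10 set peer 203.0.113.1
crypto map partnermap 10 set transform-set partner-ts
crypto map partnermap interface outside
```

Connections initiated from the inside toward the partner network are still allowed, since inside-to-outside is permitted by default and replies return through the state table; the outside ACL only governs what the partner can initiate. The 3DES/SHA-1 parameters are used because they are what a PIX 6.2 offers, not because they are acceptable today.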

Kurtis,

Thanks. Will try it. Thanks.

Scot.
