Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Limiting inbound ports encapsulated within IPSEC

Using a PIX with version 6.2

Terminating a tunnel using IPSEC.

What is the best way to limit inbound ports?

Say the far end of the tunnel is terminated on a partner firewall. I want to allow in https over the tunnel, and only https.

Since the PIX uses only inbound access lists, how can I filter for https?

The inbound access-lists on the outside interface will limit the traffic to only IPSec (or using 'sysopt connection permit-ipsec'), but there doesn't seem to be a limiting filter after that.

The only limits appear to be the ACL used to match the addresses that are encrypted between. Will this limit by port inbound or is it already in the state-table since it was initiated from the far side?

This looks like it could limit what is initiated out to the remote network but not what is initiated in from the remote network. This is troublesome because that would force me to rely on them limiting at their end to protect my security.

Thanks for any help,

Scot

4 REPLIES
New Member

Re: Limiting inbound ports encapsulated within IPSEC

Scot,

What you will have to do here is remove the sysopt connection permit-ipsec from your pix and use access-list to filter traffic from the outside in. You wont be able to restrict the traffic on the inside interface from returning because once the traffic goes from the outside to the inside, it will be allowed back out even if you set up a deny ip any any. Not quite as dynamic, but it will get the job done with what you are looking to do. Since removing the sysopt command, you will have to create access-list for any other vpn tunnels that need different access. Other option is to filter the traffic on a router or something on the inside of your pix. Bleh.

Kurtis Durrett

New Member

Re: Limiting inbound ports encapsulated within IPSEC

Kurtis,

But won't that just allow me to filter on udp500 and protocols 50 and 51? Since that is what they are encapsulated in when they hit the external interface.

The traffic hits the outside interface as protocol 50, I have an ACL permitting IP Protocol 50, then the firewall decrypts it, way to filter?, the firewall routes it.

I'm looking for a way to filter traffic after it's been decrypted but before it is forwarded out any of the other interfaces.

Thanks,

Scot

New Member

Re: Limiting inbound ports encapsulated within IPSEC

Scot,

If you remove sysopt connection permit-ipsec thats exactly what will happen. The traffic will be decrypted and still has to go through that access-group applied to the outside interface. You dont need to permit esp or isakmp through the pix, the pix will still terminate the tunnel. An access-list with those entries would only be for passthrough the pix and not for terminating on the pix. The sysopt command is to allow all traffic thats basically decrypted through the tunnel to continue on through the pix. Remove that command and you will now have to have an access-list to permit that traffic. Guarantee it. Your access-list will have to permit the remote inside network, even if its private, to your inside network, even if its private as well. Unless you actually nat the traffic, seen that several times.

Kurtis Durrett

New Member

Re: Limiting inbound ports encapsulated within IPSEC

Kurtis,

Thanks. Will try it. Thanks.

Scot.

96
Views
5
Helpful
4
Replies
CreatePlease to create content