1- PIX 6.3(1) with 2 site-to-site VPNs and client VPN on the outside interface.
2- "no sysopt connection permit-ipsec" to better control traffic coming from the 2 site-to-site tunnels with an access-list on the outside interface.
3- VPN client with authentication on TACACS+ with a dynamic access-list defined locally on the PIX.
When a VPN client connects to the PIX, I can see a dynamic ACL "dynaclxx" permitting responses from the inside network, but no dynamic ACL on the outside interface. The dynamic ACL assigned by the TACACS+ is active and running, and
with the "show uauth" command I can see the dynamic ACL applied to the user, but I need to insert a static ACL line in the outside ACL to permit traffic coming from the VPN client (with sysopt enabled, no problem).
The problem is spoofing caused by the static line inserted in the outside ACL!
This is the expected behaviour, and you will need to open up that traffic using a static entry in the outside (inbound) ACL.
Using sysopt avoids such threats. If you want to restrict traffic, you can use an inbound ACL on the inside interface(s), or use a proper split-tunnel list to let clients encrypt only what they are supposed to encrypt.
Afaq, with "no sysopt connection permit-ipsec", do you think I can resolve the threats with RADIUS in place of TACACS+? Or with a dynamic ACL defined on the ACS in place of a dynamic ACL defined on the PIX?
Actually, no dynamic ACL (defined on the PIX and recalled by the ACS) is added to the outside static access-list during the VPN client session.
With "sysopt connection permit-ipsec" I have no problem, but I can see reduced control on the site-to-site VPN.
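The following PIX 6.3 fragment is an added illustration of the approach Afaq suggests above; it is not configuration posted by anyone in this thread. It keeps the default `sysopt connection permit-ipsec` (so decrypted client traffic is not matched against the outside ACL and no spoofable static permit line is needed there), limits which inside hosts may open connections toward the client pool with an inbound ACL on the inside interface, and uses a split-tunnel list so clients encrypt only traffic for the internal LAN. The pool range, subnet 10.1.1.0/24, the admin host 10.1.1.5, the group name `vpnusers` and the ACL names are all assumptions made for the example.

```text
! Added example (not from the thread). Addresses, names and the
! admin host are assumptions; adapt them to the real deployment.

! Address pool handed out to remote-access clients (assumed range,
! covered by 192.168.10.0 255.255.255.192 in the ACLs below)
ip local pool vpnpool 192.168.10.1-192.168.10.50

! Keep the default: decrypted IPsec traffic bypasses the outside ACL.
! The outside ACL then only governs cleartext arrivals, so there is no
! "permit ... from the pool" line for a cleartext packet to impersonate.
sysopt connection permit-ipsec

! Split-tunnel list: only traffic between the internal LAN and the
! client pool is encrypted; everything else leaves the client unencrypted
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.192

vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers split-tunnel split_tunnel
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password <group-preshared-key>

! Inbound ACL on the inside interface: only the assumed admin host may
! initiate connections toward VPN clients; all other inside hosts may
! still answer client-initiated sessions (stateful) and reach elsewhere.
access-list inside_in permit ip host 10.1.1.5 192.168.10.0 255.255.255.192
access-list inside_in deny ip any 192.168.10.0 255.255.255.192
access-list inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

What each client may reach on the inside is still governed by the per-user ACL the TACACS+ server assigns, which `show uauth` displays for the authenticated session, so the inside ACL above restricts only connections that inside hosts initiate toward the clients. With this layout the outside ACL stays dedicated to the cleartext traffic of the two site-to-site peers, which is the control the thread wanted to retain.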