Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
3
Replies

PIX's firewall rule

alexus
Level 1
Level 1

‎01-23-2004 08:42 AM - edited ‎02-20-2020 11:12 PM

Hello

I'm running a site-to-site VPN at Cisco PIX, and when I scaned my pix i see port 1723 open, now i what i want is to filtre it and allow only my other vpn server to access it and no one else, so i need to write 2 rules, one which will allow other vpn server to access my vpn server and another deny everyone else,

now the problem thats i'm having is i'm allowing or denying traffic from internet to my outside interface due to my outside interface is the one that face internet, problem itself is i can't create a rule which is

deny any port pptp to my outside port pptp

it's saying

no communication is allowed between two interfaces which have same security level

how whould i go about it? how do i deny traffic from internet? to my outside interface?

thanks in advance

0 Helpful
3 Replies 3

scoclayton
Level 7
Level 7

‎01-23-2004 12:56 PM

Hi,

Unfortunately, you cannot do this. As soon as you configure the PIX to terminate PPTP connections from clients, the PIX starts listening on TCP/1723. Access-lists on the PIX only affect traffic *through* the PIX rather than *to* the PIX. Ideally, you would want to have another device inside the PIX terminating the PPTP tunnels and let the PIX filter which devices were allowed to even get to the PPTP server. However, this is not a cost-effective solution in a lot of cases. The behavior you have seen is a side-effect of enabling services on a firewall rather than letting it just be a firewall. Hope this helps explain.

Scott

0 Helpful

alexus
Level 1
Level 1
In response to scoclayton

‎01-23-2004 11:20 PM

well.. i mean what good is this firewall for if you can't filter anything there? vpn (pptp) was just an example.. let's say i want to filter another port.. or i mean.. what can I filter? i just dont understand..

0 Helpful

jdepies
Level 1
Level 1
In response to alexus

‎01-25-2004 12:15 AM

Alexus,

What Scott is trying to say is, if you really want the PIX to be able to filter all traffic traversing it, you need to stop using it as a device other than a firewall (i.e. a VPN server...). Basically, don't use it for VPN connections, don't use it for DHCP, and don’t use any services other than the firewall itself... When you activate this service, you are (like you have discovered), limiting your ability to control all traffic your PIX will receive.

If you are really concerned with ultimate control (which you should be if you are security minded), either start using a Microsoft VPN server on the inside of the pix, that way you can control at the IP level which machines can make a connection to 1723 to the VPN server's IP. Or, you can place a second pix in front of your existing one, which will act as your true first line of defense.

Now, I have to say, I enjoy the fact that PPTP is a service option on the pix, but it would also be nice if Cisco could update the IOS so that any enabled services on the PIX itself sit behind the firewall process, then access-lists can protect the PIX's other services.

Jeff

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card