I'm running a site-to-site VPN on a Cisco PIX, and when I scanned my PIX I saw port 1723 open. Now what I want is to filter it and allow only my other VPN server to access it and no one else, so I need to write 2 rules: one which will allow the other VPN server to access my VPN server and another to deny everyone else.
Now the problem that I'm having is I'm allowing or denying traffic from the internet to my outside interface, since my outside interface is the one that faces the internet. The problem itself is I can't create a rule which is
deny any port pptp to my outside port pptp
no communication is allowed between two interfaces which have the same security level
How would I go about it? How do I deny traffic from the internet to my outside interface?
Unfortunately, you cannot do this. As soon as you configure the PIX to terminate PPTP connections from clients, the PIX starts listening on TCP/1723. Access-lists on the PIX only affect traffic *through* the PIX rather than *to* the PIX. Ideally, you would want to have another device inside the PIX terminating the PPTP tunnels and let the PIX filter which devices were allowed to even get to the PPTP server. However, this is not a cost-effective solution in a lot of cases. The behavior you have seen is a side-effect of enabling services on a firewall rather than letting it just be a firewall. Hope this helps explain.
Well.. I mean, what good is this firewall if you can't filter anything there? VPN (PPTP) was just an example.. let's say I want to filter another port.. or I mean.. what can I filter? I just don't understand..
What Scott is trying to say is, if you really want the PIX to be able to filter all traffic traversing it, you need to stop using it as a device other than a firewall (i.e. a VPN server...). Basically, don't use it for VPN connections, don't use it for DHCP, and don't use any services other than the firewall itself... When you activate this service, you are (like you have discovered) limiting your ability to control all traffic your PIX will receive.
If you are really concerned with ultimate control (which you should be if you are security minded), either start using a Microsoft VPN server on the inside of the PIX; that way you can control at the IP level which machines can make a connection to 1723 to the VPN server's IP. Or you can place a second PIX in front of your existing one, which will act as your true first line of defense.
Now, I have to say, I enjoy the fact that PPTP is a service option on the PIX, but it would also be nice if Cisco could update the IOS so that any enabled services on the PIX itself sit behind the firewall process; then access-lists can protect the PIX's other services.
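The approach the replies recommend (terminate PPTP on a server behind the PIX and let the PIX filter who may reach it) looks like the following on a PIX 6.x. This is an added illustration, not configuration from any of the posters; every address is a made-up RFC 5737 example (192.168.1.10 is the assumed inside PPTP server, 203.0.113.10 its assumed public address, 198.51.100.5 the assumed remote VPN peer), and the access-list name `outside_in` is arbitrary. PPTP needs two things to pass: the TCP/1723 control channel and GRE (IP protocol 47) for the tunnelled data, so both are permitted from the peer only, and everything else inbound is explicitly denied.

```text
! Publish the inside PPTP server on a public address (assumed addresses)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Only the remote VPN peer may open the PPTP control channel ...
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 1723
! ... and carry the GRE data channel
access-list outside_in permit gre host 198.51.100.5 host 203.0.113.10
! Everyone else on the internet is dropped (logged for review)
access-list outside_in deny ip any any log

! Apply it inbound on the internet-facing interface
access-group outside_in in interface outside

! Optional, assumes PIX 6.3+: the PPTP fixup inspects the control channel
! and tracks the GRE session, which matters if PAT is in use
fixup protocol pptp 1723
```

The caveat the thread already states still applies: this only works if the PIX itself no longer terminates PPTP. As long as `vpdn enable outside` remains configured, the PIX keeps listening on TCP/1723 on its own outside address, and no access-list applied to that interface will hide it, because the access-list governs traffic through the box, not traffic addressed to it. Remove the PIX's own PPTP (vpdn) configuration first, then confirm with a scan of the outside address that 1723 is closed, and with a second scan of 203.0.113.10 from a non-peer source that it is filtered.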