We are using a PIX firewall for site-to-site VPN's. How do we protect our network from the remote network being infected with Blaster without limiting the VPN to certain protocols. Our VPN ACL's are similar to the following:
access-list vpn permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Remove the "sysopt connection permit-ipsec" command and then update/create the access-list on the outside interface (or whatever interface you're terminating the VPN on) to block the Blaster ports from the remote LAN(s) and permit everything else. Wihtout the above sysopt command the traffic through the VPN is subject to the same acccess-list processing as other traffic, which allows you to control what can traverse the VPN.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...