sysopt on my pix

atdhingr · ‎09-11-2003

I have the vpn set up between a pix and netscreen and everything works.

I have no control over the netscreen or its network. It has one host and clients on the inside of the pix have to telnet to the host.

I want to make sure that I protect my network from that machine. I know there has to be an access-list on the outside interface of my box...buty for that I have to remove:

sysopt connection permit-ipsec

But I dont want to remove the above command as I will run into trouble with other tunnels running on the PIX.

So my question is:

I want users behind PIX to be able to access a host behind netscreen but dont want that host to access my network behind PIX.... can I do that without removing sysopt.

Thanks in advance

Atul.

mostiguy · ‎09-11-2003

TCP is a 2 way street. You need to allow the telnet server to send replies back to your hosts. That said, you could apply an inbound acl to the inside int of your pix to limit what goes back:

Assume the remote network is 192.168.0.0/24

Assume the remote telnet server is 192.168.0.5

access-list 105 deny ip any 192.168.0.0 255.255.255.0

access-list 105 permit tcp any host 192.168.0.5 eq 23

access-list 105 permit ip any any

this should do what you seek:

line 1 blocks all traffic to their network.

line 2 only allows tcp traffic going to port 23 (telnet) of their telnet server

line 3 allows all traffic that does not match 1 or 2 to pass - this allows all of your other traffic to pass, just like it would before you started restricting outbound data flow (pix default is to allow all out, and block all in)