Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1516
Views
0
Helpful
3
Replies

understanding access-list on pix

aalbler
Level 1
Level 1

‎10-27-2001 07:25 AM - edited ‎02-20-2020 09:53 PM

Hi,

I´m a little bit confused about acccess-lists on the ix.

My questions:

a) Does an access-list on an inside (higher security interface contain a implicit (not viewable) "deny any any" statement?

b) Assume IPSEC clients are terminated on the outside interface and sysopt conn permit-ipsec is set:

1) Can IPSec users access the whole network? (all interfaces on the pix)

Are static/nat statements for the inside networks necessary to gain access from the ipsec users ip range?

2) Do I have to permit anything on the access-lists of my inside interface(s) (including DMZ)?

3) What would happen if sysopt conn permit-ipsec is NOT set?

Thanks in advance for answering my (stupid?) questions.

Alex

0 Helpful
3 Replies 3

macatalano
Level 1
Level 1

‎10-27-2001 08:13 AM

Alex,

ACL's on a PIX are a bit different if you're used to conduits. In answer to your questions:

a) Yes, it most certainly does. When you apply an ACL on a higher security interface start by blocking the outbound traffic you don't want, then permit everything else (or write a list of explicit permits which would not be easy).

b-1) Yes, they have full access except in two cases. First, if you're using vpngroups with split tunneling you'll find that they can only access resources in the internal networks you listed when you defined the split tunneling ACL. Second, if you're using authorization you can restrict access with using an ACL. This requires a AAA server. No statics or conduits are required.

b-2) It depends. For just generic client VPN, no. Keep in mind that as soon as you apply an ACL to a PIX interface the usual higher-to-lower-is-permited behavior changes. For example, if I write an ACL to permit a DMZ host access to a higher-security network, I have to make sure that my ACL then explicitly permits traffic to lower-security interfaces, or the internet (assuming I want this). The implicit deny of a Cisco ACL is very much in effect.

b-3) I don't know, I haven't tried it. My understanding is that you'd have to write an outside interface ACL that explicity permits IPSec traffic. If you want to restrict VPN users there are easier ways.

Your questions aren't stupid, it's not a clear-cut subject. Let me know if anything needs clarification. Have a nice weekend.

Mike

0 Helpful

HEATH FREEL
Level 1
Level 1
In response to macatalano

‎10-27-2001 11:16 AM

Although Cisco says it is not recommended I have had great success in using Conduits for Firewall Rules and ACL's for VPN rules.

I feel that the limitation of only allowing inbound ACL's makes the config on a Multi-Interface PIX way too complex.

0 Helpful

hermesromero
Level 1
Level 1
In response to macatalano

‎11-27-2001 01:01 PM

Hi

Can you please help with links were I can find the split tunneling and authorization.

Regards

Hermes

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card