New Member

VPN Tunnel with only one service allowed

Hello,

got a PIX 520 with V 6.22. Now I created a VPN tunnel from our server to a server from another company and I only want to have an ssh connection. So this works pretty well, but from the other host it is possible to connect to our host by icmp, ftp, telnet, .... How can I manage to configure my PIX to deny all these services?

Here is my configuration:

name 10.x.x.x ffmz1_is
name 212.x.x.x conliner_os
name 192.168.0.250 conliner_ssh
object-group network conliner
network-object 192.168.0.0 255.255.255.0
access-list inside permit icmp host ffmz1_is any
access-list inside permit tcp host ffmz1_is any eq ftp
access-list inside permit udp host ffmz1_is any eq smtp
access-list inside permit tcp host ffmz1_is host conliner_ssh eq ssh
access-list no_nat permit ip host ffmz1_is object-group conliner
access-list conliner permit ip host ffmz1_is object-group conliner
...
crypto map VPN 30 match address conliner
crypto map VPN 30 set peer conliner_os
...

Thanks a lot


4 REPLIES
New Member

Re: VPN Tunnel with only one service allowed

Do you use the command

"sysopt connection permit-ipsec"

This command allows all traffic going through the tunnel to bypass the access-lists applied on your interface. You can remove this command and be more granular on your filtering through access-group and allow only ssh replies.

For example you could add the following line on your outside interface ACL:

access-list outside permit tcp any eq ssh host conliner_ssh

New Member

Re: VPN Tunnel with only one service allowed

Yes, I use this, so I will disable it and look.

Thank you very much for your hint, but I think there must be a reason to use this command, even when it breaks a big hole in a firewall.

And do I have to allow outside connections with port 500 and with the protocol ESP?

Very kind regards

New Member

Re: VPN Tunnel with only one service allowed

The only purpose of "sysopt connection permit-ipsec" is to allow traffic in a tunnel to bypass access-groups. It is not essential to use it, but then you must explicitly allow the traffic you want through your access-list.

The command is very useful when you have a remote client establishing a VPN using the Cisco client. Since you have to use dynamic crypto-maps and you don't know the peer IP address, if you didn't have the sysopt command, you would have to allow traffic from any source.

And you don't have to open any IPsec ports for the PIX to be able to establish the tunnel with its peer.

You need to allow udp 500 and protocol 50 - 51 when IPsec traffic traverses your firewall. Let's say you have another PIX on the inside that wants to establish a VPN across your main PIX with a third PIX on the outside; then you would need to open the ports in your main PIX.
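The two replies above describe the same mechanism from two sides: with "sysopt connection permit-ipsec" every packet that arrives through the tunnel skips the access-group on the outside interface, and without it that packet is evaluated against the outside ACL and falls to the implicit deny unless an entry permits it. The following script is an added example, not Cisco's code and not anything from this thread; it is a toy model of that decision. The outside ACL entry it uses ("permit tcp host conliner_ssh eq ssh host ffmz1_is", i.e. return traffic from the remote ssh server) is constructed for the illustration, the masked addresses from the original post are replaced by placeholder addresses, and only the ACL syntax actually used here (host/any, eq port) is parsed.

```python
"""Toy model of PIX 6.x interface-ACL evaluation for tunnelled traffic.

Added example, not Cisco's code. Models two behaviours discussed in the thread:
  * with `sysopt connection permit-ipsec`, traffic arriving through an IPsec
    tunnel bypasses the interface access-group entirely;
  * without it, the same traffic is matched against the outside ACL, and
    anything that no entry permits hits the implicit deny at the end.
"""
from dataclasses import dataclass

# Constructed `name` table in the style of the original post (the real
# addresses are masked there, so RFC 1918 placeholders are used instead).
NAMES = {"ffmz1_is": "10.0.0.5", "conliner_ssh": "192.168.0.250"}
PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 = not applicable (icmp)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str        # address or "any"
    sport: int      # 0 = any port
    dst: str
    dport: int


def _port(tok):
    return PORTS.get(tok) or int(tok)


def _addr(tokens, i):
    """Consume one address spec (`any` or `host NAME`) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        name = tokens[i + 1]
        return NAMES.get(name, name), i + 2
    raise ValueError(f"unsupported address spec at {tokens[i]!r}")


def _maybe_port(tokens, i):
    """Consume an optional `eq PORT` qualifier following an address spec."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return 0, i


def parse_ace(line):
    """Parse `access-list NAME ACTION PROTO SRC [eq P] DST [eq P]`."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _maybe_port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _maybe_port(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace, flow):
    return (ace.proto in ("ip", flow.proto)
            and ace.src in ("any", flow.src)
            and ace.dst in ("any", flow.dst)
            and ace.sport in (0, flow.sport)
            and ace.dport in (0, flow.dport))


def evaluate(acl, flow, sysopt_permit_ipsec, via_tunnel=True):
    """Return "permit" or "deny" for a packet arriving on the outside interface."""
    if sysopt_permit_ipsec and via_tunnel:
        return "permit"          # tunnel traffic bypasses the access-group
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"                # implicit deny at the end of every PIX ACL


# Constructed outside ACL: only return traffic from the remote ssh server.
OUTSIDE_ACL = [parse_ace(
    "access-list outside permit tcp host conliner_ssh eq ssh host ffmz1_is")]
OUR, PEER = NAMES["ffmz1_is"], NAMES["conliner_ssh"]

# Constructed sample flows from the remote host towards our server.
SAMPLE_FLOWS = {
    "ssh reply": Flow("tcp", PEER, OUR, 22, 51000),
    "telnet":    Flow("tcp", PEER, OUR, 40001, 23),
    "ftp":       Flow("tcp", PEER, OUR, 40002, 21),
    "icmp echo": Flow("icmp", PEER, OUR),
}


def exposure(sysopt_permit_ipsec):
    """Map each sample flow name to the verdict under the given sysopt setting."""
    return {name: evaluate(OUTSIDE_ACL, f, sysopt_permit_ipsec)
            for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"sysopt connection permit-ipsec = {flag}: {exposure(flag)}")
```

With the sysopt command modelled as present, all four flows from the remote host are permitted regardless of the ACL; with it absent, only the ssh return flow passes and telnet, ftp and icmp hit the implicit deny, which is the granularity the first reply is pointing at.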

New Member

Re: VPN Tunnel with only one service allowed

Hello,

...and thank you again for your reply - your answers are very helpful to me.

So I got a little problem. We have 5 VPN connections established, 4 with static IPs but one with a dynamic one, for which I need this "sysopt connection permit-ipsec" command. To have only as many holes in the PIX as needed, I plan to move this dynamic connection (and further ones) away and onto a router in front of the PIX with a dedicated access-list for the connection to this router.

Kind regards
