I have a very basic question related to PIXs and VPNs. I know that a basic site-to-site VPN configuration starts with enabling ESP or AH and ISAKMP from the remote peer. You can do this with sysopt connection permit-ipsec or permit it with an ACL. But from PIX OS version 6.x onward there is no need to configure this explicitly with the above mentioned config, and the VPN will function.
So my question is ... should I use it (explicit ACL or sysopt) on the PIX? I mean both versions 6.x and 7.x of PIX OS.
The way the PIX handles VPN is a bit different from a router. With a router, the inbound ACL needs to include UDP 500, UDP 4500, and ESP before a tunnel can be established. However, there is no such restriction with the PIX. Yes, in other words, it's not feasible to restrict which host can initiate a VPN to the PIX (I guess it's a vulnerability).
The command "sysopt connection permit-ipsec" is then purely for traffic after decryption.
With PIX v6.x, assuming you prefer to restrict what remote VPN users can do, the only way is to disable the command "sysopt connection permit-ipsec" and then configure an inbound ACL:
no sysopt connection permit-ipsec
access-list inbound permit tcp <REMOTE-VPN-ADDRESSES> host <TERMINAL-SERVER> eq 3389
access-group inbound in interface outside
With these commands, remote VPN users can only RDP to the terminal server and nothing else.
With PIX/ASA v7, a VPN filter can be applied to an individual user. Thus I personally would leave the command "sysopt connection permit-ipsec" on and restrict users by VPN filter. It's great, you should check it out.
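As an added illustration, not part of the original answer, here is what the PIX/ASA 7.x per-user vpn-filter approach the answer recommends looks like: the sysopt stays enabled and one hypothetical user (jdoe) is limited to RDP towards a terminal server. All values in <...> are placeholders; the filter ACL is written from the remote user's inbound perspective (source = VPN client address, destination = internal host), which is how the ASA evaluates vpn-filter ACLs.

```cisco
! Added example, not from the original post. Values in <...> are placeholders.
! Keep the implicit bypass of the interface ACL for decrypted VPN traffic, as the
! answer suggests (later ASA releases name this "sysopt connection permit-vpn").
sysopt connection permit-ipsec
!
! Address pool handed to remote-access clients. The filter ACL below is written
! from the client's inbound perspective: source = client, destination = internal host.
ip local pool VPN-POOL <POOL-START>-<POOL-END> mask 255.255.255.0
!
access-list VPN-RDP-ONLY extended permit tcp <POOL-NET> <POOL-MASK> host <TERMINAL-SERVER> eq 3389
! No explicit deny line is needed: a vpn-filter ACL ends in an implicit deny, so
! everything else from this user is dropped after decryption.
!
group-policy RDP-ONLY internal
group-policy RDP-ONLY attributes
 address-pools value VPN-POOL
 vpn-filter value VPN-RDP-ONLY
!
! Bind the restricted policy to one user; other users keep their own (unfiltered) policy.
username jdoe password <PASSWORD>
username jdoe attributes
 vpn-group-policy RDP-ONLY
!
! To confirm which filter a connected session actually received:
! show vpn-sessiondb remote filter name jdoe
```

The filter only governs traffic after decryption; as the answer notes, it does not limit which peers may attempt IKE towards the outside interface.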