[fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX

From: John Galt (jgalt163_at_comcast.net)
Date: 08/23/04

  • Next message: Harald Welte: "Re: [fw-wiz] NAPT - NAT Port selection"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 23 Aug 2004 09:13:58 -0400
    
    

    Hello All,

    Can someone please clear something up for me?

    Is decrypted traffic from a site-to-site VPN sent back through an access
    list that is applied to the outside interface of a PIX?

    For example:

    If a crypto map match entry uses an access list that includes:

    permit ip 192.168.10.1 255.255.255.255 192.168.20.2 255.255.255.255

    Assuming that the VPN successfully connects and there is full IP
    connectivity between local host 192.168.10.1 and remote host 192.168.20.2.

    If I then use the access-group command on the outside interface and apply
    an access list that includes:

    permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
    deny ip host 192.168.2.20 host 192.168.1.10

    Would access be restricted to only telnet traffic from remote host
    192.168.2.20 to local host 192.168.1.10?

    Thanks.

    John

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
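    The behaviour the question asks about hinges on one PIX setting that the
    post does not mention: sysopt connection permit-ipsec (spelled sysopt
    connection permit-vpn on PIX/ASA 7.x). When it is present, packets that
    arrive through an IPsec tunnel skip the access-group ACL on the interface
    they were decrypted on; when it is absent, decrypted packets are checked
    against that ACL like any other inbound packet. The fragment below is an
    added example, not part of the original post or any reply to it. It uses
    PIX 6.x-style syntax, reuses the post's host addresses (aligned so the
    crypto ACL and the interface ACL describe the same pair of hosts), and
    assumes a peer address of 10.0.0.2 and a transform-set named "strong";
    the "!" lines are annotations, not configuration, and ISAKMP and NAT
    exemption are left out.

```text
! Added example (not from the original post). Assumed: PIX 6.x syntax,
! peer 10.0.0.2, transform-set "strong". Strip the "!" lines before pasting.

! Interesting traffic for the tunnel. PIX ACLs take subnet masks, so
! "host 192.168.1.10" and "192.168.1.10 255.255.255.255" are equivalent.
access-list vpn-traffic permit ip host 192.168.1.10 host 192.168.2.20

! Interface ACL: allow only telnet from the remote host to the local host.
access-list outside-in permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
access-list outside-in deny ip host 192.168.2.20 host 192.168.1.10
access-group outside-in in interface outside

! Bind the interesting-traffic ACL to the crypto map on the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-traffic
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 10 set transform-set strong
crypto map mymap interface outside

! The switch the question turns on. With "sysopt connection permit-ipsec"
! configured, decrypted tunnel traffic bypasses outside-in entirely, and the
! deny line above never sees it. Removing it makes decrypted packets subject
! to outside-in, so only telnet from 192.168.2.20 to 192.168.1.10 gets through.
no sysopt connection permit-ipsec
```

    Whether the bypass is on by default differs between PIX software
    releases, so rather than relying on the default, confirm the current
    value with "show sysopt" (or "show running-config sysopt" on 7.x) before
    assuming the outside ACL is being applied to tunnel traffic.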


