Re: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX
From: stephane nasdrovisky (stephane.nasdrovisky_at_paradigmo.com)
Date: 08/25/04
- Previous message: Smith, Aaron: "RE: [fw-wiz] VPN endpoints"
- In reply to: John Galt: "[fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 25 Aug 2004 16:49:13 +0200
John Galt wrote:
> Is decrypted traffic from a site-to-site VPN sent back through an
> access list that is applied to the outside interface of a PIX?
I'm sorry, I do not know anything about PIX! It would be a bad idea from
Cisco, as it would mean your VPN traffic and your (untrusted) internet
one would share a single ACL!
> permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
> deny ip host 192.168.2.20 host 192.168.1.10
You forgot the most important keyword in your deny command: log (I assume
PIX ACLs are very similar to Cisco IOS ones). Reading logs is sometimes
more interesting than trying to guess what's happening!
Note that log may also be added after permit lines (especially useful
for debugging, and lighter than enabling Cisco's debug output).
Adding such 'log' entries would log, e.g., telnet, tftp, snmp, VPN access
to/through your router.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
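The reply's point is that ACL entries with the `log` keyword turn guessing into reading: once permit/deny lines log, the syslog output itself shows which flows were hitting the outside interface. As an added example (not from the thread or from Cisco), the script below parses IOS-style `%SEC-6-IPACCESSLOGP` messages, the message format assumed here, from a few constructed log lines and totals the denied packets per source, destination, protocol and port.

```python
import re
from collections import Counter

# Regex for Cisco IOS-style ACL log messages (%SEC-6-IPACCESSLOGP), the
# format assumed here; the sample lines below are constructed, not real logs.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: the hosts from the original question, plus an
# unrelated syslog line to show that non-ACL messages are ignored.
SAMPLE_LOG = """\
Aug 25 16:49:01: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.2.20(3345) -> 192.168.1.10(23), 1 packet
Aug 25 16:49:05: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.2.20(3346) -> 192.168.1.10(22), 1 packet
Aug 25 16:49:09: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.2.20(1025) -> 192.168.1.10(69), 3 packets
Aug 25 16:49:12: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.2.20(1026) -> 192.168.1.10(161), 2 packets
Aug 25 16:49:20: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_acl_log(text):
    """Return one dict per ACL log line; syslog lines of other types are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def summarize_denies(events):
    """Packets denied per (src, dst, proto, dport): the picture 'log' gives you."""
    totals = Counter()
    for ev in events:
        if ev["action"] == "denied":
            key = (ev["src"], ev["dst"], ev["proto"], int(ev["dport"]))
            totals[key] += ev["count"]
    return totals


if __name__ == "__main__":
    for key, n in sorted(summarize_denies(parse_acl_log(SAMPLE_LOG)).items()):
        print(f"{key[0]} -> {key[1]} {key[2]}/{key[3]}: {n} packets denied")
```

Feeding the router's real syslog export instead of SAMPLE_LOG gives the same per-flow deny table; the permitted lines are kept in the parsed events so they can be summarised the same way when debugging a permit entry.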