Re: [fw-wiz] Pass-through VPN
From: Patrick M. Hausen (hausen_at_punkt.de)
To: "Hughes, Chris" <Chris.Hughes@thalescomminc.com>
Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)
> > Inbound traffic normally requires an access-list or conduit statement to
> > allow it to pass.
> > But by using the sysopt connection permit-ipsec command, the inbound
> > ipsec traffic bypasses all access-lists and conduits.
> > Since you can't block inbound traffic on the internal interface as you
> > can with a cisco router, the traffic cannot be filtered at this point.
> > To lock this traffic down, use ACLs without using the sysopt command.
> What would those ACLs look like? Allow udp ports 500 and 4500?
No, no no ... :-)
The point of the "sysopt connection permit-ipsec" command is to
pass all traffic that is _in_ the VPN tunnel unchecked by ACLs.
The externally visible ESP packets are of course always accepted.
Same for IKE and everything else that is necessary for a successful
If the sysopt command is active, after establishing a VPN tunnel
by e.g. an external software client, this client can tunnel
_arbitrary_ IP traffic to the internal LAN. Browse the network
neighborhood in a windows environment etc. pp.
There may be scenarios when you don't want that. I have one client
that wants to give external users access to a cluster of Citrix
terminal servers, but nothing else. So this customer has the
"sysopt ... permit-ipsec" disabled.
Now the IPSec tunnel is still established without any additional
rules, the PIX does IKE just the same way, ... only _after_ the
tunnel is established the client can't pass traffic through
it. Unless you create additional access rules that state e.g.
Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA
Disabling the sysopt command gives you a finer control of what is
allowed _through_ IPSec connections, not control of the connections
Hope that helps,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0
Fax: -100
http://punkt.de
_______________________________________________
firewall-wizards mailing list
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
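The two PIX variants Patrick describes, written out as an added configuration example (not taken from the thread or from any real deployment): the weak form with `sysopt connection permit-ipsec`, and the locked-down form that disables it and admits only ICA from the VPN client pool to the Citrix cluster. The ACL name, the client pool and the subnets are assumptions; TCP 1494 is the standard Citrix ICA port, and the crypto map / isakmp configuration that builds the tunnel is identical in both variants and omitted.

```cisco
! --- Weak variant: every packet that arrives inside the IPsec tunnel
!     bypasses the interface access-lists entirely ---
sysopt connection permit-ipsec

! --- Locked-down variant: decrypted tunnel traffic is subject to the
!     access-list bound to the outside interface ---
no sysopt connection permit-ipsec

! hypothetical address pool handed to the external software clients
ip local pool VPN-CLIENTS 10.200.0.1-10.200.0.254

! only ICA (TCP 1494) from the VPN client pool to the terminal-server cluster
access-list OUTSIDE-IN permit tcp 10.200.0.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 1494

! anything else a client tries to push through the tunnel (SMB browsing,
! RDP, ping sweeps of the LAN) is dropped and logged for review
access-list OUTSIDE-IN deny ip 10.200.0.0 255.255.255.0 any log

access-group OUTSIDE-IN in interface outside
```

If the outside interface already carries rules for public-facing servers, those entries have to stay ahead of the client-pool deny line, since the PIX evaluates the list top down. The tunnel itself (IKE on UDP 500/4500, ESP) still comes up exactly as before; only what may cross it is now enumerated.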