Re: [fw-wiz] Pass-through VPN

From: Patrick M. Hausen (
Date: 10/25/04

  • Next message: Catalina Scott Contr AFCA/EVEO: "RE: [fw-wiz] Pass-through VPN"
    To: "Hughes, Chris" <>
    Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)


    > > Inbound traffic normally requires an access-list or conduit statement to
    > > allow it to pass.
    > >
    > > But by using the sysopt connection permit-ipsec command, the inbound
    > > ipsec traffic bypasses all access-lists and counduits.
    > >
    > > Since you can't block inbound traffic on the internal interface as you
    > > can with a cisco router, the traffic cannot be filtered at this point.
    > >
    > > To lock this traffic down, use ACLs without using the sysopt command.

    > What would those ACLs look like? Allow udp ports 500 and 4500?

    No, no no ... :-)

    The point of the "sysopt connection permit-ipsec" command is to
    pass all traffic that is _in_ the VPN tunnel unchecked by ACLs.
    The externally visible ESP packets are of course always accepted.
    Same for IKE and everything else that is necessary for a succesfull
    IPSec connection.

    If the sysopt command is active, after establishing a VPN tunnel
    by e.g. an external software client, this client can tunnel
    _arbitrary_ IP traffic to the internal LAN. Browse the network
    neighborhood in a windows environment etc. pp.

    There may be scenarios when you don't want that. I have one client
    that wants to give external users access to a cluster of Citrix
    terminal servers, but nothing else. So this customer has the
    "sysopt ... permit-ipsec" disabled.
    Now the IPSec tunnel is still established without any additional
    rules, the PIX does IKE just the same way, ... only _after_ the
    tunnel is established the client can't pass traffic through
    it. Unless you create additional access rules that state e.g.

    Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA

    Disabling the sysopt command gives you a finer control of what is
    allowed _through_ IPSec connections, not control of the connections

    Hope that helps,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
    firewall-wizards mailing list

  • Next message: Catalina Scott Contr AFCA/EVEO: "RE: [fw-wiz] Pass-through VPN"