Re: [fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames



Vahid Pazirandeh wrote:
Quick version:
1. I don't want VPN access open to the entire world. Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?



I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients with IP 1.2.3.4 to log in, but the problem
is they still receive a login prompt. Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?

kind regards,
Vahid


=============================================
"Make it better before you make it faster."
=============================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Okay -
How will you try to restrict access based on ACLs for remote access
VPN? Think about all the DHCP users (like broadband or dialup
connections) who will be logging in and whose IP address is not guaranteed to
be static (the same) all the time.

That's why you have remote access VPN instead of a LAN2LAN tunnel! Well, I
am not saying you cannot do that, but it kinda defeats the purpose for me.

In fact, do not trust anything, either hostnames or IPs. Use secure keys
and you will be safe, that is, relatively.

BTW the first process of any VPN is IKE, which actually listens on port
500. Now, 10000 is the standard PIX port for receiving and sending IPSec
traffic; why would you want to put ACLs on the port which is meant for
receiving and sending IPSec packets? If your ACLs are bad, then it will
result in bad connectivity for the users whom you think need to use it.
Paranoia is fine with security, but don't be over paranoid. PIX is
relatively more secure and it is smart enough to allow only the traffic
that it trusts to go through it (which BTW depends on your config).

Hope this helps.
Prabhu
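Added example (an editor's illustration, not text from either message in the thread): a PIX 7.2 configuration sketch that follows Prabhu's advice of trusting key material rather than source addresses, and that shows why Vahid's outside ACL did not hide port 10000. Interface ACLs on the PIX filter traffic passing through the box; IKE (UDP 500) and IPsec over TCP (TCP 10000) terminate on the box, and what it listens for is decided by the crypto commands, not by the access-list. The interface and map names, the group name RA-USERS, the address pool and the username are assumptions; the pre-shared key is a placeholder.

```cisco
! Editor's illustration, not from the thread. Names, addresses and the group
! name are assumed; replace the placeholder key and password.

! 1. This ACL applies to traffic THROUGH the PIX. It does not stop IKE or
!    IPsec-over-TCP, because those are terminated ON the outside interface.
access-list outside_in extended deny ip any any
access-group outside_in in interface outside

! 2. Exposure is controlled by which listeners you enable. If no client
!    needs IPsec over TCP, do not listen on TCP/10000 at all:
no crypto isakmp ipsec-over-tcp
! (to keep it, bind it explicitly: crypto isakmp ipsec-over-tcp port 10000)
crypto isakmp nat-traversal 20
crypto isakmp enable outside

! 3. Trust the key material, not the peer's IP or hostname.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map with no "set peer": remote-access peers have no fixed address.
crypto dynamic-map dyn1 1 set transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside

! Per-group pre-shared key gates IKE phase 1; per-user credentials (XAUTH
! against the local database) gate the session itself.
ip local pool ra-pool 10.10.10.1-10.10.10.50 mask 255.255.255.0
tunnel-group RA-USERS type ipsec-ra
tunnel-group RA-USERS general-attributes
 address-pool ra-pool
 authentication-server-group LOCAL
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>
username vpnuser password <REPLACE-WITH-STRONG-PASSWORD>
```

The group pre-shared key is shared by every client in the tunnel-group, so it is the weakest link in this sketch; where client certificates are available, `authentication rsa-sig` in the ISAKMP policy with a trustpoint on the PIX gives each client its own credential for phase 1. Either way, an unknown peer that cannot complete IKE never reaches the login prompt Vahid was worried about; what remains visible to a port scan is only that the listeners you chose to enable exist.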


