Re: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"



Hello Mike

You can do this using the vpn-filter command, the following are GUI and CLI
links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

The second option you mention translates to the following CLI command:

sysopt connection permit-vpn

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414

By default, because this command is enabled, all VPN tunnels terminated ON the
appliance itself are permitted and the interface ACL does not need to permit
IKE, NAT-T (UDP 4500), ESP etc. If you disable it, then you need to
specifically allow VPN traffic on the ACL.

Regards

Farrukh

On Wed, May 13, 2009 at 2:31 PM, Michael Tewner <tewner@xxxxxxxxx> wrote:

Hi all -

I'm using a Cisco ASA 5500 series appliance with ASDM 6.1.

As I understand it, by default, incoming packets from IPsec site-to-site
VPNs are not checked by the standard interface ACLs -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH
from a specific remote host to a local host/LAN?

(2) I found that following checkbox in the "IPsec VPN Wizard" which might
be a step in the right direction - "Enable inbound IPsec sessions to bypass
interface access lists."
(a) Is this the proper setting?
(b) I assume that this will send the incoming traffic through the
"outside" interface? right?
(c) Does this checkbox apply to ALL IPsec sessions on all VPNs? Will
this apply to my other VPNs?
(d) What Cisco ASA/PIX command does this translate to?
(e) Is there a screen in the ASDM where I can enable this
after-the-fact?

(3) Or, perhaps, I'm looking in completely the wrong place?

Thank you!!
-Mike


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
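As an added configuration example for the vpn-filter / sysopt connection permit-vpn answer above (this is not from Farrukh's message or from Cisco's documentation; the peer and host addresses are RFC 5737 documentation ranges and every ACL, group-policy and tunnel-group name is invented): a site-to-site tunnel on which only SSH from one remote host to one local host is allowed through the tunnel, while the global bypass of the interface ACL stays on for every other tunnel.

```text
! Added example, not from the thread. Addresses are documentation ranges
! and all ACL / group-policy / tunnel-group names are invented.
!
! Keep the default: decrypted VPN traffic bypasses the outside interface ACL,
! so the per-tunnel vpn-filter is the only policy applied to it.
sysopt connection permit-vpn
!
! vpn-filter ACLs are written from the REMOTE side's point of view:
! source = peer network, destination = local network.
! The ASA evaluates the same ACL in reverse for traffic going into the tunnel,
! so this one line covers the SSH session in both directions.
access-list PARTNER-VPN-FILTER extended permit tcp host 203.0.113.10 host 192.0.2.20 eq 22
! An implicit deny already ends every vpn-filter ACL; this explicit line only
! adds logging so blocked attempts show up in syslog.
access-list PARTNER-VPN-FILTER extended deny ip any any log
!
! The filter is attached to a group-policy, never to an interface access-group
! (do not reuse a vpn-filter ACL as an interface ACL).
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER
!
! Bind that group-policy to the site-to-site tunnel-group for peer 198.51.100.5.
! Other tunnels keep whatever group-policy they already use, so this filter
! does not touch them (answers Mike's question 2c for the filter side).
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 general-attributes
 default-group-policy PARTNER-GP
!
! Alternative (question 2d): turn the bypass off globally. After this the
! outside interface ACL must explicitly permit the decrypted traffic as well,
! for every tunnel on the box, not just this one.
! no sysopt connection permit-vpn
!
! Checks after applying:
!   show running-config sysopt            (confirms the bypass setting)
!   show vpn-sessiondb detail l2l         (shows the tunnel and its Filter Name)
!   show access-list PARTNER-VPN-FILTER   (hit counts prove the filter is in use)
```

Two caveats worth knowing before copying this pattern: because the filter ACL is evaluated in reverse for traffic entering the tunnel, the single permit line is also what lets 192.0.2.20 send its SSH replies (TCP source port 22) back to 203.0.113.10, so a second "outbound" line is not needed and a deny of local-to-remote traffic would break the session. And the vpn-filter only ever sees decrypted, post-tunnel traffic; the IKE, NAT-T and ESP packets that build the tunnel are what sysopt connection permit-vpn waives from the interface ACL, which is why disabling it means adding those protocols to the interface ACL as Farrukh describes.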
