Re: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

On Wed, May 13, 2009 at 7:31 AM, Michael Tewner <tewner@xxxxxxxxx> wrote:
As I understand it, by default, incoming packets from IPsec site-to-site
VPN's are not checked by the standard interface ACL's -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
a specific remote host to a local host/LAN?

I don't believe this is default behavior, and it's certainly easy
enough to configure. You can use the interface-bound access lists to
control VPN traffic.

(2) I found that following checkbox in the "IPsec VPN Wizard" which might be
a step in the right direction - "Enable inbound IPsec sessions to bypass
interface access lists."
     (a) Is this the proper setting?

Yes, this is just the ASDM/PDM checkbox for the 'sysopt connection
permit-ipsec' command. If you unset that option in your config, IPSec
traffic will be subject to the same access lists that unencrypted
traffic is.

     (b) I assume that this will send the incoming traffic through the
"outside" interface? right?

Yes, the access-group that is configured for "in interface outside"
will affect traffic being decrypted by your firewall. Similarly, the
access-group configured for "in interface inside" (if you do egress
filtering) will affect traffic being encrypted.

     (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
this apply to my other VPN's?

Yes, all of your IPSec tunnels, anyway. I don't know for certain, but
I think SSL VPN connections are unaffected by this setting.

     (d) What Cisco ASA/PIX command does this translate to

sysopt connection permit-ipsec

     (e) Is there a screen in the ASDM where I can enable this

No idea. I've never been a fan of ASDM/PDM.

(3) Or, perhaps, I'm looking in completely the wrong place?

I'd say you're right on track.

firewall-wizards mailing list