Re: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

On Wed, May 13, 2009 at 7:31 AM, Michael Tewner <tewner@xxxxxxxxx> wrote:
As I understand it, by default, incoming packets from IPsec site-to-site
VPNs are not checked by the standard interface ACLs -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
a specific remote host to a local host/LAN?

I don't believe this is default behavior, and it's certainly easy
enough to configure. You can use the interface-bound access lists to
control VPN traffic.

(2) I found the following checkbox in the "IPsec VPN Wizard" which might be
a step in the right direction - "Enable inbound IPsec sessions to bypass
interface access lists."
     (a) Is this the proper setting?

Yes, this is just the ASDM/PDM checkbox for the 'sysopt connection
permit-ipsec' command. If you unset that option in your config, IPSec
traffic will be subject to the same access lists that unencrypted
traffic is.

     (b) I assume that this will send the incoming traffic through the
"outside" interface? right?

Yes, the access-group that is configured for "in interface outside"
will affect traffic being decrypted by your firewall. Similarly, the
access-group configured for "in interface inside" (if you do egress
filtering) will affect traffic being encrypted.

     (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
this apply to my other VPN's?

Yes, all of your IPSec tunnels, anyway. I don't know for certain, but
I think SSL VPN connections are unaffected by this setting.

     (d) What Cisco ASA/PIX command does this translate to?

sysopt connection permit-ipsec

     (e) Is there a screen in the ASDM where I can enable this?

No idea. I've never been a fan of ASDM/PDM.

(3) Or, perhaps, I'm looking in completely the wrong place?

I'd say you're right on track.

firewall-wizards mailing list
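The configuration the reply describes, as an added example that is not part of the thread: the bypass is turned off and the outside interface ACL is used to allow only SSH from one remote host to one local server. The addresses, the ACL name `outside_in`, and ASA 7.x `extended` syntax are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumed, constructed addresses:
!   192.0.2.10  = the remote admin host behind the IPsec peer
!   10.1.1.20   = the local SSH server on the inside network
!
! Turn off the bypass so decrypted IPsec traffic is checked by the
! outside interface ACL like any other inbound packet.
! (ASA releases from 7.1 onward spell this 'sysopt connection permit-vpn'.)
no sysopt connection permit-ipsec
!
! Permit only SSH from that one remote host to that one local server.
access-list outside_in extended permit tcp host 192.0.2.10 host 10.1.1.20 eq ssh
! Log anything else arriving from the remote site so the drops are visible.
access-list outside_in extended deny ip 192.0.2.0 255.255.255.0 any log
! The implicit deny at the end of the ACL drops everything else, including
! traffic from every other tunnel, so each VPN's required flows must be
! listed here once the bypass is disabled. Any existing permits for
! non-VPN inbound traffic belong in this same ACL.
access-group outside_in in interface outside
!
! IKE (UDP 500) and ESP terminate on the firewall itself and are not
! filtered by this through-the-box ACL, so the tunnels still come up.
!
! Verify with hit counts after a test SSH connection from the remote host:
!   show access-list outside_in
```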
