
Access Lists, NAT and VPN, where do I filter???

Feb 20, 2002
Hi, I have a PIX 515E and have noticed that the access lists I thought I had working for a VPN aren't working as I expected. Here is an example of what I have:

access-list nonatinside permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_in permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list hostedVPN_10 permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0

So I can connect to hosted machines over the VPN (with NoNAT) and that works great. The problem, though, is that I have since found that items at our hosted site can also connect back to the LAN (bad). Where do I add access lists to prevent this???
Do I amend the VPN access list, the NoNAT access list, or the access list on an interface (and if it is the interface, which one, the inside or the outside)???

I hope my question makes some sense...

Simon
 
First of all, the ACLs used to define interesting traffic are used for that purpose only. If you need to filter traffic, then you need to define a new ACL (if one doesn't exist) and apply it to the corresponding interface.

For IPSec, the command "sysopt connection permit-ipsec" bypasses the ASA algorithm, which means IPSec traffic will not be checked against the ACLs applied to any interface. If you need to apply ACLs to IPSec traffic, then you need to remove the "sysopt connection permit-ipsec" command and configure your ACLs. You have to realize you will need to permit access to UDP port 500 and IP protocol 50 on the ACL applied to the outside interface, and UDP 4500 if you are using NAT-T.

If you remove the command mentioned above, it will affect ALL IPSec tunnels. So you need to take this into account if you have more than one tunnel.
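The before/after the reply describes, as an added example that is not from the thread or from Cisco's own documentation. PIX 6.x syntax; the crypto map name, ACL names, the SMTP host, and the outside/peer addresses are assumptions (198.51.100.1 for this PIX, 203.0.113.10 for the hosted-site peer, both placeholders); only the two subnets come from the thread.

```cisco
: Added example, not from the original thread. PIX 6.x syntax. Crypto map name,
: ACL names and addresses are assumptions: 198.51.100.1 = this PIX (placeholder),
: 203.0.113.10 = hosted-site peer (placeholder). Subnets are the thread's own.
: The isakmp policy and transform-set lines are omitted for brevity.

: ---- BEFORE: tunnel traffic never meets an interface ACL ----
sysopt connection permit-ipsec
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list hostedVPN_10 permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonatinside
crypto map hostedVPN 10 ipsec-isakmp
crypto map hostedVPN 10 match address hostedVPN_10
crypto map hostedVPN 10 set peer 203.0.113.10
crypto map hostedVPN interface outside
: Result: with permit-ipsec set, anything 192.168.1.0/24 sends through the
: tunnel reaches 192.168.101.0/24 without ever being checked against outside_in.

: ---- AFTER: drop the bypass, admit IKE/ESP, then filter the decrypted packets ----
no sysopt connection permit-ipsec
: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), from the peer only
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
: Decrypted tunnel traffic is evaluated against this same ACL. Replies to
: connections started from the LAN are allowed by the connection table, so only
: hosted-initiated flows need entries here. Permit what the hosted site must
: reach (one SMTP relay, as an illustration) and deny the rest of the LAN.
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.101.25 eq 25
access-list outside_in deny ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group outside_in in interface outside
```

The explicit deny is redundant with the ACL's implicit deny but makes the intended policy visible when the configuration is reviewed.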
 
Ahhh OK, it all makes more sense now. OK, I will remove the "sysopt connection permit-ipsec" and allow the IPSec ports through. One last thing though: on what interface will I need to filter traffic from an external VPN??? Does the firewall decrypt the traffic before it checks the ACLs on the outside interface???

Thanks
Simon
 
When you remove the sysopt, the PIX will decrypt the traffic and drop it to the outside interface. This means the PIX will inspect the traffic at the outside interface, so you will need to filter there.
 