a question about vpn's and firewall rules

swarmbrand
Level 1

I have a Pix 515, and a question about firewall rules/access lists.

I have recently created a new VPN group, and IP Pool.

I created a firewall rule that grants access via TCP to a specific IP address from this firewall. However, when I test the VPN from outside the company, I find I can get to whatever server I want to. There is no allow any/any. I do not think there is any other rule before it or after it that would give that kind of access, as most of our rules are for specific IPs and protocols.

The only thing I could think of is that we are using the account management in the firewall to authenticate the users.  I am giving the VPN users level 3 access.

Any ideas about what could be going on would be helpful.

I will probably not post my config as it is my firewall config, and it would be against company policy.

Thanks!

Scott

3 Replies

Jennifer Halim
Cisco Employee

What version of PIX firewall are you running?

If you are running version 7.0 or higher, you can configure firewall rules and assign those rules with the vpn-filter command that you apply to your VPN group-policy.

The access-list will say:

access-list permit tcp host eq

If you would like to permit TCP/80 to inside host 10.1.1.1 for example, you will write:

access-list permit tcp host 10.1.1.1 eq 80

The ACL then needs to be applied to "vpn-filter" command on the VPN group-policy for that particular VPN.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/tz.html#wp1281154

If you are running an earlier version of PIX, let us know, as "vpn-filter" is not supported and you would configure it in a different, more complicated way.

Hope this helps.

I'm running version 6.3, thanks!

From: halijenn
To: Scott Warmbrand
Date: 03/26/2011 10:18 PM
Subject: New message: "a question about vpn's and firewall rules"

A new message was posted in the Discussion thread "a question about vpn's and firewall rules":
https://supportforums.cisco.com/message/3324280#3324280

Author: Jennifer Halim
Profile: https://supportforums.cisco.com/people/halijenn

Message:

OK, so if you are running version 6.3, then it is not as simple as the vpn-filter advised earlier, as this version does not support that yet.

To start with, you will need to use the ACL that is applied to the outside interface to restrict and allow access from vpn pool towards the internal network.

You will need to explicitly configure all the access that you would like to give the remote access VPN, or any other VPN that you have (inc. LAN-to-LAN VPN). Once you have configured all the necessary rules and applied them to the outside interface, then you will need to disable "sysopt connection permit-ipsec".

By default "sysopt connection permit-ipsec" is enabled, and that will allow all traffic decrypted from the VPN tunnel to bypass the outside ACL. Because traffic from the VPN tunnel is seen as secure, not as coming from the Internet, it is allowed by default after it has been decrypted from the tunnel.
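The two answers above describe the same exposure from two sides: on PIX 6.3 the decrypted tunnel traffic skips the outside ACL while "sysopt connection permit-ipsec" is on, and on 7.0+ a vpn-filter on the group-policy is what constrains it. The following audit script is an added example, not code from the thread or from Cisco: it parses a config excerpt for just the statements that decide which ACL governs VPN traffic and reports the conditions both replies warn about. The three config excerpts are constructed samples in the command syntax quoted in the thread (names such as outside_in, vpn_pool_in, RA_VPN, the 10.10.10.0/24 pool and the version strings are invented), and the parser only understands those few statement forms.

```python
import re
from dataclasses import dataclass, field

# Constructed PIX 6.3-style excerpt mirroring the poster's situation: a VPN rule
# exists but is bound nowhere, and permit-ipsec bypasses the outside ACL.
SAMPLE_PIX63 = """\
PIX Version 6.3(5)
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list vpn_pool_in permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.1 eq 80
access-group outside_in in interface outside
ip local pool vpnpool 10.10.10.1-10.10.10.50
sysopt connection permit-ipsec
"""

# Constructed 6.3 fix as described in the thread: VPN rules live in the
# outside ACL and the permit-ipsec bypass is switched off.
SAMPLE_PIX63_FIXED = """\
PIX Version 6.3(5)
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.1 eq 80
access-group outside_in in interface outside
ip local pool vpnpool 10.10.10.1-10.10.10.50
no sysopt connection permit-ipsec
"""

# Constructed 7.0+ excerpt: a vpn-filter ACL bound to the group-policy.
SAMPLE_ASA70 = """\
ASA Version 7.0(8)
access-list vpn_filter extended permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.1 eq 80
group-policy RA_VPN internal
group-policy RA_VPN attributes
 vpn-filter value vpn_filter
sysopt connection permit-ipsec
"""


@dataclass
class ConfigFacts:
    version: str = "unknown"
    permit_ipsec: bool = True  # PIX default: decrypted tunnel traffic skips interface ACLs
    acls: dict = field(default_factory=dict)           # acl name -> [rule text]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name
    vpn_filters: dict = field(default_factory=dict)    # group-policy -> acl name


def parse_config(text: str) -> ConfigFacts:
    """Extract only the statements that decide which ACL governs VPN traffic."""
    facts = ConfigFacts()
    policy = None  # group-policy whose 'attributes' block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"(?:PIX|ASA) Version (\S+)", line)):
            facts.version = m.group(1)
        elif line == "sysopt connection permit-ipsec":
            facts.permit_ipsec = True
        elif line == "no sysopt connection permit-ipsec":
            facts.permit_ipsec = False
        elif (m := re.match(r"access-list (\S+) (?:extended )?(.+)", line)):
            facts.acls.setdefault(m.group(1), []).append(m.group(2))
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            facts.access_groups[m.group(2)] = m.group(1)
        elif (m := re.match(r"group-policy (\S+) attributes", line)):
            policy = m.group(1)
        elif policy and (m := re.match(r"vpn-filter value (\S+)", line)):
            facts.vpn_filters[policy] = m.group(1)
    return facts


def audit(facts: ConfigFacts) -> list[str]:
    """Return findings in the order checked; an empty list means nothing flagged."""
    findings = []
    if facts.permit_ipsec and not facts.vpn_filters:
        findings.append("sysopt connection permit-ipsec is on and no group-policy has a "
                        "vpn-filter: decrypted VPN traffic bypasses the outside ACL")
    for gp, acl in facts.vpn_filters.items():
        if acl not in facts.acls:
            findings.append(f"group-policy {gp}: vpn-filter references undefined ACL {acl}")
    if not facts.permit_ipsec and "outside" not in facts.access_groups:
        findings.append("permit-ipsec is off but no ACL is bound to outside: decrypted "
                        "VPN traffic hits the implicit deny")
    for name, rules in facts.acls.items():
        if any(re.match(r"permit ip any any", r) for r in rules):
            findings.append(f"ACL {name} contains permit ip any any")
    in_use = set(facts.access_groups.values()) | set(facts.vpn_filters.values())
    for name in facts.acls:
        if name not in in_use:
            findings.append(f"ACL {name} is defined but bound nowhere, so it filters nothing")
    return findings


def audit_text(text: str) -> list[str]:
    return audit(parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("PIX 6.3 as described", SAMPLE_PIX63),
                       ("PIX 6.3 fixed", SAMPLE_PIX63_FIXED),
                       ("ASA 7.0 vpn-filter", SAMPLE_ASA70)):
        print(f"{label}: {audit_text(cfg) or ['OK']}")
```

Run against the first excerpt it reports both the bypass and the unbound ACL, which is exactly the combination that lets a remote user reach any inside host despite a rule being present; the fixed 6.3 excerpt and the 7.0 vpn-filter excerpt come back clean. The parser is deliberately narrow, so treat a clean result as "these specific conditions are absent", not as a full policy review.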
