ISAKMP Question ???????????????????

m.lesnick
Level 1

I have a site-to-site IPSEC tunnel.. Works fine..

I'm using preshared secret.. the problem is that if I run an NMAP scan against my outside IP of the PIX firewall it shows that ISAKMP both TCP/UDP is open..

I tried ACL's on the outside interface but still it's open..

How do I close off ISAKMP and allow only the remote side of the IPSEC tunnel access?

I can't find any documentation online to help me out...

Suggestions greatly appreciated.. thanks..

3 Replies

m.laporta
Level 1

Pix ACL's filter traffic *through* the firewall; they don't filter traffic *to* the firewall.

Some CLI tools are able to filter traffic *to* the firewall for specific applications (see the telnet/ssh/http commands): unfortunately, there is no way to filter ISAKMP.

As a result, if the "isakmp enable" command is applied, ISAKMP connections are always accepted until the IKE authentication phase has been completed. Unfortunately, this exposes the Pix to a DoS attack as the CPU-consuming DH exchange is performed before authentication.

HTH

michele

What are possible workarounds? I have a site-to-site IPSEC tunnel and our audit group won't let this pass..

Is there another way to set up an IPSEC tunnel without using ISAKMP?

The only possible workaround I can think of is to place another (possibly cheap) firewall in front of your Pix to filter ISAKMP. Sorry for such a trivial proposal...

Of course you can use IPSec without IKE: this is currently a mandatory requirement for every IPSec implementation. However, administration of an IPSec manual config is very heavy as you will need to define the keying material and the SPIs by yourself. Moreover, security will be weaker as the keys will not be refreshed automatically... unless you change them periodically.

Check these configs out:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093c26.shtml

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm#wp1069160

HTH

michele
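As an added illustration of the "another firewall in front of the Pix" workaround suggested above (this is example configuration, not from the thread or from Cisco documentation), the following Cisco IOS extended ACL restricts IKE and ESP to the one known tunnel peer on an upstream router. The addresses are placeholders: 203.0.113.10 stands for the remote tunnel endpoint and 198.51.100.1 for the outside interface of the Pix; the interface name is also an assumption.

```cisco
! Assumed addresses: 203.0.113.10 = remote IPsec peer, 198.51.100.1 = Pix outside interface
ip access-list extended PROTECT-PIX-IKE
 ! Only the known peer may start IKE (UDP/500) with the Pix
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 ! Only the known peer may send ESP (IP protocol 50) to the Pix
 permit esp host 203.0.113.10 host 198.51.100.1
 ! Everyone else is dropped before the Pix ever sees the first IKE packet; log for detection
 deny udp any host 198.51.100.1 eq isakmp log
 deny tcp any host 198.51.100.1 eq 500 log
 deny esp any host 198.51.100.1 log
 ! Everything else destined to or through the Pix is left alone
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing link in front of the Pix (assumed interface)
 ip access-group PROTECT-PIX-IKE in
```

Because the ACL sits on a device in front of the Pix, the filtering happens before the Pix would accept the IKE exchange, which is what the Pix's own interface ACLs cannot do for traffic addressed to the firewall itself. The `log` keyword on the deny lines gives the audit group evidence of rejected ISAKMP attempts; if the tunnel uses NAT traversal, a matching `permit udp ... eq 4500` line for the peer would also be needed.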