Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
3
Replies

ISAKMP Question ???????????????????

m.lesnick
Level 1
Level 1

‎12-14-2004 08:20 AM - edited ‎03-09-2019 09:45 AM

I have a site-to-site IPSEC tunnel.. Works fine..

I'm using preshared secret.. the problem is that if I run an NMAP scan against my outside IP of the PIX firewall it shows that ISAKMP both TCP/UDP is open..

I tried ACL's on the outside interface but still it's open..

How do I close of ISAKMP and allow only the remote side of the IPSEC tunnel access?

I can't find any documentation online to help me out...

Suggestions greatly appreciated.. thanks..

Labels:
0 Helpful
3 Replies 3

m.laporta
Level 1
Level 1

‎12-14-2004 08:55 AM

Pix ACL's filter traffic *through* the firewall; they don't filter traffic *to* the firewall.

Some CLI tools are able to filter traffic *to* the firewall for specific applications (see the telnet/ssh/http commands): unfortunately, there is no way to filter ISAKMP.

As a result, if the "isak enable " command is applied, ISAKMP connections are always accepted until the IKE authentication phase has been completed. Unfortunately, this exposes the Pix to a DOS attack as the CPU-consuming DH exchange is performed before auhentication.

HTH

michele

0 Helpful

m.lesnick
Level 1
Level 1
In response to m.laporta

‎12-14-2004 02:04 PM

what are possible work arounds? I have a site-to-site IPSEC tunnel and our audit group won't let this pass..

Is there another way to setup and IPSEC tunnel with out using ISAKMP ???

0 Helpful

m.laporta
Level 1
Level 1
In response to m.lesnick

‎12-15-2004 12:26 AM

The only possible workaround I can think of is to place another (possibly cheap) firewall in front of your Pix to filter ISAKMP. Sorry for such a trivial proposal...

Of course you can use IPSec without IKE: this is currently a mandatory requirement for every IPSec implementation. However, administration of IPSEc manual config is very heavy as you will need to define the keying material and the spi's by yourself. Moreover, security will be weaker as the keys will not be refreshed automatically... unless you change them periodically.

Check these configs out:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093c26.shtml

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm#wp1069160

HTH

michele

0 Helpful
Customers Also Viewed These Support Documents