02-17-2006 03:14 PM - edited 02-21-2020 02:15 PM
Hi,
My PIX is currently set up to allow all IPSEC traffic to enter my network (sysopt connection permit-ipsec). I would like to change this so that I can define what traffic is allowed in (and out).
My setup is simple (imo). I only have the default outside & inside interfaces. I am assuming that I can control the "outgoing VPN traffic" in an inbound ACL on the inside interface.
But how do I control what traffic is allowed inbound over the VPN tunnel? I have no interface to apply this to since it's a VPN tunnel.
And I cannot apply it to the outside interface, I think, since traffic that arrives on that interface is ESP traffic, so encrypted and I obviously want to be able to define what is allowed in based on what the decrypted packet looks like.
Any thoughts anyone?
Thanks and regards,
Kevin
02-18-2006 09:09 PM
In this example you will find 3 Access-lists:
1.) Access-list acs-outside controls who can connect from the Internet and establish/open an IPSEC
2.) Access-list NONAT disables NAT from the Local networks to the VPN Peer network.
3.) Access-list VPN and < crypto map REMOTE 10 match address VPN > controls what traffic will be encrypted. If you just want to allow a specific host and protocol to be encrypted/allowed through the tunnel then this is the place to control it.
Example:
PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp
PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP
PIX(config)# access-group acs-outside in interface outside
STEP 1 - Configure IKE
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
Hope that helps?
sincerely
Patrick
02-20-2006 03:22 AM
Hi,
Thank you for your reply, Patrick. It was helpful.
You have illustrated (amongst other things) how to establish an ACL on traffic originating in my internal network and bound for the external network (ACL "TRANS").
I am wondering however how I can control/limit the traffic coming from the external network. Let's say I want to configure it in such a way that only 3 hosts in the external network are allowed to reach 2 specific hosts in my network. The other way around I want to allow my entire internal network to contact the entire external network (which is pretty much how ACL "TRANS" has configured it).
With kind regards,
Kevin
02-21-2006 03:07 AM
Hi,
It is still unclear to me how to apply an ACL to traffic incoming over the VPN tunnel.
Can anyone shed some light on this please?
regards,
Kevin
02-21-2006 03:32 AM
Hi Kevin,
If you are using PIX firewall software ver. below 7.x then you will have to remove the command "sysopt connection permit-ipsec" from the configuration which tells the PIX to allow all the IPSEC traffic by default.
After you remove this command then you configure the access list or add the access list to the existing access list applied on the outside interface to allow the specific IPSEC traffic which you want to allow.
Regards,
Tanveer
02-21-2006 03:42 AM
Hello Tanveer,
Will the ACL I would apply to the outside interface be able to interpret the encrypted traffic? Meaning, will it apply the ACL -after- the traffic was decrypted?
Also, is there a way to apply the ACL to traffic coming from 1 specific peer? I have multiple tunnels running on the PIX and I am wondering how to define an incoming ACL on each.
regards,
Kevin
02-21-2006 07:02 AM
Kevin,
Use the VPN access-list to control which host can use/pass through the VPN tunnel! The outside ACL just permits which Internet host can open/establish a VPN Tunnel but it does not control what is in the Tunnel.
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto map REMOTE 10 match address VPN
sincerely
Patrick
02-21-2006 08:20 AM
Dear Patrick,
My apologies if I appear thick, but it is still not clear to me.
I understand that the outside ACL applies to which host(s) can establish the tunnel.
I also understand that the VPN access-list applies to which of the traffic originating in my Internalnet ISubnet towards the Externalnet ESubnet will be sent over the VPN tunnel REMOTE.
However, how do I limit the traffic which is allowed to enter my Internalnet from the Externalnet?
Will, for example,
access-list VPN permit ip host Externalhost host Internalhost
limit the traffic which is allowed to originate from the Externalnet to only traffic coming from Externalhost and in addition only traffic going towards Internalhost?
with kind regards,
Kevin
02-21-2006 07:28 AM
access-list NETWORK permit ip 192.168.41.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list NETWORK permit ip 192.168.41.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map covance 10 match address NETWORK
192.168.41.0 is the local network.
192.168.0.0 & 172.20.0.0 are the remote networks.
crypto map statement applies access list to VPN.
02-21-2006 08:22 AM
Hi,
Can you provide me an example which will apply to traffic originating in for example 172.20.0.0/16 ?
regards,
Kevin
02-21-2006 12:55 PM
IPSEC traffic is decrypted before going through the outside acl. When going through the acl, Source and Destination addresses correspond to the real IPs. So to accomplish what you want is easy, just remove the sysopt connection permit-ipsec, and modify your outside acl, using the real IPs as Source and Destination.
For example, you have a lan2lan vpn with your inside network at 10.10.10.0 /24 and a remote inside network at 172.20.0.0 /16, and you want to give this network access to a web server at 10.10.10.33, just add a line
access-list acl_out permit tcp 172.20.0.0 255.255.0.0 host 10.10.10.33 eq 80
access-group acl_out in interface outside
acl_out will end up with a mix of public and private Source addresses and it's ok, the PIX doesn't care.
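A complete PIX 6.x fragment for the policy Kevin described (the whole inside network may reach the whole remote network, but only three remote hosts may reach two internal hosts), combining the crypto ACL from Patrick's post with the outside-ACL approach of the accepted answer. This is an added example, not configuration posted in the thread: every address, the peer IP and the host roles are constructed placeholders, and the ISAKMP policy and transform-set TRANS are assumed to be defined as in Patrick's post.

```cisco
: Constructed addressing for this example (not from the thread):
:   inside LAN   10.10.10.0/24        remote LAN  172.20.0.0/16
:   PIX outside  198.51.100.2         VPN peer    203.0.113.5
:   remote hosts allowed in: 172.20.1.11, 172.20.1.12, 172.20.1.13
:   internal targets: 10.10.10.33 (web, tcp/80) and 10.10.10.34 (mail, tcp/25)
: ISAKMP policy and transform-set TRANS are assumed configured as in Patrick's post.

: 1. Tunnel scope and NAT exemption stay broad: the crypto ACL only decides what
:    gets encrypted, so the whole inside LAN can still reach the whole remote LAN.
access-list VPN permit ip 10.10.10.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list NONAT permit ip 10.10.10.0 255.255.255.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer 203.0.113.5
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside

: 2. Stop decrypted traffic from bypassing the outside ACL.
no sysopt connection permit-ipsec

: 3. Outside ACL. First the tunnel itself: IKE and ESP from the peer's public address.
access-list acl_out permit udp host 203.0.113.5 host 198.51.100.2 eq isakmp
access-list acl_out permit esp host 203.0.113.5 host 198.51.100.2
:    Then the decrypted flows, matched on the real (post-decryption) addresses.
:    Per-peer control comes from naming that peer's private networks here.
access-list acl_out permit tcp host 172.20.1.11 host 10.10.10.33 eq 80
access-list acl_out permit tcp host 172.20.1.12 host 10.10.10.33 eq 80
access-list acl_out permit tcp host 172.20.1.13 host 10.10.10.33 eq 80
access-list acl_out permit tcp host 172.20.1.11 host 10.10.10.34 eq 25
access-list acl_out permit tcp host 172.20.1.12 host 10.10.10.34 eq 25
access-list acl_out permit tcp host 172.20.1.13 host 10.10.10.34 eq 25
:    Implicit deny: every other remote-initiated flow, including the rest of
:    172.20.0.0/16, is dropped after decryption. Replies to sessions that the
:    inside LAN opened are allowed by the connection table, not by this ACL.
access-group acl_out in interface outside
```

The hit counts in `show access-list acl_out` confirm which entries the decrypted traffic is actually matching, which is the quickest way to verify that the sysopt bypass is really gone.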
02-22-2006 02:01 AM
Many thanks. That is exactly what I wanted to know.
And thanks to all who helped out!