Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
473
Views
0
Helpful
1
Replies

VPN Access restriction

vinoth.kumar
Level 1
Level 1

‎11-22-2009 11:21 PM

Hi,

we have a site to site Ipsec VPN between our offices

currently one of our PIX 515E 6.3 is getting problem that we are unable to login (PIX iS running)

after rebotting it works fine but after a day again it remains same

so we are suspecting some virus trafffic coming through the VPN

can anyone help us how to track the these type of packet in pIX and also we are planning to restrict the traffic coming through the VPN

In the encryption Domain ACL can we define the port based ACL access OR we will allow the traffic based on subnet in Encryption domain and

restrict them by Access-group binding OUTBOUND in INSIDE Interface

Which one will be right

Thanks
Vinu

Labels:
0 Helpful
1 Reply 1

grant.maynard
Level 4
Level 4

‎11-23-2009 03:48 PM

The best way to filter traffic over a VPN, in my opinion, is:

1) build the Encryption domain based on subnets for all IP.

2) add entries to the inbound ACL on the outside interface (assuming that's where the VPN terminates) to filter traffic as desired.

3) enter "no sysopt connection permit-ipsec" to force ALL vpn traffic through this ACL.

"sysopt connection permit-ipsec" is enabled by default and "Implicitly permits any packet that comes from an IPSec tunnel, and bypasses the checking of an associated access-list, conduit, or access-group command statement for IPSec connections". Remember that this affects all VPNs so you must have the necessary rules in the ACL beforehand.

It might be a good idea to set up syslog on your firewall so you can capture any messages from the time of it freezing up.

0 Helpful
Customers Also Viewed These Support Documents