VPN Access restriction

vinoth.kumar · ‎11-22-2009

Hi,

we have a site to site Ipsec VPN between our offices

currently one of our PIX 515E 6.3 is getting problem that we are unable to login (PIX iS running)

after rebotting it works fine but after a day again it remains same

so we are suspecting some virus trafffic coming through the VPN

can anyone help us how to track the these type of packet in pIX and also we are planning to restrict the traffic coming through the VPN

In the encryption Domain ACL can we define the port based ACL access OR we will allow the traffic based on subnet in Encryption domain and

restrict them by Access-group binding OUTBOUND in INSIDE Interface

Which one will be right

Thanks
Vinu

grant.maynard · ‎11-23-2009

The best way to filter traffic over a VPN, in my opinion, is:

1) build the Encryption domain based on subnets for all IP.

2) add entries to the inbound ACL on the outside interface (assuming that's where the VPN terminates) to filter traffic as desired.

3) enter "no sysopt connection permit-ipsec" to force ALL vpn traffic through this ACL.

"sysopt connection permit-ipsec" is enabled by default and "Implicitly permits any packet that comes from an IPSec tunnel, and bypasses the checking of an associated access-list, conduit, or access-group command statement for IPSec connections". Remember that this affects all VPNs so you must have the necessary rules in the ACL beforehand.

It might be a good idea to set up syslog on your firewall so you can capture any messages from the time of it freezing up.