VPN Tunnel with only one service allowed

mkoenig
Level 1

Hello,

I have a PIX 520 running V 6.22. I created a VPN tunnel from our server to a server at another company, and I only want to allow an SSH connection. This works pretty well, but from the other host it is possible to connect to our host via ICMP, FTP, Telnet, .... How can I configure my PIX to deny all these services?

Here is my configuration:

name 10.x.x.x ffmz1_is
name 212.x.x.x conliner_os
name 192.168.0.250 conliner_ssh
object-group network conliner
network-object 192.168.0.0 255.255.255.0
access-list inside permit icmp host ffmz1_is any
access-list inside permit tcp host ffmz1_is any eq ftp
access-list inside permit udp host ffmz1_is any eq smtp
access-list inside permit tcp host ffmz1_is host conliner_ssh eq ssh
access-list no_nat permit ip host ffmz1_is object-group conliner
access-list conliner permit ip host ffmz1_is object-group conliner
...
crypto map VPN 30 match address conliner
crypto map VPN 30 set peer conliner_os
...

Thanks a lot


4 Replies

mcaissie
Level 1

Do you use the command "sysopt connection permit-ipsec"?

This command allows all traffic going through the tunnel to bypass the access-lists applied on your interface. You can remove this command and be more granular in your filtering through access-group, and allow only SSH replies.

For example, you could add the following line to your outside interface ACL:

access-list outside permit tcp any eq ssh host conliner_ssh
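The approach in the reply above, written out as a complete PIX 6.x fragment. This is an added example, not configuration from the original post or from the replier. The names ffmz1_is, conliner_ssh, conliner_os and the object-group conliner are the ones the poster defined; the interface names inside/outside and the ACL name "outside" are assumptions (the post only shows an ACL called "inside"). One detail the reply does not spell out: the PIX tracks TCP connections that the inside host opens, so the return half of the SSH session needs no ACL entry at all on the outside interface; the outside ACL only has to decide what the remote side may initiate, which here is nothing.

```cisco
! Added example (not from the original post). ffmz1_is, conliner_ssh,
! conliner_os and object-group conliner are the poster's names; the
! interface names and the ACL name "outside" are assumptions.

! 1. Stop decrypted tunnel traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

! 2. Outbound policy: the inside host may only open SSH to the remote
!    server. The poster's icmp/ftp/smtp entries to "any" are left out
!    here; add back only what non-tunnel traffic really needs.
access-list inside permit tcp host ffmz1_is host conliner_ssh eq ssh
access-group inside in interface inside

! 3. Inbound policy. With permit-ipsec removed, every connection the
!    remote network initiates through the tunnel is checked against
!    this ACL. Replies to the SSH session opened from ffmz1_is are
!    matched by the connection table and need no entry. The explicit
!    deny is redundant with the implicit deny at the end of the list,
!    but it gives a hit counter in "show access-list" for the
!    icmp/ftp/telnet attempts the poster saw.
access-list outside deny ip object-group conliner host ffmz1_is
access-group outside in interface outside

! 4. The crypto ACL only decides what gets encrypted; it stays as posted.
access-list conliner permit ip host ffmz1_is object-group conliner
crypto map VPN 30 match address conliner
crypto map VPN 30 set peer conliner_os
```

Two caveats a practitioner would check after applying this. First, the reply's example line permits traffic whose destination is conliner_ssh, but conliner_ssh is the remote server; SSH replies arriving through the tunnel have it as the source and ffmz1_is as the destination, and, as noted, they are handled by the connection table anyway. Second, PIX 6.x does not track ICMP statefully, so if the "permit icmp host ffmz1_is any" line is kept and pings across the tunnel should still get answers, the outside ACL needs an entry such as "access-list outside permit icmp object-group conliner host ffmz1_is echo-reply" placed before the deny.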

Yes, I use this, so I will disable it and look.

Thank you very much for your hint, but I think there must be a reason to use this command, even when it breaks a big hole in a firewall.

And do I have to allow outside connections with port 500 and with the protocol ESP?

Very kind regards

The only purpose of "sysopt connection permit-ipsec" is to allow traffic in a tunnel to bypass access-groups. It is not essential to use it, but then you must explicitly allow the traffic you want through your access-list.

The command is very useful when you have remote clients establishing a VPN using the Cisco client. Since you have to use dynamic crypto maps and you don't know the peer IP address, if you didn't have the sysopt command you would have to allow traffic from any source.

And you don't have to open any IPsec ports for the PIX to be able to establish the tunnel with its peer.

You need to allow UDP 500 and protocols 50 and 51 when IPsec traffic traverses your firewall. Let's say you have another PIX on the inside that wants to establish a VPN across your main PIX with a third PIX on the outside; then you would need to open the ports in your main PIX.
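The transit case in the last paragraph, as an added example for the main PIX (not configuration from the original thread). The main PIX does not terminate this tunnel, so the exceptions it makes for its own IKE and ESP traffic do not apply and the protocols must be permitted explicitly on both interfaces. All addresses and the names inner_pix, inner_pix_global and remote_peer are assumptions; the interface and ACL names follow the poster's "inside" ACL and an assumed "outside" ACL.

```cisco
! Added example (not from the original thread). Addresses and these
! three names are assumptions:
!   inner_pix         the second PIX on the inside, which terminates the tunnel
!   inner_pix_global  its one-to-one translated address as seen on the outside
!   remote_peer       the third PIX on the outside
name 10.1.1.2 inner_pix
name 198.51.100.10 inner_pix_global
name 203.0.113.5 remote_peer

! One-to-one static translation. ESP has no ports, so PAT cannot carry it;
! a static lets the outside peer address the inner PIX directly.
static (inside,outside) inner_pix_global inner_pix netmask 255.255.255.255 0 0

! Outbound (inside ACL is already applied in the poster's setup, so the
! inner PIX must be allowed to start IKE and send ESP/AH).
access-list inside permit udp host inner_pix host remote_peer eq isakmp
access-list inside permit esp host inner_pix host remote_peer
access-list inside permit ah  host inner_pix host remote_peer
access-group inside in interface inside

! Inbound. On PIX 6.x the outside ACL refers to the translated (global)
! address. IKE is UDP/500 (isakmp); ESP is IP protocol 50, AH protocol 51.
access-list outside permit udp host remote_peer host inner_pix_global eq isakmp
access-list outside permit esp host remote_peer host inner_pix_global
access-list outside permit ah  host remote_peer host inner_pix_global
access-group outside in interface outside
```

Protocol 51 is listed because the reply names it, but AH authenticates the outer IP header including the addresses, so it does not survive the static translation; in practice such a tunnel runs on ESP alone. Pinning each entry to the specific peer and the specific inner device, rather than "any", keeps this from becoming the kind of broad hole the thread is trying to avoid.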

Hello,

...and thank you again for your reply; your answers are very helpful to me.

So I have a little problem. We have 5 VPN connections established, 4 with static IPs but one with a dynamic IP, for which I need this "sysopt connection permit-ipsec" command. To have only as many holes in the PIX as needed, I plan to move this dynamic connection (and further ones) away onto a router in front of the PIX, with a dedicated access-list for connections to this router.

Kind regards