06-26-2003 04:58 AM - edited 02-21-2020 12:38 PM
Hello,
I have a PIX 520 with V 6.22. Now I created a VPN tunnel from our server to a
server of another company and I only want to have an SSH connection. This works
pretty well, but from the other host it is possible to connect to our host by
icmp, ftp, telnet, .... How can I configure my PIX to deny all these
services?
Here is my configuration:
name 10.x.x.x ffmz1_is
name 212.x.x.x conliner_os
name 192.168.0.250 conliner_ssh
object-group network conliner
network-object 192.168.0.0 255.255.255.0
access-list inside permit icmp host ffmz1_is any
access-list inside permit tcp host ffmz1_is any eq ftp
access-list inside permit udp host ffmz1_is any eq smtp
access-list inside permit tcp host ffmz1_is host conliner_ssh eq ssh
access-list no_nat permit ip host ffmz1_is object-group conliner
access-list conliner permit ip host ffmz1_is object-group conliner
...
crypto map VPN 30 match address conliner
crypto map VPN 30 set peer conliner_os
...
Thanks a lot
06-27-2003 06:27 AM
The only purpose of "sysopt connection permit-ipsec" is to allow traffic in a tunnel to bypass access-groups. It is not essential to use it, but then you must explicitly allow the traffic you want through your access-list.
The command is very useful when you have remote clients establishing a VPN using the Cisco client. Since you have to use dynamic crypto maps and you don't know the peer IP address, if you didn't have the sysopt command you would have to allow traffic from any source.
And you don't have to open any IPsec ports for the PIX to be able to establish the tunnel with its peer.
You need to allow UDP 500 and protocols 50 and 51 when IPsec traffic traverses your firewall. Let's say you have another PIX on the inside that wants to establish a VPN across your main PIX with a third PIX on the outside; then you would need to open the ports in your main PIX.
06-26-2003 07:12 AM
Do you use the command
"sysopt connection permit-ipsec"?
This command allows all traffic going through the tunnel to bypass the access-lists applied on your interface. You can remove this command and be more granular in your filtering through access-group and allow only SSH replies.
For example you could add the following line to your outside interface ACL:
access-list outside permit tcp any eq ssh host conliner_ssh
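Putting the two replies above together, here is an added PIX 6.x configuration fragment that is not from the original thread. It shows the bypass as the original poster has it, the explicit rules that replace it so that only SSH from ffmz1_is to conliner_ssh crosses the tunnel in either direction, and the IKE/ESP/AH entries that are needed only in the separate case where some other pair of peers tunnels through this PIX. The names inner_pix and remote_peer in the last part are hypothetical and do not appear in the poster's configuration.

```text
! --- Weak (as configured): every packet that arrives decrypted from an
! --- IPsec peer skips the interface access-groups. Because the crypto ACL
! --- "conliner" matches "ip" (any protocol) between ffmz1_is and the
! --- 192.168.0.0/24 network, the remote side can reach ffmz1_is over
! --- icmp, ftp, telnet, ... even though the inside ACL never permits that.
sysopt connection permit-ipsec

! --- Hardened: drop the bypass, then state the tunnel traffic explicitly.
no sysopt connection permit-ipsec

! Outbound (inside -> tunnel). These two lines must come BEFORE the broader
! "permit icmp/ftp/smtp ... any" entries already on the inside ACL, because
! PIX evaluates entries in order and stops at the first match.
access-list inside permit tcp host ffmz1_is host conliner_ssh eq ssh
access-list inside deny ip host ffmz1_is object-group conliner
access-group inside in interface inside

! Inbound (tunnel -> inside). Without the sysopt bypass, decrypted packets
! are checked against the outside access-group like any other inbound
! packet. The PIX is stateful, so the replies to the SSH session that
! ffmz1_is opened are allowed without a rule; nothing initiated by the
! remote network needs a permit. The explicit deny only makes the drops
! visible in the log; the implicit deny at the end of the ACL would drop
! them anyway.
access-list outside deny ip object-group conliner host ffmz1_is
access-group outside in interface outside

! --- Only for the "IPsec traverses the firewall" case from the accepted
! --- answer: an inside PIX (inner_pix, assumed to have a static mapping to
! --- an outside address) builds a tunnel to a third PIX (remote_peer)
! --- through this one. This PIX is then not a tunnel endpoint, so IKE
! --- (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51) must be
! --- permitted inbound. A PIX that terminates its own tunnels, as in the
! --- poster's setup, does NOT need these lines.
access-list outside permit udp host remote_peer host inner_pix eq isakmp
access-list outside permit esp host remote_peer host inner_pix
access-list outside permit ah host remote_peer host inner_pix
```

The `isakmp`, `esp` and `ah` keywords are the PIX names for UDP 500, IP protocol 50 and IP protocol 51, so the last three lines say exactly what the accepted answer asks for. For the dynamic-peer (Cisco VPN client) case the answer mentions, there is no fixed peer address to write into such rules, which is why the bypass is convenient there and why the original poster's later plan of terminating dynamic peers on a separate device in front of the PIX keeps the bypass off the PIX itself.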
06-26-2003 11:26 PM
Yes, I use this, so I will disable it and look.
Thank you very much for your hint, but I think there must be a reason
to use this command, even when it breaks a big hole in a firewall.
And do I have to allow outside connections with port 500 and with the
protocol ESP?
Very kind regards
06-30-2003 02:32 AM
Hello,
...and thank you again for your reply - your answers are very helpful to me.
So I have a little problem. We have 5 VPN connections established, 4 with static IPs but one with a dynamic IP, for which I need this "sysopt connection permit-ipsec" command. To have only as many holes in the PIX as needed, I plan to move this dynamic connection (and further ones) onto a router in front of the PIX, with a dedicated access-list to allow connections to this router.
Kind regards