Thursday, May 14, 2009

firewall-wizards Digest, Vol 37, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Cisco PIX - "Allow inbound IPsec sessions to bypass interface
access lists" (Michael Tewner)
2. Re: Cisco PIX - "Allow inbound IPsec sessions to bypass
interface access lists" (Farrukh Haroon)
3. Re: Cisco PIX - "Allow inbound IPsec sessions to bypass
interface access lists" (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 13 May 2009 14:31:59 +0300
From: Michael Tewner <tewner@gmail.com>
Subject: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to bypass
interface access lists"
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<34337f660905130431k5bc0386cje27f8d2b18a76c7b@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all -

I'm using a Cisco ASA 5500 series appliance with ASDM 6.1.

As I understand it, by default, incoming packets from IPsec site-to-site
VPN's are not checked by the standard interface ACL's -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
a specific remote host to a local host/LAN?

(2) I found that following checkbox in the "IPsec VPN Wizard" which might be
a step in the right direction - "Enable inbound IPsec sessions to bypass
interface access lists."
(a) Is this the proper setting?
(b) I assume that this will send the incoming traffic through the
"outside" interface? right?
(c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
this apply to my other VPN's?
(d) What Cisco ASA/PIX command does this translate to
(e) Is there a screen in the ASDM where I can enable this
after-the-fact?

(3) Or, perhaps, I'm looking in completely the wrong place?

Thank you!!
-Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090513/a1fbb962/attachment-0001.html>

------------------------------

Message: 2
Date: Thu, 14 May 2009 10:57:36 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to
bypass interface access lists"
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0905140057k7766a76eqf56f05bf6f609576@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Mike

You can do this using the vpn-filter command, the following are GUI and CLI
links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

The second option you mention translates to the following CLI command:

sysopt connection permit-vpn

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414

By default, because this command is enabled, all VPN tunnels terminated ON the
appliance itself are permitted and the interface ACL does not need to permit
IKE, NAT-T (UDP 4500), ESP etc. If you disable it, then you need to
specifically allow VPN traffic on the ACL.

Regards

Farrukh

On Wed, May 13, 2009 at 2:31 PM, Michael Tewner <tewner@gmail.com> wrote:

> Hi all -
>
> I'm using a Cisco ASA 5500 series appliance with ASDM 6.1.
>
> As I understand it, by default, incoming packets from IPsec site-to-site
> VPN's are not checked by the standard interface ACL's -
>
> (1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH
> from a specific remote host to a local host/LAN?
>
> (2) I found that following checkbox in the "IPsec VPN Wizard" which might
> be a step in the right direction - "Enable inbound IPsec sessions to bypass
> interface access lists."
> (a) Is this the proper setting?
> (b) I assume that this will send the incoming traffic through the
> "outside" interface? right?
> (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
> this apply to my other VPN's?
> (d) What Cisco ASA/PIX command does this translate to
> (e) Is there a screen in the ASDM where I can enable this
> after-the-fact?
>
> (3) Or, perhaps, I'm looking in completely the wrong place?
>
> Thank you!!
> -Mike
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090514/56036efd/attachment-0001.html>

------------------------------

Message: 3
Date: Thu, 14 May 2009 07:28:18 -0400
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to
bypass interface access lists"
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0905140428h4e97bbc5m4d8298134b7d510d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, May 13, 2009 at 7:31 AM, Michael Tewner <tewner@gmail.com> wrote:
> As I understand it, by default, incoming packets from IPsec site-to-site
> VPN's are not checked by the standard interface ACL's -
>
> (1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
> a specific remote host to a local host/LAN?

I don't believe this is default behavior, and it's certainly easy
enough to configure. You can use the interface-bound access lists to
control VPN traffic.

> (2) I found that following checkbox in the "IPsec VPN Wizard" which might be
> a step in the right direction - "Enable inbound IPsec sessions to bypass
> interface access lists."
> (a) Is this the proper setting?

Yes, this is just the ASDM/PDM checkbox for the 'sysopt connection
permit-ipsec' command. If you unset that option in your config, IPSec
traffic will be subject to the same access lists that unencrypted
traffic is.

> (b) I assume that this will send the incoming traffic through the
> "outside" interface? right?

Yes, the access-group that is configured for "in interface outside"
will affect traffic being decrypted by your firewall. Similarly, the
access-group configured for "in interface inside" (if you do egress
filtering) will affect traffic being encrypted.

> (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
> this apply to my other VPN's?

Yes, all of your IPSec tunnels, anyway. I don't know for certain, but
I think SSL VPN connections are unaffected by this setting.

> (d) What Cisco ASA/PIX command does this translate to

sysopt connection permit-ipsec

> (e) Is there a screen in the ASDM where I can enable this
> after-the-fact?

No idea. I've never been a fan of ASDM/PDM.


> (3) Or, perhaps, I'm looking in completely the wrong place?

I'd say you're right on track.

PaulM
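The two replies above describe two ways to reach Mike's goal of limiting one site-to-site tunnel to SSH from a single remote host: Farrukh's per-tunnel vpn-filter, and Paul's approach of turning off the bypass so the interface ACL applies to decrypted traffic. The fragment below is an added illustration of both, not configuration posted by anyone in the thread. The peer address 203.0.113.1, remote host 203.0.113.10, local host 192.168.1.20, and the names BRANCH-GP and VPN-FILTER-BRANCH are constructed placeholders; the command names (sysopt connection permit-vpn, vpn-filter, access-group) are the ones the replies cite or that accompany them on an ASA. The thread itself gives both permit-vpn and the older permit-ipsec spelling of the sysopt keyword.

```cisco
! --- Option A (Farrukh): keep the bypass, filter this one tunnel -------------
! The vpn-filter ACL is evaluated with the REMOTE side as source and the
! LOCAL side as destination, and is applied to both directions of the tunnel.
! Constructed example: only SSH from the remote host to the local host.
access-list VPN-FILTER-BRANCH extended permit tcp host 203.0.113.10 host 192.168.1.20 eq 22
! Everything else across this tunnel is dropped by the implicit deny.

group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-filter value VPN-FILTER-BRANCH

! Bind the filter to the site-to-site tunnel for this peer (placeholder peer IP).
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy BRANCH-GP

! --- Option B (Paul): disable the bypass, let the interface ACL decide --------
! With the bypass off, decrypted packets arriving on "outside" are checked by
! the same access-group as cleartext traffic, so that ACL must now allow the
! flows you want from every tunnel, not just this one.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp host 203.0.113.10 host 192.168.1.20 eq 22
access-group OUTSIDE-IN in interface outside

! Verification after either change:
!   show run sysopt          - confirms whether the bypass is on or off
!   show vpn-sessiondb l2l   - lists the active tunnel and the filter applied
```

Option A scopes the restriction to a single peer and leaves other tunnels unchanged, which answers question (c); Option B is global, as Paul notes, so every tunnel's traffic must then be permitted explicitly in the interface ACL.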


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 37, Issue 12
************************************************
