Access-list blocks VPN traffic


rlyj

IS-IT--Management
Jun 6, 2003
4
CA
Hi,

A site to site VPN is established between 2 networks and had no problem until we replaced CPFW with the PIX and added some access-lists to block outbound access. From the logs, the traffic between the 2 networks is blocked by these access-lists. Shouldn't sysopt and nat 0 commands force the PIX to bypass the access check for VPN traffic? Now we have to add access-lists to allow the traffic from the local network to the remote network. Any idea? TIA.

Randy
 
If you have sysopt connection permit-ipsec in the config then vpn traffic bypasses the ACLs on the pix. But that's the VPN traffic coming INTO out of a vpn :)

The reason being the command actually means allow traffic that has been decrypted to bypass ACLs. But outbound traffic from your internal network hasn't been decrypted. It hasn't yet BEEN encrypted, the pix is about to do that. So the sysopt command isn't relevant. You do have to specify ACLs to allow traffic to the remote end of the vpn if you've got ACLS blocking outgoing traffic, this is normal behaviour.

NAT 0 has nothing to do with bypassing ACLs by the way, it just means don't nat traffic between the specified subnets.

The reason sysopt connection permit-ipsec usually "just works" is that most people don't put rules on to block outbound traffic (although they should do), and by default the pix allows all outbound traffic, so they don't usually come across the issue.

chico

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Cisco's definition of sysopt connection permit-ipsec probably explains it better than I just have:

"sysopt connection permit-ipsec: Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections."

Your outbound traffic didn't "come from an IPSec tunnel".

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
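To make the two replies above concrete, here is an added PIX 6.x configuration fragment (not from the thread or from either poster) showing the three pieces that get confused: nat 0 (which only exempts the site-to-site subnets from NAT), the outbound access-list applied to the inside interface (which is what actually blocks local-to-remote traffic before it is encrypted, so it needs an explicit permit), and sysopt connection permit-ipsec (which only exempts already-decrypted traffic arriving from the tunnel). The subnets 192.168.1.0/24 and 192.168.2.0/24, the peer address 203.0.113.1 and the names nonat, outbound, vpn-traffic, mymap and myset are constructed placeholders.

```cisco
! --- NAT exemption: traffic between the two sites is not translated.
! --- This has no effect on access-list checking.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Outbound filter on the inside interface. Packets from the local LAN
! --- are checked here BEFORE the crypto map encrypts them, so the
! --- remote-site permit must appear before the final deny.
access-list outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list outbound deny ip any any
access-group outbound in interface inside

! --- Interesting traffic for the site-to-site tunnel (must mirror the
! --- remote peer's definition).
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-traffic
crypto map mymap 10 set peer 203.0.113.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

! --- Only decrypted packets coming OUT of the tunnel skip the outside
! --- interface's access-list/access-group checks. Traffic heading INTO
! --- the tunnel from the inside is still subject to "outbound" above.
sysopt connection permit-ipsec
```

The defensive point is the ordering in the outbound list: with a deny-all at the end (which, as chico notes, is the right posture), every legitimate destination reachable through the tunnel must be listed explicitly, and the log entries the original poster saw are the expected result of that deny matching first. Tightening the remote-site line to specific ports rather than "ip" is the usual next step once the tunnel is confirmed working.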
 
Thanks for the reply and info chico.

Randy
 