
multiple access lists per VPN 1


EddieVenus (Technical User), Apr 8, 2002
Is there a way that I can put another access list on my VPN usage? What I am looking for is to have my crypto map ACL fairly straightforward, just a one-liner, permit ip local.network remote.network. Primarily because I have to keep some tunnels going to non-Cisco devices that do not like multiline ACLs.

But then I want to control access to all my devices protected by the PIX with another global ACL. The PIX does not do ACLs in both directions on an interface as far as I can tell, like a router does. Since that would solve my problem, I think. So I am looking for a way to enact multiple access lists. One that goes with the crypto map, then another that is global to all VPNs, or all incoming traffic for that matter.

Obviously putting an access-list on the outside interface would not (and does not) do this as the VPN sidesteps this ACL. What I need is an access-list on the inside interface, facing the PIX. Something that would stop all traffic trying to go out the inside interface to the LAN. I cannot find where to put that. If you know, please share that info with me, as it is driving me nuts.

I appreciate your thoughts on this.

Eddie Venus

P.S. It is a simple thing I am trying to do, just limit access to only known IPs. There is a 501 10-user device that gets hit with licensing problems whenever someone tries to ping the whole subnet. I can stop the replies with an ACL on the inside interface, but it does not stop the echo-requests from getting to the network in the first place.
 
Disable the sysopt connection permit-ipsec command and configure an ACL on the outside interface. The sysopt... command bypasses the ACL applied to the outside interface, so if you disable it the PIX will decrypt the traffic and then check the outside ACL.
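The two states described in the reply above, side by side, as an added PIX 6.x configuration example that is not part of the original thread. The crypto ACL stays a one-liner (as the original poster needs for the non-Cisco peers); only the sysopt command and the outside ACL change. All addresses, names (vpn_crypto, outside_map, outside_in, strong) and the peer IP 203.0.113.20 are assumptions for illustration; 10.1.1.0/24 stands for the LAN behind the PIX and 192.168.5.0/24 for the remote VPN site.

```cisco
! Assumed addressing: 10.1.1.0/24 = LAN behind the PIX, 192.168.5.0/24 = remote VPN site.
! Crypto map and crypto ACL are identical in both states; the crypto ACL stays a
! single permit so the non-Cisco peer negotiates one SA.
access-list vpn_crypto permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_crypto
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside

! --- Before: decrypted VPN traffic skips the outside ACL entirely ---
! Anything matching vpn_crypto reaches the whole LAN once it leaves the tunnel,
! including a ping sweep of 10.1.1.0/24.
sysopt connection permit-ipsec

! --- After: decrypted VPN traffic is checked against the outside ACL ---
no sysopt connection permit-ipsec
! PIX ACLs take subnet masks, not IOS-style wildcard masks.
! Only the known hosts and services are reachable from the remote site.
access-list outside_in permit tcp 192.168.5.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list outside_in permit tcp 192.168.5.0 255.255.255.0 host 10.1.1.20 eq smtp
! Echo-requests are allowed only to the two known hosts; a sweep of the rest of
! the subnet is dropped on the PIX and never reaches the LAN.
access-list outside_in permit icmp 192.168.5.0 255.255.255.0 host 10.1.1.10 echo
access-list outside_in permit icmp 192.168.5.0 255.255.255.0 host 10.1.1.20 echo
access-list outside_in deny ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
! Entries for ordinary Internet traffic to the outside interface go here, as before.
access-group outside_in in interface outside
```

Two things to check after making the change. First, the ISAKMP (UDP 500) and ESP packets themselves are addressed to the PIX's own outside interface; the interface ACL filters traffic passing through the PIX, not traffic to the PIX, so the tunnel still comes up without an entry for them. Second, send a ping sweep from the remote site and run `show access-list outside_in`: the hit counts on the two ICMP permits and on the deny line confirm that decrypted traffic is now passing through the ACL rather than around it.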
 
Doh, that is right!!! I will try that right away. You earn a star. I had forgotten all about that. Thanks.

Eddie Venus
 
Just keep in mind that you are opening a potential security hole by opening in the outside ACL from IPs that are probably private subnets. Spoofing and such is what I am thinking.

Jan

Network Systems Engineer
CCNA/CQS
 
dopehead

Potentially true, but it would require that the person attempting to get in would have to know the IPs of both the source and dest. They would also then have to be on the same network segment to get any sort of two-way communication. They could spoof stuff into the network assuming they knew the IPs though. All in all, it is a better fix than it sounds. In order to gain access an attacker would need to have a certain level of access to the facilities already, and that is unlikely to be a problem here. In other cases I wholly agree with you, and would not implement this fix in those cases. But for this case it is perfect.

Eddie Venus
 
Hi.

> ... Spoofing and such is what i am thinking

> potentially true ...

In addition, if someone knows all the info, the PIX will still drop the spoofed packets because the PIX knows that packets from the VPN subnet must come from within a VPN tunnel.
It is still strange that Cisco hasn't yet allowed a specific ACL for VPN traffic instead of combining it with the outside ACL; maybe some future release will do that.

Anyway, implementing an ACL on VPN traffic is a good idea in general, because VPN is becoming more and more of a big door/hole in our firewalls, and restricting it is common sense.

If you wish to go one step further and have the budget for it, you can purchase a VPN device such as Cisco 3015 which will give you more options to manage and control the VPN traffic.



Yizhar Hurwitz
 