
VPN tunnel Question

Status
Not open for further replies.

ianbla

IS-IT--Management
Oct 31, 2001
156
GB
We have a customer who we can VPN into to perform checks. Now if the consultant on the internal LAN VPNs into the client, does all traffic then bypass the firewall rules because it is in an encrypted tunnel? e.g. port 1434 is not allowed through the firewall, but could this pass through the tunnel?
 
The answer is Yes, assuming your access-list for VPN traffic is permitting everything (IP). There is only one exception: if you have an access-list on your INSIDE interface, its rules will be checked before the traffic goes to the VPN tunnel.
 
With the tunnel starting between the consultant's laptop and the client system, wouldn't this also be ignored once the tunnel was established, as all the data would be encrypted?
 
NO. The access list on the inside interface acts on all traffic coming to the inside interface from inside. The encryption is normally done at the inside interface after the access lists are processed. Think of the interface having two sides: LAN side and router side. The access-lists work on the LAN side and the encryption is done on the router side before being shoved out the WAN interface to the other router.
 
I thought the VPN software sitting on the laptop would encrypt/decrypt and thus bypass the firewall ACLs.

If I look at the SYSLOG I can see the initial connection and then nothing.
 
I misunderstood. TBISSETT is right - the access lists at your end are bypassed. Where does the tunnel end? You might want to put an access-list at that end. Alternately remove SQL from the connecting laptop.
 
HI.

Yes, the VPN traffic is hidden to the pix (unless the pix is a peer which is not the case here).

You should not worry too much about this because:
A. The tunnel is established on demand and only from your side (consultant) to the other remote network.
Your consultant acts as a VPN client only and will/should not act as VPN server for reverse sessions.
B. Once the VPN tunnel is established, the consultant's computer does not act as a router, which means that the remote VPN side cannot forward packets to your SQL server via the VPN tunnel.

However you should verify that the computer of the consultant does not share its C drive over the VPN tunnel, as this could be risky.
This depends on the VPN client software you have, and anyway you should not share the C drive at all, which is probably the current status.

Bye

Yizhar Hurwitz
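To make the packet path the replies above describe concrete, here is a small Python model added as an illustration; it is not code from this thread or from any Cisco product. The hosts, addresses and ACL rules are constructed assumptions, the ACL semantics are the usual first-match-with-implicit-deny, and the tunnel is modelled as ESP tunnel mode, where the perimeter firewall only ever sees an outer header (laptop to VPN gateway, protocol ESP) and an opaque payload. The four scenarios correspond to the cases discussed: TCP/1434 sent without a tunnel, the same packet inside a client-initiated tunnel (the perimeter ACL is bypassed), a router-terminated tunnel with an inside-interface ACL (checked before encryption), and an ACL at the far end of the tunnel (checked after decryption).

```python
"""Added, simplified model of a firewall in front of a VPN client.
All addresses, ports and rules below are constructed examples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESP = "esp"                    # IP protocol 50, the encrypted tunnel payload
PEER_LAPTOP = "10.0.0.25"      # constructed: consultant's laptop (VPN client)
PEER_GATEWAY = "203.0.113.1"   # constructed: customer's VPN gateway
REMOTE_SQL = "192.168.50.10"   # constructed: SQL server behind that gateway
SQL_BROWSER_PORT = 1434        # the port the original question asks about


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every port


def evaluate(acl: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action == "permit"
    return False


def encapsulate(pkt: Packet) -> Tuple[Packet, Packet]:
    """ESP tunnel mode: a new outer header is all an on-path firewall can
    inspect; the original packet travels as opaque ciphertext."""
    return Packet(src=PEER_LAPTOP, dst=PEER_GATEWAY, proto=ESP), pkt


def traverse(pkt: Packet, perimeter_acl: List[Rule], tunnel: bool = True,
             inside_acl: Optional[List[Rule]] = None,
             remote_acl: Optional[List[Rule]] = None) -> Tuple[bool, List[str]]:
    """Walk the packet through each checkpoint; return (delivered, trace)."""
    trace = []
    if not tunnel:                      # plain traffic: perimeter sees it all
        ok = evaluate(perimeter_acl, pkt)
        trace.append(f"perimeter sees {pkt.proto}/{pkt.dport} -> {pkt.dst}: "
                     f"{'permit' if ok else 'deny'}")
        return ok, trace
    if inside_acl is not None:          # router is the crypto endpoint:
        ok = evaluate(inside_acl, pkt)  # inside ACL runs before encryption
        trace.append(f"inside-interface ACL on cleartext: "
                     f"{'permit' if ok else 'deny'}")
        if not ok:
            return False, trace
    outer, inner = encapsulate(pkt)
    ok = evaluate(perimeter_acl, outer)  # only the outer header is visible
    trace.append(f"perimeter sees {outer.proto} {outer.src} -> {outer.dst} "
                 f"(payload opaque): {'permit' if ok else 'deny'}")
    if not ok:
        return False, trace
    if remote_acl is not None:          # far end can filter after decryption
        ok = evaluate(remote_acl, inner)
        trace.append(f"remote-end ACL after decryption: "
                     f"{'permit' if ok else 'deny'}")
        if not ok:
            return False, trace
    trace.append(f"delivered {inner.proto}/{inner.dport} to {inner.dst}")
    return True, trace


# Constructed perimeter policy: block SQL browser traffic, allow IKE and ESP.
PERIMETER_ACL = [Rule("deny", "tcp", SQL_BROWSER_PORT), Rule("permit", "udp", 500),
                 Rule("permit", ESP), Rule("permit", "ip")]
BLOCK_SQL = [Rule("deny", "tcp", SQL_BROWSER_PORT), Rule("permit", "ip")]
SQL_PROBE = Packet(PEER_LAPTOP, REMOTE_SQL, "tcp", SQL_BROWSER_PORT)


def run_scenarios() -> dict:
    """Delivered-or-not for each situation discussed in the thread."""
    return {
        "no_tunnel": traverse(SQL_PROBE, PERIMETER_ACL, tunnel=False)[0],
        "client_tunnel": traverse(SQL_PROBE, PERIMETER_ACL)[0],
        "router_endpoint_inside_acl":
            traverse(SQL_PROBE, PERIMETER_ACL, inside_acl=BLOCK_SQL)[0],
        "remote_end_acl":
            traverse(SQL_PROBE, PERIMETER_ACL, remote_acl=BLOCK_SQL)[0],
    }


if __name__ == "__main__":
    for name, delivered in run_scenarios().items():
        print(f"{name}: {'delivered' if delivered else 'blocked'}")
```

The second scenario is the one the original question worries about: the perimeter firewall's deny on TCP/1434 never fires because the only packets it sees are ESP to the gateway, which matches what the SYSLOG shows (the tunnel setup, then nothing). The last two scenarios are the two places a control can still apply: an inside-interface ACL when the router itself terminates the tunnel, or a filter at the far end once the traffic is decrypted.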
 