General Cisco Forum - Cisco Systems - Hardware Software and Security News and Discussions
Posted by Shawn H. Mesiatowsky on November 22, 2004, 10:08 am
I have just set up our network composed of the following: our main office has
a Pix 515 that is used for NAT and VPN for remote users and VPN for our
satellite office which has a Pix 505. Our main office has our mail servers
and web servers that must communicate with the internet and our satellite
office has servers that only communicate with our main office. I need to
block all unnecessary ports between the two offices (that use VPN) and I need
to block all ports for remote users (except port 3389) that connect using
VPN. Upon reading some information on the net and reading some posts here I
thought of a way. I am currently using the sysopt connection permit-ipsec
command but it seems like I should not, and I should put access lists on the
inside and outside interfaces. I currently do not have any access lists on
the interfaces. Will NAT also send out any broadcast messages destined
outside our subnet? If I put an access list on the inside interface will it
stop this? If I put an access list on the outside interface do I need to
specify the ports for the Cisco VPN software and if so, which ports are
they? Thanks for your help.
Sincerely,
Shawn H. Mesiatowsky
Posted by Walter Roberson on November 22, 2004, 5:28 pm
:I have just set up our network composed of the following: our main office has
:a Pix 515 that is used for NAT and VPN for remote users and VPN for our
:satellite office which has a Pix 505. Our main office has our mail servers
:and web servers that must communicate with the internet and our satellite
:office has servers that only communicate with our main office. I need to
:block all unnecessary ports between the two offices (that use VPN) and I need
:to block all ports for remote users (except port 3389) that connect using
:VPN. Upon reading some information on the net and reading some posts here I
:thought of a way. I am currently using the sysopt connection permit-ipsec
:command but it seems like I should not, and I should put access lists on the
:inside and outside interfaces. I currently do not have any access lists on
:the interfaces.
Removing permit-ipsec and putting in explicit access-groups is a good
idea in any situation in which users clearly understand that
security will sometimes interfere with convenience. It can, though,
lead to awful fights in situations where users feel that they have
the "right" to access whatever content they want whenever they
want, and that they shouldn't have to ask even once.
Universities are apparently quite bad that way: professors don't
hesitate to drag in department heads and deans, and threaten to take
their grant funded work elsewhere and to discourage people from
agreeing to take positions... It's a rare university in which the
university Senate or Board of Regents is prepared to step up and say
"Your desire to avoid security is risking the computing infrastructure
of the entire university. The security *will* be implemented, and if
you aren't prepared to live with that, then you can resign and we'll
appoint your rival to your position."
:Will NAT also send out any broadcast messages destined
:outside our subnet?
No. The PIX will not forward broadcasts. (Multicast is a different
matter.)
:If I put an access list on the inside interface will it
:stop this? If I put an access list on the outside interface do I need to
:specify the ports for the Cisco VPN software and if so, which ports are
:they? Thanks for your help.
An access-group applied to the inside interface will only affect
new flows going to outside, and the access-list will be ignored
for VPN traffic if you have the permit-ipsec option turned on.
If your outside ACL permits new connections from the other
side or if you have permit-ipsec turned on, then the adaptive
security algorithm will dynamically modify the access lists
to permit return traffic from the inside.
You could, in theory, work just with deny ACLs on the inside
interfaces of the 515 and 506 (and with permit-ipsec turned off),
but if you do so then there is always a risk that one of the
ACLs will get accidentally removed, or will be out-of-synchronization
with the ACL on the other side, and then you will end up with
traffic travelling over the link that you don't really want the
other side to accept. It is safer to deny unwanted VPN traffic
on both your inside ACL and your outside ACL.
--
Warning: potentially contains traces of nuts.
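What the approach Walter describes looks like on the main-office 515, as an added PIX 6.3-style configuration example that is not from the thread: permit-ipsec removed, an outside list that admits only the wanted decrypted tunnel flows, and an inside list that denies unwanted traffic toward the tunnels before the general permit (the satellite PIX would carry mirror-image lists). All addresses, server roles and the satellite's "needed" ports are placeholders, and the crypto map, the nat 0 exemption for tunnel traffic and isakmp enable outside are assumed to be configured already.

```cisco
! Added example, not from the thread. Placeholder addressing:
!   main office inside   10.1.0.0/24 (mail 10.1.0.10, web 10.1.0.20, terminal server 10.1.0.30)
!   satellite office     10.2.0.0/24 (reached over the site-to-site tunnel)
!   remote-user VPN pool 10.3.0.0/24
!   public statics       203.0.113.10 -> mail, 203.0.113.20 -> web
! The crypto map, the "nat 0" exemption for tunnel traffic and
! "isakmp enable outside" are assumed to be configured already.

! 1. Remove the bypass so decrypted VPN traffic is checked by the
!    interface access-groups like any other traffic.
no sysopt connection permit-ipsec

! 2. Outside interface. IKE and ESP terminate on the PIX itself and are
!    not filtered by this list; it governs traffic passing through the box.
! Internet-facing services (matched on the static global addresses)
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.20 eq www
! Remote users: RDP only, to the terminal server (untranslated addresses via nat 0)
access-list outside_in permit tcp 10.3.0.0 255.255.255.0 host 10.1.0.30 eq 3389
! Satellite office: only the ports its servers actually need (placeholder ports)
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq smtp
access-list outside_in permit udp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq domain
! Everything else, including any other decrypted tunnel traffic, is dropped and logged
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! 3. Inside interface. Deny what must never cross the tunnels before the
!    general permit, so the far side's list is not the only safeguard.
access-list inside_out deny ip any 10.3.0.0 255.255.255.0 log
access-list inside_out permit tcp host 10.1.0.10 10.2.0.0 255.255.255.0 eq smtp
access-list inside_out deny ip any 10.2.0.0 255.255.255.0 log
access-list inside_out permit ip 10.1.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

Return traffic for flows these lists permit is handled by the PIX's stateful inspection, so no reverse entries are needed; the logged denies on both lists are what reveal a list that has drifted out of step with the other side.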