From: Brent Schultz (brent@mail.happens.com)
Date: Thu Feb 06 2003 - 16:58:52 GMT-3
Ian-
For this example, say that we want to allow the following over the vpn:
-allow ICMP traffic to and from LAN_A to and from LAN_B
-only host_A to be able to telnet to host_B and no other traffic originating from LAN_A destined for any host on LAN_B
-any host on LAN_B to be able to ftp to host_A and no other traffic originating from LAN_B destined for any host on LAN_A
host_A ---LAN_A---PIX_A---internet---PIX_B---host_B---LAN_B
LAN_A 10.1.1.0/24
host_A 10.1.1.10
LAN_B 192.168.1.0/24
host_B 192.168.1.10
PIX_A access-lists:
access-list outside permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 range 20 21
access-list outside ... (any existing)
access-list vpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
PIX_B access-lists:
access-list outside permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside permit tcp host 10.1.1.10 host 192.168.1.10 eq 23
access-list outside ... (any existing)
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
It really is pretty easy.
-Brent
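To sanity-check that the two "outside" ACLs in the post above enforce the stated policy once the decrypted VPN traffic is no longer bypassing them, here is an added Python evaluator (my code, not Brent's and not anything from Cisco) that parses the subset of PIX ACL syntax used in his post and answers whether a given decrypted flow arriving on each PIX's outside interface would be permitted. It assumes top-down first-match evaluation with an implicit deny at the end, and omits the "... (any existing)" entries.

```python
import ipaddress

# Constructed copies of the two "outside" ACLs from the post; "... (any existing)" omitted.
PIX_A_OUTSIDE = """
access-list outside permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 range 20 21
"""
PIX_B_OUTSIDE = """
access-list outside permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside permit tcp host 10.1.1.10 host 192.168.1.10 eq 23
"""

def _addr(tokens):
    """Consume one PIX address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _ports(tokens):
    """Consume an optional destination port spec ('eq N' or 'range N M')."""
    if not tokens:
        return (0, 65535)          # no port clause: any port
    if tokens[0] == "eq":
        return (int(tokens[1]), int(tokens[1]))
    if tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2]))
    raise ValueError(f"unsupported port spec: {' '.join(tokens)}")

def parse_acl(text):
    """Return [(action, proto, src_net, dst_net, (lo, hi)), ...] in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue                # skip blank lines and anything else
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        aces.append((action, proto, src, dst, _ports(rest)))
    return aces

def permitted(acl, proto, src, dst, dport=0):
    """Top-down first match; a PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, (lo, hi) in acl:
        if p in (proto, "ip") and s in sn and d in dn and lo <= dport <= hi:
            return action == "permit"
    return False
```

Feeding it a flow that the policy should reject (say, SSH from host_A to host_B on PIX_B, or FTP from LAN_B to a LAN_A host other than host_A on PIX_A) returns False, which is the check you want to run before removing the bypass on a production box.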
---------- Original Message ----------------------------------
From: "Stong, Ian C [GMG]" <Ian.C.Stong@mail.sprint.com>
Date: Thu, 6 Feb 2003 12:48:33 -0600
>I'd be interested as well as I would prefer to lock down the inbound IPSEC
>connections to specific ports and hosts if possible.
>
>Thanks
>
>-----Original Message-----
>From: Brent Schultz [mailto:brent@mail.happens.com]
>Sent: Thursday, February 06, 2003 1:20 PM
>To: Ccielab group study
>Subject: Re: No Sysop connection permit IPSEC
>
>
>Josh-
>
>I am successfully doing this on several installs (mainly PIX to checkpoint,
>but I do have a couple of PIX to PIX).
>I have not had any real issues (other than changing how I was thinking
>about/approaching the configs).
>If you would like to look at a working config or have any specific
>questions, I would be happy to help.
>
>-Brent
>
>---------- Original Message ----------------------------------
>From: "Perrymon, Josh L." <PerrymonJ@bek.com>
>Reply-To: "Perrymon, Josh L." <PerrymonJ@bek.com>
>Date: Thu, 6 Feb 2003 10:59:35 -0600
>
>>Question,
>>
>>The command " Sysop Connection Permit IPSEC"
>>allows all IPSEC traffic to come inbound the firewall and bypass ACLs.
>>It relies on the crypto map to verify encryption domains.
>>
>>I would like to remove the sysop connection permit IPSEC so I can control
>>access to ports on certain servers.
>>
>>I know it will work- BUT, is anyone else doing this... And what has your
>>experience been with this.
>>I know that the crypto maps know to allow IPSEC ports but then I have to
>>allow IP traffic.
>>
>>
>>Any Ideas.. Or thoughts...
>>
>>Joshua Perrymon
>>Network Security Consultant
>>BE&K Information Security Dept.
>>2000 International Park Drive
>>Birmingham, Al 35243
>>Voice ( 205 ) 972-6745
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:13 GMT-3