RE: EAZYVPN through the PIX. Very interesting...

From: George Bekmezian (groupstudy@bekmezian.com)
Date: Sun Aug 27 2006 - 00:43:22 ART


Hey Stefan, EZVPN does use ISAKMP and ESP for tunnel negotiation and data
delivery respectively. If you actually want to see what traffic is
entering and exiting your PIX there is a much better way to accomplish
that task than outside interface ACLs. Judging from your email, this is
just a lab environment, so it should be safe to do this. Use 'capture'
instead of access-group. This will actually show you ALL traffic similar
to the way TCPDUMP and SNOOP work on *nix/Solaris platforms. You can even
attach an ACL to the capture command to narrow down what you capture.

Good luck,

George
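An added example of the capture approach George describes (not part of his message): the ACL and capture names are my own, and it assumes PIX 6.2 or later with the interface named outside.

```text
! Constructed example: capture only the EZVPN negotiation and data traffic
! (ISAKMP on UDP/500 and ESP) on the outside interface of the PIX.
! Names EZVPN-CAP and ezvpn are assumptions, not from the original thread.
access-list EZVPN-CAP permit udp any any eq 500
access-list EZVPN-CAP permit esp any any
capture ezvpn access-list EZVPN-CAP interface outside
!
! Bring the tunnel up and ping across it, then look at what the PIX saw:
show capture ezvpn
!
! Reset the buffer between tests, and remove the capture when finished:
clear capture ezvpn
no capture ezvpn
```

Unlike an interface ACL, the capture records packets regardless of whether they are permitted, so it also shows traffic that never touches the OUTSIDE access-list counters.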

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Stefan Grey
Sent: Saturday, August 26, 2006 12:48 PM
To: ccielab@groupstudy.com
Subject: EAZYVPN through the PIX. Very interesting...

Hello all!
I just configured the scenario of (Router as the Eazyvpn server and Router
as the Eazyvpn client) and realized a very interesting thing.

R1 - PIX -R2
R2 - server and R1 - client. Well, before I thought that Eazyvpn works using
IPSEC. So I thought ISAKMP is used for connection establishment and ESP
traffic is used for transport of encrypted traffic. So I added to the
OUTSIDE access-list of the PIX these 3 statements (it is also added in the
Trinetnt workbook which I use):

access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=0)
access-list OUTSIDE line 4 permit esp any any (hitcnt=0)

I configured the whole scenario, established the relationship and pinged the
two networks from both sides through the tunnel. The command show crypto
engine connections active shows that the packets went through the tunnel.

The most interesting thing here is that no counters at the PIX
incremented. So it still was:

access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=0)
access-list OUTSIDE line 4 permit esp any any (hitcnt=0)
I removed all unnecessary lines so that nothing was permitted in the
OUTSIDE access list.
But even without this the connection can still be established and R2 can
still ping R1.

So here is my question:
1. EAZYVPN uses which packets?? Even when I add permit ip any any no
counter increases.

2. Why can the outside R2 ping R1 although nothing is permitted in the
access list? I think it is out of the PIX logic because it doesn't permit
the traffic from the outside to inside by default.

Any thoughts??? What do you think about this all??



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART