From: Scott Morris (swm@emanon.com)
Date: Tue Sep 05 2006 - 05:23:00 ART
It all has to do with the order of operations on the PIX, and with why they
chose wording like that. When an encrypted packet comes in and becomes
decrypted, the question is whether that process happens all over again
(which can lead to some large and ugly configurations, but it depends on how
much you trust your VPN peers).
In order to pass IPSec tunnels THROUGH a PIX, it works like any other
connection does. The permissions need to be set up. Which means you have to
permit isakmp (udp/500), and protocols ESP and AH. You may also need to
permit things like tcp/udp 4500 or 10000, depending on what devices you are
peering together and whether you have NAT-T enabled.
So play around a little bit with those things, but you must specifically
have permissions set up on the PIX to allow passthrough tunnels like that.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
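A concrete PIX configuration for the passthrough case described above, added here as an example; it is not from the thread or from Cisco documentation. The peer addresses (203.0.113.10 for the remote router, 198.51.100.20 as the outside address of the inside router 10.1.1.1), the interface names and the access-list name are assumptions, as is the static translation (needed so the remote peer has a fixed address to reach the inside router). Lines beginning with `!` are explanatory comments.

```cisco
! Added example (not from the thread): let a router-to-router IPsec tunnel
! pass THROUGH the PIX. Addresses, names and the static are assumptions.
!
! Inside router 10.1.1.1 is presented on the outside as 198.51.100.20.
! A 1:1 static keeps ESP/AH intact (no port translation), so NAT-T is
! normally not needed for this pair.
static (inside,outside) 198.51.100.20 10.1.1.1 netmask 255.255.255.255

access-list OUTSIDE_IN remark --- ISAKMP/IKE (udp/500) between the two peers only
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 198.51.100.20 eq isakmp
access-list OUTSIDE_IN remark --- NAT-T encapsulation (udp/4500), only if NAT-T is negotiated
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 198.51.100.20 eq 4500
access-list OUTSIDE_IN remark --- ESP (IP protocol 50) and AH (IP protocol 51)
access-list OUTSIDE_IN permit esp host 203.0.113.10 host 198.51.100.20
access-list OUTSIDE_IN permit ah host 203.0.113.10 host 198.51.100.20
access-list OUTSIDE_IN remark --- anything else inbound hits the implicit deny

access-group OUTSIDE_IN in interface outside

! Deliberately absent: "sysopt connection permit-ipsec". It only bypasses the
! inbound ACL for tunnels that terminate on the PIX itself, so it does nothing
! for a tunnel that merely transits the PIX.
```

The entries are scoped to the two peer addresses rather than `any`, so the PIX still drops ISAKMP/ESP/AH from unknown sources. After the tunnel comes up, `show access-list OUTSIDE_IN` should show hit counts on the isakmp line and on the esp (or ah) line; the udp/4500 line stays at zero unless NAT-T was negotiated.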
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Petr Lapukhov
Sent: Tuesday, September 05, 2006 1:56 AM
To: 2nd CCIE
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: PIX sysopt connection permit-ipsec
Needless to say, that tunnel has to terminate on the PIX interface for that
'bypass' to be possible.
2006/9/5, Petr Lapukhov <petr@internetworkexpert.com>:
>
> Hey, I think I get it :)
>
> It seems like the "decapsulated" traffic bypasses the access-list check
> with this command.
>
> Just like with IOS until 12.3(8)T, when they double-check the inbound
> access-list for decrypted packets (again).
>
> It looks like with this PIX command, decrypted packets bypass the inbound ACL.
>
> Thanks a lot for that question, I was always guessing what this
> command actually does :)
>
>
> HTH
>
>
> 2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
> >
> > Thanks for confirming that. However, I will copy the command
> > reference as it is in the command reference guide, which caused me
> > this confusion; as you will see, it says connections that pass
> > through the PIX, nothing mentioned about terminating on the PIX.
> >
> > Thanks anyway
> >
> >
> > sysopt connection permit-ipsec
> >
> > Use the sysopt connection permit-ipsec command in IPSec
> > configurations to permit IPSec traffic to pass through the PIX
> > Firewall without a check of conduit or access-list command statements.
> > An access-list or conduit command statement must be available for
> > inbound sessions. By default, any inbound session must be explicitly
> > permitted by a conduit or access-list command statement. With IPSec
> > protected traffic, the secondary access list check could be redundant.
> > To enable IPSec authenticated/cipher inbound sessions to always be
> > permitted, use the sysopt connection permit-ipsec.
> >
> >
> >
> >
> > Petr Lapukhov <petr@internetworkexpert.com> wrote:
> > AFAIK,
> >
> > "permit-ipsec" permits IPsec traffic that terminates on the PIX itself,
> > not across the PIX.
> >
> > That is, when you enable ISAKMP on the outside interface, you probably
> > don't want the PIX to accept ESP/AH packets from anywhere. Just from
> > established IPsec tunnels.
> >
> > HTH
> >
> > 2006/9/5, 2nd CCIE <doubleccie@yahoo.com>: Hi Folks
> > I am trying to establish a tunnel between two routers across a PIX
> > firewall.
> >
> > When I explicitly allow udp 500 and ESP on the PIX outside
> > interface, everything goes well. However, when I replace that with
> > the command sysopt conn permit-ipsec, it does not work.
> >
> > According to the Cisco docs, this command is used to allow the
> > IPSEC traffic to traverse the PIX, but this does not happen. What am I
> > missing here?
> >
> > Any help will be appreciated
> >
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> > --
> > Petr Lapukhov, CCIE #16379
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Outside US: 775-826-4344
> >
> >
> >
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART