Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Wed, 27 Sep 2006 10:12:48 -0700

Vahid Pazirandeh wrote:
Quick version:
1. I don't want VPN access open to the entire world.  Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?

I have a Cisco PIX 515E with 7.2(1) software up and running.  I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!).  How can I deny them?  I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
crypto dynamic-map dyn1 1 set  peer

which would only allow VPN clients having IP to login, but the problem
is they still receive a login prompt.  Is there a way to hide the VPN entirely
(like just dropping the pkts for unknown clients).

kind regards,

 "Make it better before you make it faster."

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

Okay -
How will you try to restrict access based on ACL's for remote access 
VPN. Think about all the DHCP users (Like broadband connection or 
dialup) who will be logging in and their IP address is not guaranteed to 
be static(same) all the time.

That why you have Remote access VPN instead of LAN2LAN tunnel!. Well I 
am not saying you cannot do that, but it kinda defeats the purpose for me.

Infact do not trust anything either hostnames or IP's. Use secure keys 
and you will be safe, that is relatively.

BTW the first process of any VPN is IKE, which actually listens on port 
500. Now, 10000 is the standard PIX port for receiving and sending IPSec 
traffic, why would you want to put ACL's on the port which is meant for 
receiving and sending IPSec packets. If your ACLs are bad!, then it will 
result in bad connectivity for the users whom you think need to use it.
Paranoia is fine with security, but dont be over paranoid. PIX is 
relatively more secure and it is smart enough to allow only the traffic 
that it trusts to go thru it (which BTW depends on your config).

Hope this helps.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]