[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
pgurumu at gmail.com
Wed Sep 27 13:12:48 EDT 2006
Vahid Pazirandeh wrote:
> Quick version:
> 1. I don't want VPN access open to the entire world. Is there a way to limit
> its access with ACLs?
> 2. A follow-up question: can I restrict access to VPN clients based on their
> hostnames instead of IPs?
> I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to
> VPN in general, but remote access VPN is working.
> I tried using IPSec over TCP (which works), but even if I have a "deny ip any
> any" rule for the outside interface, TCP connections are still permitted to the
> VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so
> exposed to port scanning.
> I did find the "set peer" option:
>> crypto dynamic-map dyn1 1 set peer 18.104.22.168
> which would only allow VPN clients having IP 22.214.171.124 to login, but the problem
> is they still receive a login prompt. Is there a way to hide the VPN entirely
> (like just dropping the pkts for unknown clients).
> kind regards,
> "Make it better before you make it faster."
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
How will you try to restrict access based on ACL's for remote access
VPN. Think about all the DHCP users (Like broadband connection or
dialup) who will be logging in and their IP address is not guaranteed to
be static(same) all the time.
That why you have Remote access VPN instead of LAN2LAN tunnel!. Well I
am not saying you cannot do that, but it kinda defeats the purpose for me.
Infact do not trust anything either hostnames or IP's. Use secure keys
and you will be safe, that is relatively.
BTW the first process of any VPN is IKE, which actually listens on port
500. Now, 10000 is the standard PIX port for receiving and sending IPSec
traffic, why would you want to put ACL's on the port which is meant for
receiving and sending IPSec packets. If your ACLs are bad!, then it will
result in bad connectivity for the users whom you think need to use it.
Paranoia is fine with security, but dont be over paranoid. PIX is
relatively more secure and it is smart enough to allow only the traffic
that it trusts to go thru it (which BTW depends on your config).
Hope this helps.
More information about the firewall-wizards