Firewall Wizards mailing list archives
Re: Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Wed, 27 Sep 2006 10:12:48 -0700
Vahid Pazirandeh wrote:
Quick version:

1. I don't want VPN access open to the entire world. Is there a way to limit its access with ACLs?

2. A follow-up question: can I restrict access to VPN clients based on their hostnames instead of IPs?

I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to VPN in general, but remote access VPN is working. I tried using IPSec over TCP (which works), but even if I have a "deny ip any any" rule for the outside interface, TCP connections are still permitted to the VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so exposed to port scanning.

I did find the "set peer" option:

    crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients having IP 1.2.3.4 to log in, but the problem is they still receive a login prompt. Is there a way to hide the VPN entirely (like just dropping the pkts for unknown clients)?

kind regards,
Vahid

=============================================
"Make it better before you make it faster."
=============================================
Okay - how will you try to restrict access based on ACLs for remote access VPN? Think about all the DHCP users (like broadband connection or dialup) who will be logging in and whose IP address is not guaranteed to be static (the same) all the time. That's why you have remote access VPN instead of a LAN2LAN tunnel! Well, I am not saying you cannot do that, but it kinda defeats the purpose for me. In fact, do not trust anything, either hostnames or IPs. Use secure keys and you will be safe, that is, relatively.

BTW, the first process of any VPN is IKE, which actually listens on port 500. Now, 10000 is the standard PIX port for receiving and sending IPSec traffic; why would you want to put ACLs on the port which is meant for receiving and sending IPSec packets? If your ACLs are bad, then it will result in bad connectivity for the users who you think need to use it. Paranoia is fine with security, but don't be over-paranoid. PIX is relatively more secure and it is smart enough to allow only the traffic that it trusts to go through it (which BTW depends on your config).

Hope this helps.

Prabhu