Date: Thu, 14 Nov 2002 12:13:01 -0800
Content-Type: text/plain
Interesting. Our PIX firewall was set up about 3 years ago by some
consultants. The only outbound and apply commands (to prevent some
users from accessing the Internet) are:
outbound 1 deny 192.168.11.224 255.255.255.224 0 0
apply (inside) 1 outgoing_src
Yes, I am trying to go from inside to outside--connecting from behind
our PIX to a VPN outside the PIX. Would adding these statements open up
the necessary protocols & ports without 'breaking' anything else (where
1.2.3.4 is the external IP of the VPN)? --
Outbound 50 permit 1.2.3.4 255.255.255.255 500 udp
Outbound 50 permit 1.2.3.4 255.255.255.255 10000 udp
Outbound 50 permit 1.2.3.4 255.255.255.255 0 esp
Apply (inside) 50 outgoing_dest
-----Original Message-----
From: Jeff Kell [mailto:[log in to unmask]]
Sent: Thursday, November 14, 2002 11:29 AM
To: Eben Yong; HP3000-L List
Subject: Re: [HP3000-L] OT: PIX Firewall configuration
Eben Yong wrote:
>
> Hi Folks,
>
> I've also posted this message to comp.security.firewalls but was hoping
> that perhaps a potential CISCO guru might scan this and offer some help.
> Am trying to connect from behind the PIX to a VPN and am told that I
> need to do this:
>
> > The things you need to open up through the firewall software are
> > Protocol 50 (ESP), UDP port 500 (ISAKMP), and UDP port 10000 (IPSec
> > thru NAT)
>
> 1. I am thinking that the configuration needs to be modified using the
> fixup and conduit commands. Is this true?
>
> 2. If true, would these commands accomplish the task (where 1.2.3.4 is
> the IP address of the host VPN):
> a. fixup protocol udp 500
> b. fixup protocol udp 10000
> c. conduit permit udp host 1.2.3.4 any
> d. conduit permit esp host 1.2.3.4 any
No fixups for VPN (no secondary channels).
Conduits are deprecated, use ACLs.
If you're going from inside to outside, you shouldn't need ACLs; but if
you have one, it should allow the protocols and ports above.
Jeff
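As an added illustration of the ACL approach Jeff recommends (this is not from either poster), here is the same policy written as a PIX 6.x access list bound to the inside interface. The list name inside_out, the inside network 192.168.11.0/24, and the choice to fold the existing "outbound 1" deny into the ACL instead of running outbound/apply and an access-group on the same interface are assumptions; 1.2.3.4 is the VPN gateway as in the thread, and the "!" comment lines are explanatory only and should be stripped before pasting.

```cisco
! Added example, not from the thread. Assumes PIX 6.x access-list syntax;
! the ACL name inside_out and the inside network 192.168.11.0/24 are assumptions.
! An ACL bound with access-group ends in an implicit deny, so the final
! "permit ip any any" is what keeps the current "everything else may go out"
! behaviour for the rest of the inside network.

! Carry over the existing policy: 192.168.11.224/27 stays cut off from the Internet
! (placed first so those hosts cannot reach the VPN gateway either)
access-list inside_out deny ip 192.168.11.224 255.255.255.224 any

! IPsec to the VPN gateway only (1.2.3.4 as in the thread):
! IKE on UDP 500, the UDP 10000 encapsulation the VPN vendor asked for,
! and ESP (IP protocol 50), which has no port numbers
access-list inside_out permit udp 192.168.11.0 255.255.255.0 host 1.2.3.4 eq 500
access-list inside_out permit udp 192.168.11.0 255.255.255.0 host 1.2.3.4 eq 10000
access-list inside_out permit esp 192.168.11.0 255.255.255.0 host 1.2.3.4

! Everything else from inside may still go out (the pre-ACL default)
access-list inside_out permit ip any any

! Bind the list to traffic entering the PIX on the inside interface
access-group inside_out in interface inside
```

This covers only the inside-to-outside direction the thread is about: the PIX tracks the two UDP flows statefully, but because ESP carries no ports, whether the gateway's reply ESP packets are let back in depends on the PIX version and NAT setup and should be verified on the outside interface before declaring the tunnel working.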
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *