HP3000-L Archives

November 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Eben Yong <[log in to unmask]>
Reply To: Eben Yong <[log in to unmask]>
Date: Thu, 14 Nov 2002 12:13:01 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (60 lines)

Interesting.  Our PIX firewall was set up about 3 years ago by some
consultants.  The only outbound and apply commands (to prevent some
users from accessing the Internet):

outbound   1 deny 192.168.11.224 255.255.255.224 0 0
apply (inside) 1 outgoing_src

Yes, I am trying to go from inside to outside--connecting from behind
our PIX to a VPN outside the PIX.  Would adding these statements open up
the necessary protocols & ports without 'breaking' anything else (where
1.2.3.4 is the external IP of the VPN)? --

outbound 50 permit 1.2.3.4 255.255.255.255 500 udp
outbound 50 permit 1.2.3.4 255.255.255.255 10000 udp
outbound 50 permit 1.2.3.4 255.255.255.255 0 esp
apply (inside) 50 outgoing_dest

-----Original Message-----
From: Jeff Kell [mailto:[log in to unmask]] 
Sent: Thursday, November 14, 2002 11:29 AM
To: Eben Yong; HP3000-L List
Subject: Re: [HP3000-L] OT: PIX Firewall configuration

Eben Yong wrote:
> 
> Hi Folks,
> 
> I've also posted this message to comp.security.firewalls but was hoping
> that perhaps a potential CISCO guru might scan this and offer some help.
> Am trying to connect from behind the PIX to a VPN and am told that I
> need to do this:
> 
> > The things you need to open up through the firewall software is
> > Protocol 50 (ESP), UDP port 500 (ISAKMP), and UDP port 10000 (IPSec
> > thru NAT)
> 
> 1.  I am thinking that the configuration needs to be modified using the
> fixup and conduit commands.  Is this true?
> 
> 2.  If true, would these commands accomplish the task (where 1.2.3.4 is
> the IP address of the host VPN):
>     a.  fixup protocol udp 500
>     b.  fixup protocol udp 10000
>     c.  conduit permit udp host 1.2.3.4 any
>     d.  conduit permit esp host 1.2.3.4 any

No fixups for VPN (no secondary channels).
Conduits are deprecated, use ACLs.
If you're going from inside to outside, you shouldn't need ACLs; but if
you have one, it should allow the protocols and ports above.

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
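For readers following Jeff's "use ACLs" advice, here is an added example (not from either poster) of the same policy expressed as one PIX 6.x access list: it carries over the existing deny on 192.168.11.224/27, permits ESP, UDP 500 and UDP 10000 to the VPN gateway 1.2.3.4 from the thread, and ends with an explicit permit because an applied ACL otherwise denies everything it does not list. The ACL name inside_out is an assumption.

```cisco
! Added example, not part of the thread. Assumes PIX 6.x syntax and an
! interface named "inside"; the ACL name inside_out is made up here.
!
! 1. Keep the current block on the 192.168.11.224/27 users (was outbound 1).
access-list inside_out deny ip 192.168.11.224 255.255.255.224 any
!
! 2. IPsec to the VPN gateway: ISAKMP (UDP 500), NAT-T on UDP 10000, and ESP.
access-list inside_out permit udp any host 1.2.3.4 eq isakmp
access-list inside_out permit udp any host 1.2.3.4 eq 10000
access-list inside_out permit esp any host 1.2.3.4
!
! 3. An applied ACL ends in an implicit deny. Without this line every other
!    outbound flow that the old outbound/apply list allowed would stop.
access-list inside_out permit ip any any
!
! Bind the list to traffic entering the inside interface; once it is in
! place the old outbound 1 / apply (inside) 1 pair should be removed rather
! than left alongside it.
access-group inside_out in interface inside
```

After a tunnel attempt, `show access-list inside_out` reports a hit count per entry, which confirms whether the ESP and UDP entries are actually matching or whether the traffic is dying on the deny line.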
