Question : Problem: PIX 501 - VPN Configuration question
I opened a question a while back that was answered, but I'm questioning the security around it. I am trying to access my corporate network with my VPN client software from home. At home I have a PIX 501 that I sit behind. When I launch the Cisco VPN client software, I get the authentication prompt from my 3030 at work. I log in and everything appears to be connected. BUT I cannot access anything on the network at my work.
In the previous solution, someone mentioned I needed to set up ESP in order to allow VPN connectivity through my 501 PIX at home. This is the configuration I put on my home 501 PIX:

nameif ethernet0 outside security0
fixup protocol esp-ike
access-list whacky_rule permit esp any any
access-group whacky_rule in interface outside

After putting this rule in place, I can now successfully VPN to my 3030 at work. I don't understand why this was needed, since I am establishing an outbound connection from a higher security level interface to a lower one. Second question, and most important... This access list appears to open up all ESP traffic into my private network... Correct? Is this not a security problem?

Additional info that you may be interested in:
VPN client software version: 4.0.2(d)
PIX version: 6.3(3)
Diagram of my situation: VPN client software -> PIX 501 -> broadband Internet -> Cisco 3030 -> Private Network
Answer : Problem: PIX 501 - VPN Configuration question
An IPsec type of VPN uses UDP port 500 for authentication and key exchange, and then the actual data is encrypted and sent across as ESP packets (IP protocol number 50). The problem with ESP is that it uses a different session ID per direction, which makes it very difficult for firewalls to track each VPN session going through them. This is why products like Linksys only support a single VPN session passing through them: that way, all they need to do when they see an outgoing ESP packet is forward all incoming ESP packets to the same internal host.
With regard to the security of ESP packets, the only application which will be listening for them is the VPN client running on the computer. Any incoming packet needs to come from a host which already has a VPN session established (using UDP port 500 and a secure password exchange), contain the correct ID, and be encrypted using the correct key which was negotiated with the other end. Permitting ESP to any machine is therefore safe.
If you permit traffic coming into the outside interface of the PIX, then it can go to an internal machine only if there is a static NAT translation in place. In your case the 'fixup' command adds the temporary static translation when it sees the IKE (UDP port 500) VPN negotiation. Therefore the PIX will only forward the ESP packet on to an internal machine if that machine has established a VPN to that external server. If anyone else tries to send an ESP packet, it won't be passed on and the PIX will just ignore it.
Adding those lines will cause some problems when connecting to the PIX via VPN in some circumstances. I can't remember what they are offhand. Adding NAT-T to your PIX would not make any difference, apart from improving the chance that you will be able to connect to your PIX from elsewhere over VPN.
I would enable NAT-T on the 3030 and then you won't need to change your PIX config and it should work. You will also then be able to turn off the IPsec Passthru feature on the Linksys and be able to have more than 1 simultaneous VPN connection through it.
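The behaviour the answer describes (an outbound IKE exchange on UDP/500 creating a temporary translation, inbound ESP being forwarded only to the inside host that started that exchange, and ESP from anyone else being dropped) modelled in Python. This is an added illustration, not code from the thread or from Cisco; the firewall class, the host addresses and the ESP packets are constructed for the example, and the model is a simplification of what `fixup protocol esp-ike` does on a PIX. It also parses the ESP header to show that the SPI (the "session ID" the answer refers to) is different in each direction.

```python
"""Toy model of ESP/IKE pass-through on a stateful firewall (added example,
not from the original thread; addresses and packets are constructed)."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import Optional

IKE_PORT = 500   # ISAKMP/IKE negotiation runs over UDP/500
PROTO_UDP = 17
PROTO_ESP = 50   # ESP is its own IP protocol, not TCP or UDP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


def parse_esp_header(payload: bytes) -> tuple[int, int]:
    """Return (SPI, sequence number) from the 8-byte ESP header (RFC 4303).

    The SPI identifies the security association; each direction of an
    IPsec tunnel has its own SA and therefore its own SPI.
    """
    if len(payload) < 8:
        raise ValueError("ESP payload shorter than the 8-byte header")
    spi, seq = struct.unpack("!II", payload[:8])
    return spi, seq


def esp_packet(src: str, dst: str, spi: int, seq: int) -> Packet:
    """Build a constructed ESP packet with a dummy encrypted body."""
    return Packet(src, dst, PROTO_ESP,
                  payload=struct.pack("!II", spi, seq) + b"\x00" * 16)


@dataclass
class EspFixupFirewall:
    """Simplified model: inside -> outside is allowed; outside -> inside ESP
    is only forwarded to an inside host that already sent IKE to that peer."""
    inside_hosts: set[str]
    # outside peer address -> inside host that started IKE to it
    translations: dict[str, str] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside (higher to lower security level): permitted.
        An IKE packet to UDP/500 installs a temporary translation."""
        if pkt.src not in self.inside_hosts:
            return False
        if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
            self.translations[pkt.dst] = pkt.src
            self.log.append(f"IKE {pkt.src} -> {pkt.dst}: translation added")
        return True

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Outside -> inside. Returns the inside host the packet is forwarded
        to, or None when it is dropped."""
        target = self.translations.get(pkt.src)
        if pkt.proto == PROTO_ESP:
            if target is None:
                self.log.append(f"ESP from {pkt.src}: no translation, dropped")
                return None
            spi, seq = parse_esp_header(pkt.payload)
            self.log.append(f"ESP from {pkt.src} spi=0x{spi:08x} seq={seq} -> {target}")
            return target
        if pkt.proto == PROTO_UDP and pkt.sport == IKE_PORT and target:
            return target  # IKE reply for the negotiation already in progress
        self.log.append(f"proto {pkt.proto} from {pkt.src}: dropped")
        return None


def run_scenario() -> dict:
    """Client behind the firewall connects to a concentrator; a third party
    then tries to push ESP at the firewall. Addresses are RFC 5737 examples."""
    client, concentrator, stranger = "10.0.0.10", "198.51.100.1", "203.0.113.7"
    fw_outside = "192.0.2.1"
    fw = EspFixupFirewall(inside_hosts={client})

    fw.outbound(Packet(client, concentrator, PROTO_UDP, IKE_PORT, IKE_PORT))
    inbound = esp_packet(concentrator, fw_outside, 0x1234ABCD, 1)
    outbound = esp_packet(client, concentrator, 0x0BADC0DE, 1)
    return {
        "forwarded_to": fw.inbound(inbound),                   # the client
        "stranger": fw.inbound(esp_packet(stranger, fw_outside, 0xDEADBEEF, 1)),
        "inbound_spi": parse_esp_header(inbound.payload)[0],
        "outbound_spi": parse_esp_header(outbound.payload)[0],
        "log": fw.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The point the model makes is the one in the answer: the `permit esp any any` entry does not by itself deliver ESP to an inside host, because without a translation there is nowhere for the firewall to send it. The stranger's ESP packet is dropped even though the access list matches it. Note the model keys the translation on the peer address only, so it cannot distinguish two inside hosts talking to the same concentrator, which is the single-session limitation the answer attributes to consumer routers.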