Re: [VPN] Complete VPN access to all PIX interfaces

  • To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: Re: [VPN] Complete VPN access to all PIX interfaces
  • From: Scott Nursten <[EMAIL PROTECTED]>
  • Date: Fri, 25 Apr 2003 10:25:36 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
Jorge, 

This is easily solved. One solution is, on your other interfaces, do the
following: 

access-list dmz3 deny ip z.z.z.z 255.255.255.0 y.y.y.y 255.255.255.0
access-list dmz3 permit ip any any
access-group dmz3 in interface dmz3

Another solution would be to match interesting traffic on your dynamic-map:

access-list DYNCRYPTO permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
crypto dynamic-map dynmap 30 match address DYNCRYPTO

It is a good idea to have a separate ACL for this as you may want to have
disparate nat 0 and crypto ACLs.

Option one blocks traffic going to y.y.y.y _before_ it enters this PIX, i.e.
as it hits the interface. Option two blocks traffic _before_ it enters the
tunnel, i.e. _after_ it's "entered" the firewall ASA.

Hope this helps. 

-- 
Scott Nursten 
-------------------
S2S Consultants
http://s2s.ltd.uk
[EMAIL PROTECTED]
Tel: 0870 350 4525
Fax: 0870 350 4526
-------------------

_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn
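An added illustration (not from the post above or from Cisco) of how the two ACLs behave: a minimal first-match evaluator for PIX-style `access-list ... ip` entries, run over both of Scott's ACLs with constructed addresses standing in for the placeholders. It assumes the reading that y.y.y.y is the VPN client pool, x.x.x.x the one inside network the clients may reach, and z.z.z.z the dmz3 network; only `ip` entries with `any`, `host` or address/netmask forms are modelled.

```python
import ipaddress

# Constructed sample config; the addresses are stand-ins for the post's placeholders:
#   x.x.x.x -> 192.168.1.0/24 (inside network VPN users may reach)
#   y.y.y.y -> 10.10.10.0/24  (VPN client pool)
#   z.z.z.z -> 172.16.3.0/24  (network behind interface dmz3)
CONFIG = """
access-list dmz3 deny ip 172.16.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz3 permit ip any any
access-list DYNCRYPTO permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use ordinary netmasks (255.255.255.0), not IOS wildcard masks
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Return the ordered (action, src_net, dst_net) entries of access-list `name`."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an ACL that matches nothing ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

if __name__ == "__main__":
    dmz3, crypto = parse_acl(CONFIG, "dmz3"), parse_acl(CONFIG, "DYNCRYPTO")
    # Option one: dmz3 host towards a VPN client is dropped at the interface...
    print("dmz3 -> vpn client:", evaluate(dmz3, "172.16.3.5", "10.10.10.7"))
    # ...while its other traffic is unaffected.
    print("dmz3 -> internet:  ", evaluate(dmz3, "172.16.3.5", "8.8.8.8"))
    # Option two: only inside -> VPN pool is 'interesting' and enters the tunnel.
    print("inside -> vpn client (crypto):", evaluate(crypto, "192.168.1.20", "10.10.10.7"))
    print("dmz3 -> vpn client (crypto):  ", evaluate(crypto, "172.16.3.5", "10.10.10.7"))
```

A traffic pair that the crypto ACL does not match is simply not encrypted, which is why the post describes option two as blocking "before it enters the tunnel".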