Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583
  • Last Modified:

Terminating VPN tunnel on inside interface

Hello all.  Have a question regarding termination of vpn on the inside interface with a public address.  Currently running PIX 515 7.0(2) terminating to a 2621 router.  Is it necessary to deny the inside address within my ipsec rules?  Example

Inside interface 192.168.1.1 (public address)
Trusted network  192.168.2.0  (Public address on outside interface)

access-list deny host 192.168.1.1 192.168.2.0 255.255.255.0
access-list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Thanks
0
ebigs27
Asked:
ebigs27
  • 4
  • 2
1 Solution
 
lrmooreCommented:
Suggest this question be moved to Firewalls section:
http://www.experts-exchange.com/Security/Firewalls/

Easy question - 250 points

0
 
lrmooreCommented:
>Is it necessary to deny the inside address within my ipsec rules?
No. I'm not sure what you are trying to accomplish.
When you terminate the VPN on the PIX you cannot go back out to the untrusted network anyway unless you specifically allow hairpinning on the new 7.x version.

Can you be more specific in what you want to do?
0
 
ebigs27Author Commented:
We have to start converting all our private ip's to public.  Talked to a cisco rep and he insists we have to deny the inside address for the tunnel to work.  Currently I have the tunnels denying the inside address, then allowing the rest of the network through the tunnel.  It is working fine.  But for monitoring devices, can't ping the inside address because it is being denied through the tunnel.  

I am not trying to do anything special, just want to be able to ping the inside of the device, and was wondering if by removing the deny and using the permit only rule, would this still work?

We are not allowed to use the outside address for termination, and some of the sites will be using split tunneling.  

0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
lrmooreCommented:
>just want to be able to ping the inside of the device
Try using management interface:

 management Access interface inside

I don't know that you'll ever be able to ping the inside interface, but you can telnet/snmp/PDM to the inside interface through a VPN tunnel only..
0
 
lrmooreCommented:
Sorry... correct command is:
    management-access inside

0
 
ebigs27Author Commented:
Just set my remote device to allow telnet on the outside interface.  Went in and removed the deny statement's from both ends of the tunnel.  The tunnel stayed up and I am able to ping the inside address now.  

Thanks for your help
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now