Solved

Terminating VPN tunnel on inside interface

Posted on 2006-06-19
Last Modified: 2013-11-16
Hello all.  Have a question regarding termination of VPN on the inside interface with a public address.  Currently running PIX 515 7.0(2) terminating to a 2621 router.  Is it necessary to deny the inside address within my ipsec rules?  Example:

Inside interface 192.168.1.1 (public address)
Trusted network  192.168.2.0  (Public address on outside interface)

access-list deny host 192.168.1.1 192.168.2.0 255.255.255.0
access-list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Thanks
Question by:ebigs27

Expert Comment

by:lrmoore
ID: 16938667
Suggest this question be moved to Firewalls section:
http://www.experts-exchange.com/Security/Firewalls/

Easy question - 250 points


Accepted Solution

by:
lrmoore earned 250 total points
ID: 16941723
>Is it necessary to deny the inside address within my ipsec rules?
No. I'm not sure what you are trying to accomplish.
When you terminate the VPN on the PIX you cannot go back out to the untrusted network anyway unless you specifically allow hairpinning on the new 7.x version.

Can you be more specific in what you want to do?

Author Comment

by:ebigs27
ID: 16941980
We have to start converting all our private IPs to public.  Talked to a Cisco rep and he insists we have to deny the inside address for the tunnel to work.  Currently I have the tunnels denying the inside address, then allowing the rest of the network through the tunnel.  It is working fine.  But for monitoring devices, can't ping the inside address because it is being denied through the tunnel.  

I am not trying to do anything special, just want to be able to ping the inside of the device, and was wondering if by removing the deny and using the permit only rule, would this still work?

We are not allowed to use the outside address for termination, and some of the sites will be using split tunneling.  


Expert Comment

by:lrmoore
ID: 16942127
>just want to be able to ping the inside of the device
Try using management interface:

 management Access interface inside

I don't know that you'll ever be able to ping the inside interface, but you can telnet/snmp/PDM to the inside interface through a VPN tunnel only.

Expert Comment

by:lrmoore
ID: 16942134
Sorry... correct command is:
    management-access inside


Author Comment

by:ebigs27
ID: 16942778
Just set my remote device to allow telnet on the outside interface.  Went in and removed the deny statements from both ends of the tunnel.  The tunnel stayed up and I am able to ping the inside address now.  

Thanks for your help
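
The first-match behaviour behind this thread, as an added example that is not part of the original posts: in a crypto ACL, permit selects traffic for IPsec and deny excludes it, so a host deny placed ahead of the network permit keeps the inside address out of the tunnel. The rule lists reuse the question's addresses; the monitoring host 192.168.2.50 and all function names are constructed for illustration, and the model covers traffic selection only, not whether the PIX answers the ping.

```python
import ipaddress

# Constructed rule sets built from the addresses in the question.
# Each entry is (action, source network, destination network), read top-down.
WITH_DENY = [
    ("deny",   "192.168.1.1/32", "192.168.2.0/24"),
    ("permit", "192.168.1.0/24", "192.168.2.0/24"),
]
PERMIT_ONLY = [
    ("permit", "192.168.1.0/24", "192.168.2.0/24"),
]


def crypto_acl_decision(rules, src, dst):
    """Return 'protect' (selected for IPsec) or 'bypass' (not selected)
    for one packet, using first-match-wins evaluation."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return "protect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of every ACL


def mirror(rules):
    """Build the peer's ACL by swapping source and destination."""
    return [(action, dst, src) for action, src, dst in rules]


def ping_through_tunnel(rules, near, far):
    """An echo request from 'far' and the reply from 'near' must both be
    selected for IPsec; 'rules' is the ACL on the device that owns 'near'."""
    request = crypto_acl_decision(mirror(rules), far, near)  # evaluated on the remote peer
    reply = crypto_acl_decision(rules, near, far)            # evaluated on the local device
    return request == "protect" and reply == "protect"


if __name__ == "__main__":
    monitor = "192.168.2.50"  # constructed monitoring host on the trusted network
    for name, rules in (("deny + permit", WITH_DENY), ("permit only", PERMIT_ONLY)):
        for host in ("192.168.1.1", "192.168.1.20"):
            print(name, host, ping_through_tunnel(rules, host, monitor))
```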
