Terminating VPN tunnel on inside interface

Posted on 2006-06-19
Last Modified: 2013-11-16
Hello all. I have a question regarding termination of a VPN on the inside interface with a public address. I am currently running a PIX 515 7.0(2) terminating to a 2621 router. Is it necessary to deny the inside address within my IPsec rules? Example:

Inside interface (public address)
Trusted network  (Public address on outside interface)

access-list deny host
access-list permit ip

Question by: ebigs27

Expert Comment

ID: 16938667
Suggest this question be moved to the Firewalls section:

Easy question - 250 points


Accepted Solution

lrmoore earned 250 total points
ID: 16941723
>Is it necessary to deny the inside address within my ipsec rules?
No. I'm not sure what you are trying to accomplish.
When you terminate the VPN on the PIX you cannot go back out to the untrusted network anyway unless you specifically allow hairpinning on the new 7.x version.

Can you be more specific in what you want to do?

Author Comment

ID: 16941980
We have to start converting all our private IPs to public. I talked to a Cisco rep and he insists we have to deny the inside address for the tunnel to work. Currently I have the tunnels denying the inside address, then allowing the rest of the network through the tunnel. It is working fine. But for monitoring devices, I can't ping the inside address because it is being denied through the tunnel.

I am not trying to do anything special, I just want to be able to ping the inside of the device, and was wondering whether, if I removed the deny and used only the permit rule, this would still work.

We are not allowed to use the outside address for termination, and some of the sites will be using split tunneling.  


Expert Comment

ID: 16942127
>just want to be able to ping the inside of the device
Try using the management interface:

 management Access interface inside

I don't know that you'll ever be able to ping the inside interface, but you can telnet/SNMP/PDM to the inside interface through a VPN tunnel only.

Expert Comment

ID: 16942134
Sorry... correct command is:
    management-access inside


Author Comment

ID: 16942778
Just set my remote device to allow telnet on the outside interface. Went in and removed the deny statements from both ends of the tunnel. The tunnel stayed up and I am able to ping the inside address now.

Thanks for your help
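The configuration that the accepted answer and the management-access follow-up describe, written out as an added example. This is not configuration from the original thread or a Cisco-supplied sample: all interface names, ACL and map names, the pre-shared key and every address are placeholders (addresses come from the RFC 5737 documentation ranges), and the command syntax is from the PIX/ASA 7.x and IOS command sets, so check each line against the running release with `?` before pasting it in. Both ends use a permit-only crypto ACL; the deny entry the question started with is shown commented out, with the reason it breaks the ping.

```cisco
! ===== PIX 515 7.0(x) side =====
! Placeholders: outside 203.0.113.1, inside 192.0.2.1 (public address, in 192.0.2.0/24)
! Remote 2621: WAN 203.0.113.2, branch LAN 198.51.100.0/24
!
! The crypto ACL only selects "interesting traffic", i.e. what gets encrypted.
! The inside interface address 192.0.2.1 sits inside 192.0.2.0/24, so pings
! from the branch to it are carried in the tunnel. No deny line is needed
! for the tunnel to come up.
access-list VPN_TO_BRANCH extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
!
! Variant from the question, for comparison (do NOT add it as well):
!   access-list VPN_TO_BRANCH extended deny ip host 192.0.2.1 198.51.100.0 255.255.255.0
! With that deny in front of the permit, branch packets for 192.0.2.1 do not
! match interesting traffic, leave the branch router in the clear and arrive
! at the PIX outside interface, where nothing permits them; the ping fails.
!
! Decrypted tunnel traffic bypasses the interface ACLs (7.x keyword is permit-vpn)
sysopt connection permit-vpn
!
! Phase 1 and phase 2 (7.0 syntax: bare "isakmp", peers defined by tunnel-group)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Let the inside interface itself answer ping/telnet/SNMP/PDM for traffic that
! entered through a tunnel terminating on the outside interface. Only one
! interface can be designated, so this is the management target for all peers.
management-access inside
! Scope management protocols to the branch LAN, not "any"
icmp permit 198.51.100.0 255.255.255.0 inside
telnet 198.51.100.0 255.255.255.0 inside
! Telnet to the lowest-security interface is only accepted inside an IPsec
! tunnel; for direct access to the outside interface use SSH instead
ssh 198.51.100.0 255.255.255.0 outside

! ===== 2621 router side (IOS), mirror image of the PIX crypto ACL =====
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Permit only; a "deny ip 198.51.100.0 0.0.0.255 host 192.0.2.1" here would
! re-create the symptom from the branch side
access-list 110 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 110
! Placeholder WAN interface carrying the tunnel
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map OUTSIDE_MAP
```

Two checks worth running after this is in place: `show crypto ipsec sa` on the PIX should show a single SA pair whose local/remote identities are the two full subnets (no separate host entry for 192.0.2.1), and a ping to 192.0.2.1 from a branch host should increment the encaps/decaps counters of that SA rather than the outside interface's drop counters. The security point is that `management-access inside` makes the inside interface reachable from every peer whose crypto ACL covers its address, so the `icmp`, `telnet` and `ssh` lines should stay scoped to the specific remote subnets rather than `any`.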
