We are trying to get PCI certified and we're running into a problem with the PIX 501s we still have deployed as VPN endpoints at remote offices. One requirement of the PCI DSS is that IKE Aggressive Mode must be disabled, but that is not possible on the PIX platform. I was thinking I could achieve the same result by putting access lists in place to allow only the main firewall where the tunnels terminate to talk to the PIX on udp/500 and IP protocol 50 (ESP). Here are the commands I tried to use to implement this:
access-list outin permit esp host 184.108.40.206 host 220.127.116.11
access-list outin permit udp host 18.104.22.168 eq isakmp host 22.214.171.124
access-list outin deny ip any any
access-group outin in interface outside
but they didn't seem to have the effect I was hoping they would. Am I just going down the wrong path completely? Is it even possible to achieve what I want to?
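Added example, not from the original post or from Cisco: a small Python parser for the fixed ISAKMP header of a captured UDP/500 datagram that flags Aggressive Mode exchanges (exchange type 4 per RFC 2408), so you can verify from a packet capture whether a peer is actually negotiating in Aggressive Mode. The sample headers are constructed inline; `make_header` is a helper of this example, not a real tool.

```python
import struct

# ISAKMP exchange types (RFC 2408 section 3.1; 32 = IKEv1 Quick Mode, RFC 2409)
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode",
}
ISAKMP_HEADER_LEN = 28  # fixed header: 2 cookies + 4 single-byte fields + 2 u32s

def parse_isakmp_header(payload: bytes) -> dict:
    """Parse the 28-byte ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < ISAKMP_HEADER_LEN:
        raise ValueError("payload shorter than ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "major_version": version >> 4,      # high nibble = major (1 for IKEv1)
        "minor_version": version & 0x0F,
        "next_payload": next_payload,
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, f"unknown({exch_type})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }

def is_aggressive_mode(payload: bytes) -> bool:
    """True when an IKEv1 datagram uses Aggressive Mode (exchange type 4)."""
    hdr = parse_isakmp_header(payload)
    return hdr["major_version"] == 1 and hdr["exchange_type"] == 4

def make_header(exchange_type: int) -> bytes:
    """Constructed sample: a first-message IKEv1 header (SA next payload, no body)."""
    return struct.pack("!8s8sBBBBII", b"\x11\x22\x33\x44\x55\x66\x77\x88",
                       b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER_LEN)

# constructed sample datagrams: one Main Mode, one Aggressive Mode
SAMPLES = {"main": make_header(2), "aggressive": make_header(4)}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hdr = parse_isakmp_header(pkt)
        print(f"{name}: {hdr['exchange_name']} aggressive={is_aggressive_mode(pkt)}")
```

Feed it the UDP payload of each port-500 packet from a capture taken on the outside interface; any hit on a PIX that is supposed to be locked down shows the ACL is not filtering to-the-box IKE traffic.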