Cisco PIX 501 IKE Aggressive mode problem
We are trying to get PCI Certified and we're running into a problem with the PIX 501s we still have deployed as VPN endpoints at remote offices. One requirement of the PCIDSS is that IKE Aggressive mode must be disabled, but that is not possible on the PIX platform. I was thinking I could achieve the same result by putting access lists in place to only allow only the main firewall where the tunnels terminate to talk to the PIX on udp/500 and IP Protocol 50(esp). Here are the commands I tried to use to implement this:
access-list outin permit esp host 1.1.1.1 host 2.2.2.2
access-list outin permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
access-list outin deny ip any any
access-group outin in interface outside
but they didn't seem to have the effect I was hoping they would. Am I just going down the wrong path completely? Is it even possible to achieve what I want to?
access-list outin permit esp host 1.1.1.1 host 2.2.2.2
access-list outin permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
access-list outin deny ip any any
access-group outin in interface outside
but they didn't seem to have the effect I was hoping they would. Am I just going down the wrong path completely? Is it even possible to achieve what I want to?
ASKER
the PIX 501 is not able to be upgraded to version 7 because it doesn't meet the memory requirements.
you should be able to apply an access list that will block isakmp traffic and ipsec traffic to the outside interface. Check out this document:
http://www.ernw.de/download/pskattack.pdf
http://www.ernw.de/download/pskattack.pdf
ASKER
I've looked at that document in the past, and in the environment they describe the vpn is terminating at a router or some other device behind the PIX. My VPN tunnel is terminating at the PIX. The question then becomes are access-lists applied before or after the point at which the IKE handshaking takes place?
the access list will be applied to all traffic that comes into the interface.
traffic 'inside' the tunnel, or encrypted traffic will not be 'processed' by the access list.
traffic that is trying to establish a VPN tunnel will be processed by the access list.
traffic 'inside' the tunnel, or encrypted traffic will not be 'processed' by the access list.
traffic that is trying to establish a VPN tunnel will be processed by the access list.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
well, thank you for that bit of information. You may have already considered this, but the memory upgrade for the PIX is only about $100 and is pretty simple to do. I have done this to several of my old firewalls.
ASKER
PIX 501 can't be upgraded as far as I am aware. If you know something I don't please let me know. I was under the impression that only PIX 515 and higher were upgradeable to the version 7 firmware.
https://www.experts-exchange.com/questions/23301217/How-do-I-disable-aggressive-mode.html
i believe that once the PIX is upgraded to v7, you can disable the aggressive mode.