Solved

Cisco PIX 501 IKE Aggressive mode problem

Posted on 2008-10-08
Last Modified: 2008-10-21
We are trying to get PCI certified and we're running into a problem with the PIX 501s we still have deployed as VPN endpoints at remote offices.  One requirement of the PCI DSS is that IKE Aggressive mode must be disabled, but that is not possible on the PIX platform.  I was thinking I could achieve the same result by putting access lists in place to only allow the main firewall where the tunnels terminate to talk to the PIX on udp/500 and IP protocol 50 (ESP).  Here are the commands I tried to use to implement this:

access-list outin permit esp host 1.1.1.1 host 2.2.2.2
access-list outin permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
access-list outin deny ip any any
access-group outin in interface outside

but they didn't seem to have the effect I was hoping they would.  Am I just going down the wrong path completely?  Is it even possible to achieve what I want to?
Question by:ruffalocody
8 Comments
 
LVL 10

Expert Comment

by:ngravatt
ID: 22680905
Is it possible to upgrade your PIX to a later version?
http://www.experts-exchange.com/Networking/Security/IPSec/Q_23301217.html

I believe that once the PIX is upgraded to v7, you can disable the aggressive mode.
 

Author Comment

by:ruffalocody
ID: 22680933
The PIX 501 is not able to be upgraded to version 7 because it doesn't meet the memory requirements.
 
LVL 10

Expert Comment

by:ngravatt
ID: 22681138
You should be able to apply an access list that will block ISAKMP traffic and IPsec traffic to the outside interface.  Check out this document:

http://www.ernw.de/download/pskattack.pdf

 

Author Comment

by:ruffalocody
ID: 22681894
I've looked at that document in the past, and in the environment they describe the VPN is terminating at a router or some other device behind the PIX.  My VPN tunnel is terminating at the PIX.  The question then becomes: are access-lists applied before or after the point at which the IKE handshaking takes place?
 
LVL 10

Expert Comment

by:ngravatt
ID: 22731657
The access list will be applied to all traffic that comes into the interface.

Traffic 'inside' the tunnel, i.e. encrypted traffic, will not be 'processed' by the access list.

Traffic that is trying to establish a VPN tunnel will be processed by the access list.
 

Accepted Solution

by: ruffalocody (earned 0 total points)
ID: 22731961
I've conversed with a Cisco rep and it was determined that it is impossible to do what I need to do without another device in front of the PIX doing the filtering.  VPN negotiation takes place before traffic passes through any access-lists on the PIX 501 platform.
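To make the accepted solution concrete, here is a small added model (written for this page, not Cisco code and not the asker's configuration) that parses the four-line ACL from the question and evaluates constructed sample packets two ways: once as the thread says the PIX 501 behaves (IKE and ESP addressed to the PIX itself are handled by the VPN process before the interface ACL is consulted), and once as the same ACL would behave on a separate filtering device in front of the PIX, where it is ordinary transit filtering. The addresses 1.1.1.1 and 2.2.2.2 come from the question; the rogue source 203.0.113.9 and the `to_the_box` rule are assumptions of the model.

```python
"""Model of why an outside ACL on a PIX 501 cannot restrict IKE peers,
while the same ACL on an upstream device can.  Added example for this
thread; the ACL grammar covers only the 'host ... [eq port]' / 'any'
forms the question uses, and the to-the-box ordering rule is an
assumption that encodes the accepted answer, not Cisco's code.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTO_NUM = {"esp": 50, "udp": 17, "ip": None}   # None = any protocol
PORT_NAME = {"isakmp": 500}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: Optional[int]   # None = any
    src: Optional[str]     # None = any
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        for want, have in ((self.proto, pkt.proto), (self.src, pkt.src),
                           (self.sport, pkt.sport), (self.dst, pkt.dst),
                           (self.dport, pkt.dport)):
            if want is not None and want != have:
                return False
        return True


def _addr(tokens: List[str]):
    """Consume 'host A.B.C.D' or 'any', plus an optional 'eq PORT'."""
    kw = tokens.pop(0)
    if kw == "any":
        addr = None
    elif kw == "host":
        addr = tokens.pop(0)
    else:
        raise ValueError(f"unsupported address form: {kw}")
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAME.get(name) or int(name)
    return addr, port


def parse_acl(text: str, name: str) -> List[AclEntry]:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _addr(rest)
        dst, dport = _addr(rest)
        entries.append(AclEntry(action, PROTO_NUM[proto], src, sport, dst, dport))
    return entries


def acl_verdict(entries: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation with the implicit trailing deny."""
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"


def pix_outside_verdict(entries: List[AclEntry], pkt: Packet, pix_addr: str) -> str:
    """Assumed PIX 501 ordering per the accepted answer: IKE (udp/500) and ESP
    destined to the PIX itself are negotiated before the interface ACL runs."""
    to_the_box = pkt.dst == pix_addr and (
        pkt.proto == 50 or (pkt.proto == 17 and pkt.dport == 500))
    if to_the_box:
        return "permit (ACL not consulted)"
    return acl_verdict(entries, pkt)


def upstream_verdict(entries: List[AclEntry], pkt: Packet) -> str:
    """Same ACL on a device in front of the PIX: plain transit filtering."""
    return acl_verdict(entries, pkt)


# The ACL from the question, verbatim.
ACL_TEXT = """access-list outin permit esp host 1.1.1.1 host 2.2.2.2
access-list outin permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
access-list outin deny ip any any"""
ACL = parse_acl(ACL_TEXT, "outin")

PEER, PIX, ROGUE = "1.1.1.1", "2.2.2.2", "203.0.113.9"   # ROGUE is constructed
IKE_FROM_PEER = Packet(17, PEER, PIX, 500, 500)
IKE_FROM_ROGUE = Packet(17, ROGUE, PIX, 500, 500)
ESP_FROM_ROGUE = Packet(50, ROGUE, PIX)
DNS_FROM_ROGUE = Packet(17, ROGUE, PIX, 40000, 53)


def compare(pkt: Packet):
    """Return (verdict on the PIX outside interface, verdict on an upstream filter)."""
    return pix_outside_verdict(ACL, pkt, PIX), upstream_verdict(ACL, pkt)


if __name__ == "__main__":
    for label, pkt in [("IKE from peer", IKE_FROM_PEER), ("IKE from rogue", IKE_FROM_ROGUE),
                       ("ESP from rogue", ESP_FROM_ROGUE), ("udp/53 from rogue", DNS_FROM_ROGUE)]:
        print(f"{label:18} PIX: {compare(pkt)[0]:28} upstream: {compare(pkt)[1]}")
```

Running it shows the gap the thread ends on: a rogue IKE or ESP source is stopped by the ACL only on the upstream device, while on the PIX outside interface it reaches the IKE process untouched; ordinary transit traffic such as the udp/53 sample is denied in both places, which is why the ACL "seems" to work when tested with anything other than IKE.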
 
LVL 10

Expert Comment

by:ngravatt
ID: 22732072
Well, thank you for that bit of information.  You may have already considered this, but the memory upgrade for the PIX is only about $100 and is pretty simple to do.  I have done this to several of my old firewalls.
 

Author Comment

by:ruffalocody
ID: 22732115
The PIX 501 can't be upgraded as far as I am aware.  If you know something I don't, please let me know.  I was under the impression that only the PIX 515 and higher were upgradeable to the version 7 firmware.