Re: Cisco VPN Client config on 515
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Wed, 19 Apr 2006 01:23:44 GMT
In article <1145396405.016488.231300@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
AJ <aragorn.m@xxxxxxxxx> wrote:
> So it works but I am wondering just how secure it is...
> Essentially I will end up with an ACL on my outside interface allowing
> 10.18.0.0/24 into my internal network (I know I can control ports and
> destination IPs etc) but this is my protected network. Is this a good
> idea? Granted the IP on my outside interface has a public IP but isn't
> it possible to get packets to arrive at the outside interface which
> appear to originate from 10.18.0.0/24 without that traffic going over
> my VPN tunnel?
Yes, if the sending network does not follow RFC1918 rules and permits
10.18.0/24 to pass out of their network, then it is possible that
nothing in between will filter the packets, and that they would arrive
at your PIX interface if they are addressed to any of your public IPs.
If you are using private IPs internally, part of the solution to that is to
permit the private IPs of the VPN to go only to the private IPs of the
LAN: then the packets would not be able to get to your PIX unless
the next-hop for some reason routes that IP range to your PIX.
Even if you do not do that, the PIX should notice that the source IP
was not received over the VPN as expected and should drop the packet.
The message is roughly "Received packet is not an IPSec packet".
The PIX actively checks for IPs that should be tunneled but which are
arriving directly.
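As an added illustration of the two controls described in the reply (this is example code, not anything from the thread or from Cisco): a small model of how a packet claiming a VPN-pool source is handled by the anti-spoofing check, and by a "permit to any" ACL versus one restricted to the inside LAN. Only the 10.18.0.0/24 pool comes from the thread; the inside LAN and the outside interface address are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example; only VPN_POOL is from the thread.
VPN_POOL = ip_network("10.18.0.0/24")      # pool handed out to VPN clients
INSIDE_LAN = ip_network("192.168.1.0/24")  # assumed private LAN behind the PIX
PIX_OUTSIDE = ip_address("203.0.113.10")   # assumed public outside-interface IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_ipsec: bool  # True if the PIX decapsulated this packet from the tunnel


def decide(pkt: Packet, acl_dst_any: bool) -> tuple:
    """Model the outside-interface handling described in the reply.

    acl_dst_any=True models 'permit ip 10.18.0.0/24 any'; False models the
    narrower rule that only allows the pool to reach the inside LAN.
    Returns (verdict, reason).
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in VPN_POOL and not pkt.via_ipsec:
        # Anti-spoofing: a pool address must arrive inside the IPsec tunnel,
        # whatever the ACL says.
        return "drop", "received packet is not an IPsec packet"
    if src not in VPN_POOL:
        return "drop", "no ACL entry permits this source"
    if not acl_dst_any and dst not in INSIDE_LAN:
        # The narrower ACL never lets pool traffic target the public address.
        return "drop", "destination outside the permitted inside LAN"
    return "permit", "matches inbound ACL"


def permitted(packets, acl_dst_any):
    """Return the packets that would be forwarded under the given ACL."""
    return [p for p in packets if decide(p, acl_dst_any)[0] == "permit"]


# Constructed sample traffic: a real tunnel packet, a spoofed clear-text
# packet, and a tunnel packet aimed at the PIX's own public address.
SAMPLE = [
    Packet("10.18.0.5", "192.168.1.20", True),
    Packet("10.18.0.5", "192.168.1.20", False),
    Packet("10.18.0.5", str(PIX_OUTSIDE), True),
    Packet("198.51.100.7", "192.168.1.20", False),
]
```

Running `permitted(SAMPLE, acl_dst_any=True)` versus `acl_dst_any=False` shows that the spoofed clear-text packet is dropped either way, while only the narrower ACL stops pool traffic from reaching the outside address.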