How does this config work?

Tina Bird tbird at precision-guesswork.com
Sun Jul 8 11:33:37 EDT 2001


Hi Dale --

The UDP/ISAKMP conduit on the PIX is allowing the
digital certificate authentication and dynamic
key management between the PC and the remote peer.
It introduces a risk, in that you now have to allow
UDP traffic through your PIX -- but it gives you the
benefit of stronger authentication between the PC
and the peer, as well as dynamic key generation.
As usual the question to consider is which risk 
concerns you more -- the risk of an attacker 
compromising your shared secret and keys if you
close the UDP conduit and revert to shared secrets
and manual keying (ick, IMNSHO), or the risks
associated with allowing UDP through your firewall.

Have you taken a look at the PIX documentation in the
how-to section of the VPN web page?  It might help to
compare what you've got to another configuration.

cheers -- tbird

On Sun, 8 Jul 2001, Shaw, Dale wrote:

> Date: Sun, 8 Jul 2001 20:06:35 +1000 
> From: "Shaw, Dale" <Dale.Shaw at praxa.com.au>
> To: vpn at securityfocus.com
> Subject: How does this config work?
> 
> Hi all,
> 
> I guess questions are usually along the lines of 'how do I get this to
> work?'.. well, this one's different. I've inherited it, it's working,
> and I don't really know how :-)
> 
> The scenario is this.. PIX firewall running (old) V4.4(1), PC on 'inside'
> network with the old 'Cisco Secure VPN Client' (V1.0 or V1.1 - not sure
> yet) accessing a host on the Internet over an IPSec VPN. I don't know
> what the peer is, but I presume it's a Cisco somethingorother.
> 
> The PC has an RFC1918 address and the PIX *IS* doing NAT. The PIX has a
> 'static' IP assignment mapping the internal host's IP to a global address
> and although DHCP is in use on the inside network, this particular PC
> has a reservation so it's effectively static.
> 
> Now, I thought that transport-mode ESP and NAT didn't play well or at
> all.. am I missing something? The PC uses a digital certificate for
> authentication if that makes any difference. I'm investigating this
> because I want to tighten up the conduits on the PIX - am I right in
> saying that the only conduits I need for this are for ESP from the peer
> to the global address of our PC?
> 
> Right now there are a bunch of udp/isakmp and esp conduits.
> 
> Cheers,
> Dale
> 
> VPN is sponsored by SecurityFocus.com
> 

VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com
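Dale asks which conduits the tunnel actually needs, and Tina's reply frames the trade-off as ISAKMP (UDP) plus ESP. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX-style conduit list and sorts each line into the host-to-host ISAKMP (UDP/500) and ESP (IP protocol 50) pair the tunnel needs, wider ISAKMP/ESP permits that could be tightened to that pair, and rules unrelated to the VPN. The conduit syntax it recognises and the addresses it uses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed topology (RFC 5737 documentation addresses, not from the thread):
# the static-NAT global address of the inside PC and the remote IPsec peer.
PC_GLOBAL = "203.0.113.10"
PEER = "198.51.100.5"

# Constructed conduit lines, modelled on the classic PIX syntax (assumed here):
#   conduit permit|deny <proto> <global> [eq <port>] <foreign> [eq <port>]
SAMPLE_CONDUITS = """
conduit permit udp any eq isakmp any
conduit permit esp any any
conduit permit udp host 203.0.113.10 eq isakmp host 198.51.100.5
conduit permit esp host 203.0.113.10 host 198.51.100.5
conduit permit tcp host 203.0.113.10 eq 23 any
"""

ADDR = r"(any|host \S+|\S+ \S+)"       # any | host A.B.C.D | network mask
PORT = r"(?: eq (\S+))?"               # optional 'eq <port-or-name>'
CONDUIT_RE = re.compile(rf"^conduit (permit|deny) (\S+) {ADDR}{PORT} {ADDR}{PORT}$")


@dataclass
class Conduit:
    action: str
    proto: str
    global_addr: str            # the inside host's translated (global) side
    global_port: Optional[str]
    foreign_addr: str           # the Internet peer side
    foreign_port: Optional[str]
    raw: str


def parse_conduit(line: str) -> Optional[Conduit]:
    """Return a Conduit for one line, or None if it is not a conduit statement."""
    m = CONDUIT_RE.match(line.strip())
    if not m:
        return None
    action, proto, g_addr, g_port, f_addr, f_port = m.groups()
    return Conduit(action, proto.lower(), g_addr, g_port, f_addr, f_port, line.strip())


def classify(c: Conduit, pc_global: str, peer: str) -> str:
    """required: the host-to-host ISAKMP (UDP/500) or ESP (IP proto 50) permit the tunnel needs;
    overbroad: an ISAKMP/ESP permit wider than that host pair; unrelated: anything else."""
    is_ike = c.proto == "udp" and c.global_port in ("isakmp", "500")
    is_esp = c.proto in ("esp", "50")
    if c.action != "permit" or not (is_ike or is_esp):
        return "unrelated"
    exact_pair = c.global_addr == f"host {pc_global}" and c.foreign_addr == f"host {peer}"
    return "required" if exact_pair else "overbroad"


def audit(config: str, pc_global: str, peer: str) -> dict:
    """Group every conduit line in `config` by its classification."""
    report = {"required": [], "overbroad": [], "unrelated": []}
    for line in config.splitlines():
        c = parse_conduit(line)
        if c is not None:
            report[classify(c, pc_global, peer)].append(c.raw)
    return report


if __name__ == "__main__":
    for bucket, lines in audit(SAMPLE_CONDUITS, PC_GLOBAL, PEER).items():
        print(f"{bucket}:")
        for raw in lines:
            print("  ", raw)
```

Run against the constructed sample, the two `any ... any` lines land in the "overbroad" bucket: they are the ISAKMP and ESP exposure Tina describes, but opened to every Internet host rather than just the peer, and the two host-to-host lines below them already carry the tunnel on their own. The telnet conduit is reported as unrelated so that it is not mistaken for part of the VPN.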

