[nsp] Blocking IKE access to a PIX 501.

Terry Baranski terry at eurocompton.net
Wed Feb 19 19:45:38 EST 2003


Hello.

We recently deployed a PIX 501 on our network that serves solely as a
VPN endpoint for a single customer. After it was deployed, I noticed
that port 500 was accessible globally -- I could use a tool called
IKE-Scan to get responses from port 500 on the firewall from any IP
address. 

I'm wondering if there's any way to restrict access to this port on the
firewall itself -- I'd rather not have it open to the world because it's
easy to find out what type of device it is by querying port 500. I've
never worked with a PIX before, but I've been told that simply creating
an external access list to block this traffic won't work because the
access list is overridden by the isakmp enable command.  Is there any
other way to prevent the firewall from responding to IKE queries from
unauthorized IPs other than blocking the traffic at some point in front
of the firewall?  I'm having a hard time believing that anyone (much
less Cisco) would release a VPN product that is incapable of restricting
IKE access to itself.  I understand that simply having access to the
port doesn't mean one can establish a VPN, but my concern is a) the PIX
being easily identifiable by querying port 500, and b) any possible
future vulnerabilities with PIX and IKE.

Any suggestions will be appreciated.

Thanks,
Terry
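To make concrete what an unauthenticated sender can learn from UDP 500 in the situation described above, here is an added example that is not part of the original post and not the ike-scan tool itself. It builds the same kind of probe ike-scan sends (an ISAKMP Main Mode packet carrying one SA proposal, RFC 2408/2409 framing), and it parses whatever comes back: the responder cookie, the payload chain, and any Vendor ID payloads, which is the material fingerprinting tools compare against a known-vendor table. The reply used by the parser here is a hand-constructed fixture (the `constructed_response` helper, with placeholder vendor-ID bytes), not a capture from a PIX; the `probe` function actually sends on the network and is only run when the script is invoked directly.

```python
"""Minimal ike-scan-style IKE probe and responder parser (added example)."""
import os
import socket
import struct

ISAKMP_VERSION = 0x10          # major 1, minor 0 (IKEv1)
EXCH_MAIN_MODE = 2             # Identity Protection exchange
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VENDOR_ID = 0, 1, 13
# IKE SA attribute types (RFC 2409 appendix A); all sent as "basic" TLVs
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12


def _basic_attr(attr_type, value):
    # basic attribute: high bit set on the type, 2-byte value
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_transform():
    """Transform #1: 3DES-CBC, SHA1, pre-shared key, DH group 2, 28800 s."""
    attrs = b"".join([
        _basic_attr(ATTR_ENC, 5), _basic_attr(ATTR_HASH, 2),
        _basic_attr(ATTR_AUTH, 1), _basic_attr(ATTR_GROUP, 2),
        _basic_attr(ATTR_LIFE_TYPE, 1), _basic_attr(ATTR_LIFE_DUR, 28800),
    ])
    body = struct.pack("!BBH", 1, 1, 0) + attrs      # transform #, KEY_IKE, reserved
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def build_proposal(transforms):
    # proposal #1, protocol ISAKMP (1), SPI size 0, N transforms
    body = struct.pack("!BBBB", 1, 1, 0, len(transforms)) + b"".join(transforms)
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def build_sa(proposal, next_payload=PAYLOAD_NONE):
    body = struct.pack("!II", 1, 1) + proposal        # DOI = IPsec, SIT_IDENTITY_ONLY
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_probe(icookie=None):
    """Full Main Mode message 1: ISAKMP header + SA payload, responder cookie zero."""
    icookie = icookie or os.urandom(8)
    sa = build_sa(build_proposal([build_transform()]))
    hdr = struct.pack("!8s8sBBBBII", icookie, b"\x00" * 8, PAYLOAD_SA,
                      ISAKMP_VERSION, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def parse_response(data):
    """Walk the payload chain of a reply; collect payload types and Vendor IDs.

    Any well-formed reply (an accepted SA, or a Notification such as
    NO-PROPOSAL-CHOSEN, payload type 11) already confirms a live IKE responder.
    """
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    _ic, rcookie, ptype, _ver, exch, _flags, _msgid, _length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    result = {"responder_cookie": rcookie.hex(), "exchange_type": exch,
              "payload_types": [], "vendor_ids": []}
    offset = 28
    while ptype != PAYLOAD_NONE and offset + 4 <= len(data):
        nxt, _res, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        result["payload_types"].append(ptype)
        if ptype == PAYLOAD_VENDOR_ID:
            result["vendor_ids"].append(data[offset + 4:offset + plen].hex())
        offset += plen
        ptype = nxt
    return result


def constructed_response(icookie):
    """Hand-built fixture: responder echoes the chosen SA and adds a Vendor ID.

    The vendor-ID bytes are a placeholder, not any real product's ID.
    """
    sa = build_sa(build_proposal([build_transform()]), next_payload=PAYLOAD_VENDOR_ID)
    vid_body = b"\xaa" * 16
    vid = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(vid_body)) + vid_body
    body = sa + vid
    hdr = struct.pack("!8s8sBBBBII", icookie, b"\xbb" * 8, PAYLOAD_SA,
                      ISAKMP_VERSION, EXCH_MAIN_MODE, 0, 0, 28 + len(body))
    return hdr + body


def probe(host, port=500, timeout=2.0):
    """Send one probe to host:port; return the parsed reply or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_response(constructed_response(b"A" * 8)))
```

Run it against a host you are authorized to test (`python3 ikeprobe.py 198.51.100.1`); without an argument it parses the constructed fixture. A non-empty `vendor_ids` list, or even just a responder cookie coming back, is exactly the signal the post worries about: the device answers before any authentication, so an ACL that never sees the packet cannot hide it.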


