L2L PIX 6.3 to Checkpoint NG Port restrictions

stuartngilson
Level 1

I can establish a VPN L2L between my PIX 515 and Checkpoint NG when I have the crypto maps set to IP. When I restrict the crypto maps to FTP, the connection fails. On debug, as part of phase 2, I cannot see any port set in the packet being received. The techy working on the NG does not know of a way of setting which ports are specified as part of the phase 2 setup. Does anybody know how to specify this?

6 Replies

kaachary
Cisco Employee

PIX doesn't support port-based crypto access-lists. It has to be IP-based on both devices.

-Kanishka

Sorry, I do not think I explained this correctly. It is the ACLs applied to the IPsec tunnel that I have configured to only allow FTP. But the packet I receive from the Checkpoint does not have any port specified as part of the ACL.

ACLs applied to the IPsec tunnel... What does that mean? Are we talking about the ACLs in the crypto map?

If yes, this is what you call a crypto ACL. PIX doesn't support port-based crypto ACLs; you cannot restrict it to ports.

If we are talking about an interface-based ACL, then it has nothing to do with phase 2 not coming up, if you have "sysopt connection permit-ipsec" applied.

-Kanishka

Hi Jon,

You can define port-based ACLs in a crypto map, but it rarely works, and it's not recommended.

The other way to restrict the traffic is, as you mentioned, by disabling "sysopt connection permit-ipsec" and restricting on the outside ACL.

If it's a PIX with 7.x code, you can have "group-filter" configured doing the same job; this way you do not have to disable sysopt.

Port-based ACLs in a crypto map, I've never seen it working.

-Kanishka

Jon Marshall
Hall of Fame

Hi

I thought that PIX did support port restrictions, and I'm sure I've used it in production before, i.e. your crypto access-list could say

access-list vpntraffic permit tcp 192.168.10.0 255.255.255.0 host 172.16.5.1 eq http

however the TAC guy seems to be saying it doesn't.

I don't know how to do it on a Checkpoint, but you can use "permit ip" in your crypto ACL and then have an ACL applied to the outside interface that is more specific, e.g.

access-list vpntraffic permit ip 192.168.10.0 255.255.255.0 host 172.16.5.1

access-list outside_in permit tcp 192.168.10.0 255.255.255.0 host 172.16.5.1 eq http

If a host on the 192.168.10.x subnet were to send a cleartext packet to host 172.16.5.1, then the PIX would deny it because it knows that these packets have to be encrypted due to your crypto map entry.

For this to work you would need to make sure you have disabled the "sysopt connection permit-ipsec" command; otherwise the ACL applied on the outside interface is bypassed.

HTH

Jon

I have this currently working on one of our existing connections; this one is restricted to FTP. I know the basic rule is that the ACL has to match exactly at both ends for the IPsec tunnel to complete its setup. Hence when I opened up the ACL to full IP, this connection worked. Below is a copy of the working connection:

access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX host 81.XXX.XXX.XX eq ftp
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX eq ftp host 81.XXX.XXX.XX
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX host 81.XXX.XXX.XX eq ftp-data
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX eq ftp-data host 81.XXX.XXX.XX

crypto map VOCADP interface outside
crypto map VOCADP 20 ipsec-isakmp
crypto map VOCADP 20 match address outside-cryptomap20
crypto map VOCADP 20 set peer 81.XXX.XXX.XX
crypto map VOCADP 20 set transform-set VOCA
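To make the matching rule in this thread concrete, the script below is an added example; it is not code from any poster or from Cisco. It parses PIX 6.x access-list lines of the shapes quoted above into phase 2 proxy IDs, builds the mirrored entries the Checkpoint side would have to propose, and shows why a port-less "ip" proposal against the FTP-only crypto ACL does not match while Jon's "permit ip" crypto ACL does. The addresses are constructed (RFC 5737 documentation ranges stand in for the masked ones), the service-name table covers only the names used in the thread, and the exact-mirror rule it models is the one stated in the thread, not a full implementation of PIX selector negotiation.

```python
"""Phase 2 proxy-ID check for PIX 6.x crypto ACLs (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the thread, as the PIX resolves them.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "http": 80}
ANY = "0.0.0.0/0.0.0.0"


@dataclass(frozen=True)
class ProxyId:
    """One phase 2 traffic selector: protocol, source, destination and optional ports."""
    proto: str
    src: str                # "address/mask"
    sport: Optional[int]    # None means any port
    dst: str
    dport: Optional[int]

    def mirror(self) -> "ProxyId":
        """The selector the remote peer must propose for this entry (src/dst swapped)."""
        return ProxyId(self.proto, self.dst, self.dport, self.src, self.sport)

    def as_acl(self, name: str) -> str:
        """Render back to PIX access-list syntax, e.g. to hand to the peer's admin."""
        def addr(a: str) -> str:
            ip, mask = a.split("/")
            if a == ANY:
                return "any"
            return f"host {ip}" if mask == "255.255.255.255" else f"{ip} {mask}"

        def port(p: Optional[int]) -> str:
            names = {v: k for k, v in SERVICE_PORTS.items()}
            return "" if p is None else f" eq {names.get(p, p)}"

        return (f"access-list {name} permit {self.proto} "
                f"{addr(self.src)}{port(self.sport)} {addr(self.dst)}{port(self.dport)}")


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' | 'host A' | 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/255.255.255.255", i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def _take_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq NAME|NUMBER' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), i + 2
    return None, i


def parse_acl_line(line: str) -> ProxyId:
    """Turn 'access-list NAME permit PROTO SRC [eq P] DST [eq P]' into a ProxyId."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"unsupported ACL line: {line!r}")
    proto = tok[3]
    src, i = _take_addr(tok, 4)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    if proto == "ip" and (sport is not None or dport is not None):
        raise ValueError(f"'permit ip' cannot carry ports: {line!r}")
    return ProxyId(proto, src, sport, dst, dport)


def expected_peer_acl(local_lines: List[str], name: str = "from-peer") -> List[str]:
    """What the remote end must propose: the mirror of every local crypto ACL entry."""
    return [parse_acl_line(l).mirror().as_acl(name) for l in local_lines]


def check_proposal(local_lines: List[str], peer: ProxyId) -> Tuple[bool, str]:
    """Exact-mirror rule from the thread: the peer's selector must equal the mirror of
    one local entry. A port-less 'ip' selector does not satisfy port-restricted entries."""
    local = [parse_acl_line(l) for l in local_lines]
    for entry in local:
        if entry.mirror() == peer:
            return True, f"matches mirror of: {entry.as_acl('local')}"
    if peer.proto == "ip" and any(e.proto != "ip" for e in local):
        return False, "peer proposed 'ip' with no ports; local entries are port-restricted"
    return False, "no local crypto ACL entry mirrors the peer's proposal"


# Constructed sample config: the thread's FTP-only crypto ACL with documentation addresses.
LOCAL_FTP_ACL = [
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 host 198.51.100.20 eq ftp",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 eq ftp host 198.51.100.20",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 host 198.51.100.20 eq ftp-data",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 eq ftp-data host 198.51.100.20",
]
# Jon's alternative: 'permit ip' in the crypto ACL, ports enforced on the outside ACL.
LOCAL_IP_ACL = ["access-list vpntraffic permit ip 192.168.10.0 255.255.255.0 host 172.16.5.1"]
# What a peer that cannot set ports (the Checkpoint in the thread) would propose.
PORTLESS_FROM_CHECKPOINT = ProxyId("ip", "198.51.100.20/255.255.255.255", None,
                                   "192.0.2.10/255.255.255.255", None)
PORTLESS_FOR_JON = ProxyId("ip", "172.16.5.1/255.255.255.255", None,
                           "192.168.10.0/255.255.255.0", None)

if __name__ == "__main__":
    print("Peer must propose:\n  " + "\n  ".join(expected_peer_acl(LOCAL_FTP_ACL)))
    print("FTP-only ACL vs port-less peer:", check_proposal(LOCAL_FTP_ACL, PORTLESS_FROM_CHECKPOINT))
    print("permit-ip ACL vs port-less peer:", check_proposal(LOCAL_IP_ACL, PORTLESS_FOR_JON))
```

Running it prints the four mirrored entries the Checkpoint would need, reports the FTP-only ACL as a mismatch against the port-less proposal, and the "permit ip" ACL as a match; the port restriction then lives on the outside interface ACL, which only takes effect with "sysopt connection permit-ipsec" disabled, as Jon's post says.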
