03-20-2007 02:36 AM
I can establish a VPN L2L between my PIX 515 and Checkpoint NG when I have the crypto maps set to IP. When I restrict the crypto maps to FTP, the connection fails. On debug, as part of phase 2, I cannot see any port set in the packet being received. The techy working on the NG does not know of a way of setting which ports are specified as part of the phase 2 setup. Does anybody know how to specify this?
03-20-2007 07:17 AM
PIX doesn't support port-based crypto access lists. It has to be IP-based on both devices.
-Kanishka
03-21-2007 01:21 AM
Sorry, I do not think I explained this correctly. It is the ACLs applied to the IPsec tunnel that I have configured to only allow FTP. But the packet I receive from the Checkpoint does not have any port specified as part of the ACL.
03-21-2007 02:21 AM
ACLs applied to an IPsec tunnel... What does that mean? Are we talking about the ACLs in the crypto map?
If yes, this is what you call a crypto ACL. PIX doesn't support port-based crypto ACLs; you cannot restrict it to ports.
If we are talking about an interface-based ACL, then it has nothing to do with phase 2 not coming up, if you have "sysopt connection permit-ipsec" applied.
-Kanishka
03-21-2007 06:34 AM
Hi Jon,
You can define a port-based ACL in a crypto map, but it rarely works, and it's not recommended.
The other way to restrict the traffic is, as you mentioned, by disabling "sysopt connection permit-ipsec" and restricting on the outside ACL.
If it's a PIX with 7.x code, you can have a "group-filter" configured doing the same job; this way you do not have to disable sysopt.
Port-based ACL in a crypto map, I've never seen it working.
-Kanishka
03-21-2007 06:27 AM
Hi
I thought that PIX did support port restrictions and I'm sure I've used it in production before, i.e. your crypto access list could say
access-list vpntraffic permit tcp 192.168.10.0 255.255.255.0 host 172.16.5.1 eq http
however the TAC guy seems to be saying it doesn't.
I don't know how to do it on a Checkpoint but you can use "permit ip" in your crypto ACL and then have an ACL applied to the outside interface that is more specific, e.g.
access-list vpntraffic permit ip 192.168.10.0 255.255.255.0 host 172.16.5.1
access-list outside_in permit tcp 192.168.10.0 255.255.255.0 host 172.16.5.1 eq http
If a host on the 192.168.10.x subnet were to send a cleartext packet to host 172.16.5.1 then the PIX would deny it because it knows that these packets have to be encrypted due to your crypto map entry.
For this to work you would need to make sure you have disabled the "sysopt connection permit-ipsec" command, otherwise the ACL applied on the outside interface is bypassed.
HTH
Jon
03-21-2007 08:11 AM
I have this currently working on one of our existing connections; this one is restricted to FTP. I know the basic rule is that the ACL has to match exactly at both ends for the IPsec tunnel to complete its setup. Hence when I opened up the ACL to full IP this connection worked. Below is a copy of the working connection:
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX host 81.XXX.XXX.XX eq ftp
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX eq ftp host 81.XXX.XXX.XX
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX host 81.XXX.XXX.XX eq ftp-data
access-list outside-cryptomap20 permit tcp host 194.XX.XXX.XXX eq ftp-data host 81.XXX.XXX.XX
crypto map VOCADP interface outside
crypto map VOCADP 20 ipsec-isakmp
crypto map VOCADP 20 match address outside-cryptomap20
crypto map VOCADP 20 set peer 81.XXX.XXX.XX
crypto map VOCADP 20 set transform-set VOCA
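The two points the thread turns on are that the crypto ACL must mirror exactly at both ends of the tunnel and that port-based crypto ACEs are unreliable on the PIX, with Jon's "permit ip in the crypto ACL, restrict on the outside interface" as the workaround. The following Python script is an added example, not part of this thread or of any Cisco tool: it parses PIX-style access-list lines, flags port-based crypto entries, derives the mirror-image entry the peer must carry so the phase 2 proxy identities match, and converts a port-based entry into the ip-level crypto ACE plus interface ACE layout Jon describes. All addresses and ACL names (`192.0.2.10`, `198.51.100.20`, `peer`, `outside_in`) are constructed sample values.

```python
"""Crypto-ACL sanity checker (added example; addresses below are constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords the PIX accepts that appear in this thread (numeric values also work).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "www": 80}


@dataclass(frozen=True)
class Endpoint:
    net: str
    mask: str
    port: Optional[int] = None  # None means no port restriction on this side


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_endpoint(toks: List[str]) -> Endpoint:
    """Consume 'any' | 'host A.B.C.D' | 'NET MASK', then an optional 'eq PORT'."""
    head = toks.pop(0)
    if head == "any":
        net, mask = "0.0.0.0", "0.0.0.0"
    elif head == "host":
        net, mask = toks.pop(0), "255.255.255.255"
    else:
        net, mask = head, toks.pop(0)
    port = None
    if toks and toks[0] == "eq":
        toks.pop(0)
        port = _port(toks.pop(0))
    return Endpoint(net, mask, port)


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    acl, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
    src = _take_endpoint(rest)
    dst = _take_endpoint(rest)
    if rest:
        raise ValueError(f"unparsed tail {rest} in {line!r}")
    return Ace(acl, action, proto, src, dst)


def is_port_based(ace: Ace) -> bool:
    return ace.src.port is not None or ace.dst.port is not None


def mirror(ace: Ace, peer_acl: str) -> Ace:
    """Entry the remote peer needs: same protocol, source and destination swapped."""
    return Ace(peer_acl, ace.action, ace.proto, ace.dst, ace.src)


def render(ace: Ace) -> str:
    def ep(e: Endpoint) -> str:
        if e.net == "0.0.0.0" and e.mask == "0.0.0.0":
            s = "any"
        elif e.mask == "255.255.255.255":
            s = f"host {e.net}"
        else:
            s = f"{e.net} {e.mask}"
        return s if e.port is None else f"{s} eq {e.port}"
    return f"access-list {ace.acl} {ace.action} {ace.proto} {ep(ace.src)} {ep(ace.dst)}"


def relax_to_ip(ace: Ace, outside_acl: str = "outside_in") -> Tuple[Ace, Ace]:
    """Jon's layout: crypto ACE widened to 'permit ip' so proxy IDs negotiate,
    with the port restriction moved to an interface ACL (same host order as in
    his example; only takes effect with 'sysopt connection permit-ipsec' disabled)."""
    crypto = Ace(ace.acl, ace.action, "ip",
                 Endpoint(ace.src.net, ace.src.mask), Endpoint(ace.dst.net, ace.dst.mask))
    iface = Ace(outside_acl, ace.action, ace.proto, ace.src, ace.dst)
    return crypto, iface


def check_pair(local_lines: List[str], peer_lines: List[str], peer_acl: str = "peer"):
    """Return (warnings, entries missing on peer, entries on peer with no local mirror)."""
    local = [parse_ace(l) for l in local_lines]
    peer = [parse_ace(l) for l in peer_lines]
    warnings = [f"port-based crypto ACE (may not negotiate): {render(a)}"
                for a in local if is_port_based(a)]
    expected = {mirror(a, peer_acl) for a in local}
    actual = {Ace(peer_acl, p.action, p.proto, p.src, p.dst) for p in peer}  # ignore peer ACL name
    return (warnings,
            sorted(render(a) for a in expected - actual),
            sorted(render(a) for a in actual - expected))


# Constructed sample: local ACL follows the four-line FTP pattern from the thread.
LOCAL_ACL = [
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 host 198.51.100.20 eq ftp",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 eq ftp host 198.51.100.20",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 host 198.51.100.20 eq ftp-data",
    "access-list outside-cryptomap20 permit tcp host 192.0.2.10 eq ftp-data host 198.51.100.20",
]
# Peer side written in the same syntax: one ftp-data direction missing, one extra ip-level entry.
PEER_ACL = [
    "access-list peer permit tcp host 198.51.100.20 eq ftp host 192.0.2.10",
    "access-list peer permit tcp host 198.51.100.20 host 192.0.2.10 eq ftp",
    "access-list peer permit tcp host 198.51.100.20 eq ftp-data host 192.0.2.10",
    "access-list peer permit ip host 198.51.100.20 host 192.0.2.10",
]

if __name__ == "__main__":
    warns, missing, extra = check_pair(LOCAL_ACL, PEER_ACL)
    print("\n".join(warns + ["missing on peer: " + m for m in missing] + ["unmatched on peer: " + e for e in extra]))
    for line in LOCAL_ACL:
        print(*map(render, relax_to_ip(parse_ace(line))), sep="\n")
```

Run it as-is to see the mismatch report; feed it your own `show access-list` output on both ends to confirm every local entry has its mirror before blaming phase 2. The `relax_to_ip` output is the pair of lines Jon's approach would use in place of each port-based crypto ACE.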