Cisco 2600 <-> Checkpoint IPsec VPN tunnel, port-based ACL

Unanswered Question
May 1st, 2007

Dear All,

In this post I have two questions related to my VPN config.

* IPsec VPN1 to a third party with PKI/RSA
** tunnel over loopback and use of NAT
* IPsec VPN2 to a third party with a shared key
** no tunnel, direct routing, no NAT

My questions are based on the config below:

* For VPN2, is the direct IPsec routing properly configured? I do see it working, but in most example configs I see the nonat section also applied. For me it also works without it. Do I need it?

* For VPN2 I have this ACL section:

ip access-list extended vpn2add1
 permit ip internalsource mask destination mask

This works. But when I try this:

ip access-list extended vpn2add1
 permit tcp internalsource mask destination mask eq www

then I don't get a VPN tunnel built up...!

So I am trying to allow only one protocol (www) over the VPN tunnel. But when I do this, the tunnel is not built. It only works when I do a permit ip; any attempt at filtering results in no VPN tunnel.

Is this normal? Is there a way around it? I tried searching many forums but didn't really see anyone with this problem. They also all use only permit ip.

This VPN tunnel is with a third party, and I would like to block traffic from them and/or only allow traffic from us over a certain port.

Any help on this is greatly appreciated. I have been pulling my hair out for a couple of days now.


Cisco config:

crypto isakmp policy 1
 authentication rsa-encr
 lifetime 900

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key (***REMOVED***) address (***REMOVED***)
crypto isakmp key (***REMOVED***) address (***REMOVED***)
crypto isakmp keepalive 30

crypto ipsec transform-set vpn1set1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2set esp-3des esp-sha-hmac

crypto map cryptomap1 local-address FastEthernet0/0
crypto map cryptomap1 1 ipsec-isakmp
 set peer (***REMOVED***)
 set security-association lifetime seconds 900
 set transform-set vpn1set1
 match address cryptomap1
crypto map cryptomap1 10 ipsec-isakmp
 set peer (***REMOVED***)
 set transform-set vpn2set
 set pfs group2
 match address vpn2add1
crypto map cryptomap1 11 ipsec-isakmp
 set peer (***REMOVED***)
 set transform-set vpn2set
 set pfs group2
 match address vpn2add2

interface Loopback1
 ip address (***TUNNELLOCALADDRESS***)

interface FastEthernet0/0
 ip address (***OUTSIDEIP***)
 no ip redirects
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cryptomap1

interface FastEthernet0/1
 ip address (***LOCALROUTERIP***)
 ip nat inside
 duplex auto
 speed auto
 no keepalive

ip classless
ip route (***DEFAULTGW***)
ip route x.0.0.0 (***INSIDESUBNETGATEWAY***)

no ip http server
no ip http secure-server

ip access-list extended cryptomap1

ip access-list extended vpn2add1
 permit ip (***INSIDENET1***) (***remoteVPN2destinationnet1***)
 permit ip (***INSIDENET2***) (***remoteVPN2destinationnet1***)
 permit ip host (***HOSTINSIDENET1***) (***remoteVPN2destinationnet1***)
 permit ip host (***HOSTINSIDENET2***) (***remoteVPN2destinationnet1***)

ip access-list extended vpn2add2
 permit ip (***INSIDENET1***) (***remoteVPN2destinationnet2***)
 permit ip (***INSIDENET2***) (***remoteVPN2destinationnet2***)
 permit ip host (***HOSTINSIDENET1***) (***remoteVPN2destinationnet2***)
 permit ip host (***HOSTINSIDENET2***) (***remoteVPN2destinationnet2***)


soulshepard.wazzaap Wed, 05/02/2007 - 01:48

I found my solution yesterday after all, in a previous post:

Forum Topics > Conversations > outline >

VPN Service Architectures: alternative to permit-ipsec, not using PIX

These documents refer to IOS 12.4.x; this version supports these commands on a crypto map. In the past I think you needed to open the ports on the outside interface; on 12.4.x this is not needed anymore.

crypto map (name) 1 ipsec-isakmp
 set ip access-group (address1-in) in
 set ip access-group (address1-out) out

Normally you would have:

ip access-list extended (address1)
 permit ip local/mask remote/mask

and now you can add filtering before the IPsec tunnel with the above-named access-group commands on the crypto map for your VPN:

ip access-list extended (address1-in)
 permit tcp remote/mask eq www local/mask
 permit icmp remote/mask local/mask echo-reply
 deny ip any any

ip access-list extended (address1-out)
 permit tcp local/mask remote/mask eq www
 permit icmp local/mask remote/mask echo
 deny ip any any
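As an added example (my own code, not from this thread, Cisco, or Checkpoint), here is a small Python checker that reads the crypto-map and extended-ACL portion of an IOS config and flags the pattern the thread ran into: a crypto ACL referenced by match address that selects by protocol or port instead of permit ip, and crypto map entries that carry no set ip access-group in/out filter. The sample config is constructed (RFC 5737 documentation addresses, ACL names borrowed from the thread); sequence 10 repeats the original poster's TCP/www crypto ACL, sequence 20 uses the layout from the reply. The parser handles only the commands shown here and is a review aid, not a replacement for the router's own parser.

```python
"""Check IOS crypto maps: 'permit ip' in the crypto ACL, port filtering in
'set ip access-group ... in/out'. Example code, not Cisco's."""
import re

# Constructed sample; addresses are RFC 5737 documentation space.
SAMPLE_CONFIG = """
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set vpn2set
 match address vpn2add1
crypto map cryptomap1 20 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set vpn2set
 set ip access-group vpn2-in in
 set ip access-group vpn2-out out
 match address vpn2add2
!
ip access-list extended vpn2add1
 permit tcp 10.1.0.0 0.0.255.255 198.51.100.0 0.0.0.255 eq www
ip access-list extended vpn2add2
 permit ip 10.1.0.0 0.0.255.255 198.51.100.0 0.0.0.255
ip access-list extended vpn2-in
 permit tcp 198.51.100.0 0.0.0.255 eq www 10.1.0.0 0.0.255.255
 permit icmp 198.51.100.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
 deny ip any any
ip access-list extended vpn2-out
 permit tcp 10.1.0.0 0.0.255.255 198.51.100.0 0.0.0.255 eq www
 permit icmp 10.1.0.0 0.0.255.255 198.51.100.0 0.0.0.255 echo
 deny ip any any
"""


def parse(config):
    """Return (acls, cmaps): ACL name -> list of ACEs, and a list of
    crypto-map entry dicts with their match/in/out ACL names."""
    acls, cmaps = {}, []
    block = None  # ("acl", name) or ("cmap", entry) while inside a block
    for raw in config.splitlines():
        line = raw.strip()  # accept both indented and flat (forum-pasted) configs
        if not line or line.startswith("!"):
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            acls[m.group(1)] = []
            block = ("acl", m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            entry = {"map": m.group(1), "seq": int(m.group(2)),
                     "match": None, "in": None, "out": None}
            cmaps.append(entry)
            block = ("cmap", entry)
            continue
        if block and block[0] == "acl" and re.match(r"(permit|deny|remark) ", line):
            acls[block[1]].append(line)
        elif block and block[0] == "cmap" and re.match(r"(set|match) ", line):
            entry = block[1]
            m = re.match(r"match address (\S+)$", line)
            if m:
                entry["match"] = m.group(1)
            m = re.match(r"set ip access-group (\S+) (in|out)$", line)
            if m:
                entry[m.group(2)] = m.group(1)
        else:
            block = None  # any other top-level command ends the current block
    return acls, cmaps


def lint(config):
    """Return a list of (severity, 'map seq N', message) findings."""
    acls, cmaps = parse(config)
    findings = []
    for e in cmaps:
        tag = f"{e['map']} seq {e['seq']}"
        if e["match"] is None:
            findings.append(("error", tag, "no 'match address' crypto ACL"))
            continue
        if e["match"] not in acls:
            findings.append(("error", tag, f"crypto ACL {e['match']} is not defined"))
        # The crypto ACL only decides what is protected; keep it to 'permit ip'.
        for ace in acls.get(e["match"], []):
            if ace.startswith("permit") and not ace.startswith("permit ip "):
                findings.append(("error", tag,
                                 f"crypto ACL {e['match']}: '{ace}' selects by "
                                 "protocol/port; use 'permit ip' here and filter "
                                 "with 'set ip access-group' instead"))
        for direction in ("in", "out"):
            name = e[direction]
            if name is None:
                findings.append(("info", tag,
                                 f"no {direction}bound filter on this entry "
                                 f"(set ip access-group <acl> {direction})"))
            elif name not in acls:
                findings.append(("error", tag, f"filter ACL {name} is not defined"))
            elif not any(a.startswith("deny ip any any") for a in acls[name]):
                findings.append(("warn", tag,
                                 f"filter ACL {name} has no explicit 'deny ip any any'"))
    return findings


if __name__ == "__main__":
    for severity, tag, message in lint(SAMPLE_CONFIG):
        print(f"[{severity}] {tag}: {message}")
```

Run against the sample, the checker reports the crypto ACL problem and the two missing filters on sequence 10 and nothing for sequence 20, which is the shape the reply above arrives at.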

