Hi @all,

i've a l2l vpn between 2 pixes [7.2(2)]. Now i'm trying to limit the vpn traffic to telnet (biderectional). I've tried it with the acl:

pix1:

access-list 111 line 1 extended permit tcp host 192.168.178.11 range 1024 65535 host 10.5.1.2 eq telnet

pix2:

access-list 111 line 1 extended permit tcp host 10.5.1.2 range 1024 65535 host 192.168.178.11 eq telnet

When i'm try to connect via telnet form 192.168.178.11 - pix1 - pix2 - 10.5.1.2 the following error occurs on pix2:

Received remote Proxy Host data in ID Payload: Address 192.168.178.11, Protocol 6, Port 27338

Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing ID payload

Dec 13 18:23:01 [IKEv1 DECODE]: Group = 10.2.1.1, IP = 10.2.1.1, ID_IPV4_ADDR ID received

10.5.1.2

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Received local Proxy Host data in ID Payload: Address 10.5.1.2, Protocol 6, Port 23

Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing notify payload

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, QM IsRekeyed old sa not found by addr

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, checking map = TELNET, seq = 1...

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, map = TELNET, seq = 1, ACL does not match proxy IDs src:192.168.178.11 dst:10.5.1.2

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.178.11/255.255.255.255/6/27338 local proxy 10.5.1.2/255.255.255.255/6/23 on interface outside

Isn't it possible to restrict the "VPN-Traffic"?

If i change the acl's to:

access-list 111 line 1 extended permit ip host 192.168.178.11 host 10.5.1.2

and

access-list 111 line 1 extended permit ip host 10.5.1.2 host 192.168.178.11

than the vpn tunnel works without any problems, but, sure, not only allowing telnet traffic to be encrypted.

What didn't i consider?

TIA

Tom