12-13-2007 10:26 AM - edited 03-12-2019 05:50 PM
Hi @all,
I've an L2L VPN between 2 PIXes [7.2(2)]. Now I'm trying to limit the VPN traffic to telnet (bidirectional). I've tried it with the ACL:
pix1:
access-list 111 line 1 extended permit tcp host 192.168.178.11 range 1024 65535 host 10.5.1.2 eq telnet
pix2:
access-list 111 line 1 extended permit tcp host 10.5.1.2 range 1024 65535 host 192.168.178.11 eq telnet
When I try to connect via telnet from 192.168.178.11 - pix1 - pix2 - 10.5.1.2, the following error occurs on pix2:
Received remote Proxy Host data in ID Payload: Address 192.168.178.11, Protocol 6, Port 27338
Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing ID payload
Dec 13 18:23:01 [IKEv1 DECODE]: Group = 10.2.1.1, IP = 10.2.1.1, ID_IPV4_ADDR ID received 10.5.1.2
Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Received local Proxy Host data in ID Payload: Address 10.5.1.2, Protocol 6, Port 23
Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing notify payload
Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, QM IsRekeyed old sa not found by addr
Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, checking map = TELNET, seq = 1...
Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, map = TELNET, seq = 1, ACL does not match proxy IDs src:192.168.178.11 dst:10.5.1.2
Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.178.11/255.255.255.255/6/27338 local proxy 10.5.1.2/255.255.255.255/6/23 on interface outside
Isn't it possible to restrict the "VPN-Traffic"?
If I change the ACLs to:
access-list 111 line 1 extended permit ip host 192.168.178.11 host 10.5.1.2
and
access-list 111 line 1 extended permit ip host 10.5.1.2 host 192.168.178.11
then the VPN tunnel works without any problems, but, of course, it is then no longer only telnet traffic that is allowed to be encrypted.
What didn't I consider?
TIA
Tom
12-13-2007 10:42 AM
You do not want to specify a port in your crypto ACLs. You have a few options. One is to remove "sysopt connection permit-vpn". This means you would have to write all of your VPN access in your interface ACLs.
no sysopt connection permit-vpn
access-list 111 extended permit ip host 192.168.178.11 host 10.5.1.2
access-list outside_access_in permit tcp host 192.168.178.11 host 10.5.1.2 eq telnet
access-group outside_access_in in interface outside
Two is to create a vpn-filter and assign it to the group policy for the tunnel group. See this document...
Hope that helps.
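The second option from the reply above, a vpn-filter on the group policy, written out for the two peers in this thread as an added example (not from the original posts or the linked document). The ACL name VPN_FILTER and the group-policy names are assumed, and pix2's outside address is not given in the thread, so it appears as a placeholder. A vpn-filter ACL is written from the remote peer's point of view (source = remote host, destination = local host) and is checked in both directions, which is why the pix1 rule carries the telnet port on the remote side.

```cisco
! pix2 (local host 10.5.1.2, remote peer pix1 = 10.2.1.1 as seen in the debug above)
! Crypto ACL stays plain "ip" so the proxy IDs match on both sides
access-list 111 extended permit ip host 10.5.1.2 host 192.168.178.11
!
! vpn-filter: source = remote host, destination = local host and port.
! Permits telnet initiated by 192.168.178.11 toward 10.5.1.2 and nothing else.
access-list VPN_FILTER extended permit tcp host 192.168.178.11 host 10.5.1.2 eq telnet
!
group-policy GP_PIX1 internal
group-policy GP_PIX1 attributes
 vpn-filter value VPN_FILTER
!
tunnel-group 10.2.1.1 general-attributes
 default-group-policy GP_PIX1
!
! pix1 (local host 192.168.178.11, remote peer pix2 = <PIX2_OUTSIDE_IP>, placeholder)
access-list 111 extended permit ip host 192.168.178.11 host 10.5.1.2
!
! The same telnet session seen from pix1: the remote host 10.5.1.2 is the
! source, and the port it answers on (23) is written on the remote side.
access-list VPN_FILTER extended permit tcp host 10.5.1.2 eq telnet host 192.168.178.11
!
group-policy GP_PIX2 internal
group-policy GP_PIX2 attributes
 vpn-filter value VPN_FILTER
!
tunnel-group <PIX2_OUTSIDE_IP> general-attributes
 default-group-policy GP_PIX2
!
! Verify on either box: the L2L session should list the filter, and the
! ACL hit counter should increment only for telnet. Other traffic matching
! the crypto ACL is still encrypted but dropped by the filter, so
! "sysopt connection permit-vpn" can stay in place.
show vpn-sessiondb detail l2l
show access-list VPN_FILTER
```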
12-14-2007 01:24 AM
Hi,
OK, that helps. As I'm used to working with Checkpoint, I thought it would be possible to handle it in the corresponding crypto ACL.
So many thanks for your help.
br
Tom