Port based restriction in VPN

Unanswered Question
Jan 3rd, 2009

Hi


We have a PIX 6.3(3) firewall on which a lot of Site to Site VPNs are configured. Below is a crypto ACL which needs to be restricted on a port basis; however, when we configure it on a port basis it does not work and we have to continue with IP based access. I have read that port based restriction is possible for the S2S tunnels with the ACE feature of PIX 7.0 and above; please let us know if I can go ahead and configure the same. Also, is there any possibility of restricting the S2S crypto ACL on a port basis on version 6.3(3)?


access-list S2SVPN permit ip host 10.25.X.X 192.168.3.2 255.255.255.255

access-list S2SVPN permit ip host 10.25.X.X 192.168.1.10 255.255.255.255

acomiskey Mon, 01/05/2009 - 12:43

Leave the crypto acl as ip. Create a traditional interface access list to filter the traffic. Then to allow the interface acl to actually work, you need to disable sysopt connection permit-ipsec. This will stop all your ipsec traffic from bypassing your interface acls.

ankurs2008 Tue, 01/06/2009 - 00:50

Hi


Thanks a lot. Please tell me if there is any specific reason to keep the crypto ACLs IP based only. Also, the option you have described fits 6.3(3) and 6.3(5); however, if we plan to upgrade the PIX to 7.0, can we put a port based restriction in place according to the group-policy / tunnel-group feature? If yes, do we need to disable "sysopt connection permit-ipsec" for 7.0 also (while configuring the ACE)?

acomiskey Tue, 01/06/2009 - 05:56

Yes you can do it in 7, or you can use the vpn-filter feature. If you use vpn-filter, you leave the sysopt enabled.

ankurs2008 Tue, 01/06/2009 - 07:11

Hi


Thanks a lot for resolving my query; however, I still have one question which I am trying hard to figure out: is there any specific reason to keep the crypto ACLs IP based only?

sachinraja Tue, 01/06/2009 - 13:38

Hello Ankur


Really nice question :)


We generally tend to leave the ACLs IP based, to reduce complexity! It just reduces the processing load on the router to a great extent.. It is simple, you know.. and the issue is, the crypto ACLs have to match between the source and destination.. on a remote branch it might be logical to have a port based ACL, but think of a DC, where many tunnels are terminating.. it would be a big nightmare for the administrator to have port based crypto ACLs in that case.. it can also cause relatively high CPU usage if IP based ACLs are not used!! Hence I would recommend you stick with IP based ACLs and restrict access on the internal interface using standard ACLs, as the other poster suggested..


Hope this helps.. all the best..


Raj

ankurs2008 Wed, 01/07/2009 - 03:54

Hi Raj


This is not the answer I am looking for, as the question of feasibility in a large DC only arises once a port based crypto ACL works at least; the issue is that it does not work at all. The IP based crypto ACL works with the "sysopt connection permit-ipsec" command; however, it does not work if TCP / UDP is specified in place of IP access in the crypto ACLs.

sachinraja Wed, 01/07/2009 - 12:29

Ankur


I think your question was "is there any specific reason to let the Crypto ACLs IP based only " for which I had given a reply.. If your question was something different, I would have answered appropriately.. :)


In any case, theoretically it should work.. what TCP ports are you trying to put on the crypto ACL? Along with the normal TCP ports of the application, you must also allow protocols like ICMP etc., to make sure you keep the tunnel alive... The IPsec tunnel is basically built when any traffic is destined to a particular destination, with a particular port, defined in the crypto ACL!


Can you explain your requirement to me? What kind of application? Do you have the configs that you tested for the port based ACL?


Regards

Raj
ankurs2008 Thu, 01/08/2009 - 23:55

Hi


Following are the 2 ACLs. The IP based crypto ACL works while the port based crypto ACL does not.


IP based Crypto ACL


access-list S2SVPN permit ip host 10.25.1.3 host 192.168.3.2

access-list S2SVPN permit ip host 10.25.1.4 host 192.168.1.10


Port based Crypto ACL


access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22


Regards

Ankur

ankurs2008 Tue, 01/13/2009 - 08:51

Hi


I have sent the config, please respond to this.

pim.sijnja Thu, 01/22/2009 - 07:47

Hi,


The only thing I can think of is that the ACLs do not match on both sides of the VPN. If one side uses a port based ACL and the other uses IP based, the proxy IDs will not match and the VPN will not work.

ankurs2008 Fri, 01/23/2009 - 12:13

I ensure that both sides are using mirror images, whether it is an IP based crypto ACL or a port based crypto ACL. The only thing is that the latter does not work.

acomiskey Fri, 01/23/2009 - 12:30

Ok, so if you used the port based acl


access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22


your mirror on the other end would have to be...


access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3

access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4


Is this what you're trying to do?
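To make the mirror rule from the answer above checkable, here is an added Python helper (not from this thread and not Cisco code) that parses PIX 6.3 style ACEs of the forms used in the thread, computes the mirror ACE the peer needs, and reports whether two crypto ACLs present matching proxy IDs. The HQ and correct-branch ACLs are the ones posted above; BRANCH_ACL_WRONG is a constructed example where "eq 22" was left on the destination side of the branch ACL, which is the mismatch the helper is meant to catch.

```python
# Each endpoint is (address, mask, port); port is None when the ACE has no "eq".
def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC [eq P] DST [eq P]' (PIX 6.3 syntax)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "permit":
        raise ValueError("unsupported ACE: " + line)
    name, proto, rest, endpoints = tokens[1], tokens[3], tokens[4:], []
    while rest:
        if rest[0] == "host":                      # host A.B.C.D
            addr, mask, rest = rest[1], "255.255.255.255", rest[2:]
        elif rest[0] == "any":                     # any
            addr, mask, rest = "0.0.0.0", "0.0.0.0", rest[1:]
        else:                                      # A.B.C.D MASK
            addr, mask, rest = rest[0], rest[1], rest[2:]
        port = None
        if rest and rest[0] == "eq":               # optional port qualifier
            port, rest = rest[1], rest[2:]
        endpoints.append((addr, mask, port))
    if len(endpoints) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return name, proto, endpoints[0], endpoints[1]

def format_ace(name, proto, src, dst):
    """Render an ACE back into PIX syntax, keeping any port on its endpoint."""
    def fmt(ep):
        addr, mask, port = ep
        text = "host " + addr if mask == "255.255.255.255" else \
               ("any" if mask == "0.0.0.0" else addr + " " + mask)
        return text + (" eq " + port if port else "")
    return "access-list %s permit %s %s %s" % (name, proto, fmt(src), fmt(dst))

def mirror_ace(line):
    """The ACE the peer must carry: source and destination swapped, ports travel with them."""
    name, proto, src, dst = parse_ace(line)
    return format_ace(name, proto, dst, src)

def proxy_ids_match(local_acl, remote_acl):
    """True when the remote ACL is the exact mirror of the local one (ACL names are ignored)."""
    def key(line):
        _, proto, src, dst = parse_ace(line)
        return (proto, src, dst)
    return {key(mirror_ace(l)) for l in local_acl} == {key(r) for r in remote_acl}

HQ_ACL = ["access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22",
          "access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22"]
BRANCH_ACL_OK = ["access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3",
                 "access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4"]
# Constructed mismatch: the port stayed on the destination, so the proxy IDs differ.
BRANCH_ACL_WRONG = ["access-list S2SVPN permit tcp host 192.168.3.2 host 10.25.1.3 eq 22",
                    "access-list S2SVPN permit tcp host 192.168.1.10 host 10.25.1.4 eq 22"]
```

Running proxy_ids_match(HQ_ACL, BRANCH_ACL_OK) returns True and proxy_ids_match(HQ_ACL, BRANCH_ACL_WRONG) returns False, which is the kind of mismatch that shows up as a Phase 2 proxy-ID failure rather than as a reachable tunnel.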
