01-03-2009 02:02 AM - edited 03-11-2019 07:31 AM
Hi
We have a PIX 6.3(3) firewall on which a lot of Site-to-Site VPNs are configured. Below is a crypto ACL which needs to be restricted on a port basis; however, when we configure it on a port basis it does not work and we have to continue with the IP-based access. I have read that port-based restriction is possible for the S2S tunnels with the ACE feature of PIX 7.0 and above; please let us know if I can go ahead and configure the same. Also, is there any possibility of restricting the S2S crypto ACL on a port basis on version 6.3(3)?
access-list S2SVPN permit ip host 10.25.X.X 192.168.3.2 255.255.255.255
access-list S2SVPN permit ip host 10.25.X.X 192.168.1.10 255.255.255.255
01-05-2009 12:23 PM
hi
Please help me on this.
01-05-2009 12:43 PM
Leave the crypto acl as ip. Create a traditional interface access list to filter the traffic. Then to allow the interface acl to actually work, you need to disable sysopt connection permit-ipsec. This will stop all your ipsec traffic from bypassing your interface acls.
01-06-2009 12:50 AM
Hi
Thanks a lot. Please tell me if there is any specific reason to keep the crypto ACLs IP-based only. Also, the option you have described fits 6.3(3) and 6.3(5); however, if we plan to upgrade the PIX to 7.0, can we put a port-based restriction in place according to the group-policy / tunnel-group feature? If yes, do we need to disable "sysopt connection permit-ipsec" for 7.0 also (while configuring ACE)?
01-06-2009 05:56 AM
Yes you can do it in 7, or you can use the vpn-filter feature. If you use vpn-filter, you leave the sysopt enabled.
01-06-2009 07:11 AM
Hi
Thanks a lot for resolving my query; however, I still have one question which I am trying hard to figure out: is there any specific reason to keep the crypto ACLs IP-based only?
01-06-2009 01:38 PM
Hello Ankur
Really nice question :)
We generally tend to leave the ACLs IP-based, to reduce complexity! It just reduces the processing power of the router to a great extent.. It is simple, you know.. and the issue is, the crypto ACLs have to match between the source and destination.. on a remote branch it might be logical to have a port-based ACL, but think of a DC, where many tunnels are terminating.. it would be a big nightmare for the administrator to have port-based crypto ACLs in that case.. it can also cause relatively high CPU usage if IP-based ACLs are not used!! Hence I would recommend you to stick with IP-based ACLs and restrict access on the internal interface using standard ACLs, as the other poster suggested..
Hope this helps.. all the best..
Raj
01-07-2009 03:54 AM
hi raj
This is not the answer I am looking for, as the question of feasibility in a large DC only arises once a port-based crypto ACL works at all; the issue is that it does not work at all. The IP-based crypto ACL works with the "sysopt connection permit-ipsec" command; however, it does not work if TCP / UDP is specified in place of IP in the crypto ACLs.
01-07-2009 12:29 PM
Ankur
I think your question was "is there any specific reason to let the Crypto ACLs IP based only", for which I had given a reply.. If your question was something different, I would have answered appropriately.. :)
In any case, theoretically it should work.. what TCP ports are you trying to put on the crypto ACL? With the normal TCP ports of the application, you must also allow protocols like ICMP etc., to make sure you keep the tunnel alive... The IPsec tunnel is basically built when any traffic is destined to a particular destination, with a particular port, defined in the crypto ACL!
Can you explain your requirement to me? What kind of application? Do you have the configs that you had tested for the port-based ACL?
Regards
Raj
01-08-2009 11:55 PM
Hi
Following are the 2 ACLs. The IP-based crypto ACL works while the port-based crypto ACL does not.
IP-based crypto ACL
access-list S2SVPN permit ip host 10.25.1.3 host 192.168.3.2
access-list S2SVPN permit ip host 10.25.1.4 host 192.168.1.10
Port-based crypto ACL
access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22
access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22
Regards
Ankur
01-13-2009 08:51 AM
hi
I have sent the config, please respond to this.
01-20-2009 11:48 PM
hi
Can somebody please throw some light on this?
01-22-2009 07:47 AM
Hi,
The only thing I can think of is that the ACLs do not match on both sides of the VPN. If one side uses a port-based ACL and the other uses an IP-based one, the proxy IDs will not match and the VPN will not work.
01-23-2009 12:13 PM
I ensure that both sides are using mirror images, whether it is an IP-based crypto ACL or a port-based crypto ACL. The only thing is that the latter does not work.
01-23-2009 12:30 PM
Ok, so if you used the port-based ACL
access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22
access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22
your mirror on the other end would have to be...
access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3
access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4
Is this what you're trying to do?
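The last two replies both come down to the same check: each crypto ACE on one peer must appear on the other peer with source and destination (addresses and port qualifiers) swapped, otherwise the proxy IDs offered in IKE phase 2 differ and the SA is never negotiated. The script below is an added example, not something posted in this thread, that parses a subset of PIX access-list syntax (permit lines with host / any / address-mask endpoints and eq / range port qualifiers, with or without the 7.x "extended" keyword), mirrors the peer's entries and reports any ACE that has no counterpart. The two peer ACLs are constructed sample input; the second one deliberately puts "eq 22" on the wrong endpoint and uses "ip" where the local side uses "tcp", the kind of mismatch that makes a port-based crypto ACL "not work" while the IP-based one does.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample input (this thread's example addresses, not a live config).
LOCAL_ACL = """
access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22
access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22
"""

# Correct mirror on the peer: src/dst swapped, "eq 22" stays on 192.168.x.x.
PEER_ACL_GOOD = """
access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3
access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4
"""

# Constructed mismatch: port attached to the wrong endpoint, and "ip" instead
# of "tcp" on the second line. Neither entry mirrors a local ACE.
PEER_ACL_BAD = """
access-list S2SVPN permit tcp host 192.168.3.2 host 10.25.1.3 eq 22
access-list S2SVPN permit ip host 192.168.1.10 host 10.25.1.4
"""


@dataclass(frozen=True)
class ProxyId:
    """One traffic selector as a crypto ACE describes it."""
    proto: str
    src: str     # "address/mask"
    sport: str   # "any", "eq N" or "range A B"
    dst: str
    dport: str

    def mirrored(self) -> "ProxyId":
        # What the other peer's ACE must look like to match this one.
        return ProxyId(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(tokens, i) -> Tuple[str, int]:
    # host X | any | X MASK
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/255.255.255.255", i + 2
    if tokens[i] == "any":
        return "0.0.0.0/0.0.0.0", i + 1
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _take_port(tokens, i) -> Tuple[str, int]:
    # Optional "eq N" or "range A B"; absent means any port.
    if i < len(tokens) and tokens[i] == "eq":
        return f"eq {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "any", i


def parse_ace(line: str) -> Optional[ProxyId]:
    """Parse one permit ACE; deny lines and non-ACL lines yield None."""
    tokens = re.split(r"\s+", line.strip())
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None
    i = 2
    if tokens[i] == "extended":   # PIX/ASA 7.x syntax
        i += 1
    if tokens[i] != "permit":
        return None
    proto = tokens[i + 1]
    src, i = _take_addr(tokens, i + 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    return ProxyId(proto, src, sport, dst, dport)


def parse_acl(text: str) -> Set[ProxyId]:
    return {p for p in (parse_ace(l) for l in text.splitlines()) if p}


def mirror_mismatches(local_text: str, peer_text: str) -> Tuple[Set[ProxyId], Set[ProxyId]]:
    """Return (local ACEs with no mirror on the peer, peer ACEs with no mirror locally)."""
    local = parse_acl(local_text)
    peer_as_seen_locally = {p.mirrored() for p in parse_acl(peer_text)}
    return local - peer_as_seen_locally, peer_as_seen_locally - local


if __name__ == "__main__":
    for name, peer in (("good peer", PEER_ACL_GOOD), ("bad peer", PEER_ACL_BAD)):
        missing, extra = mirror_mismatches(LOCAL_ACL, peer)
        print(f"{name}: {len(missing)} local ACE(s) unmatched, {len(extra)} peer ACE(s) unmatched")
        for p in missing:
            print("  peer lacks mirror of:", p)
```

Run it against the two ACLs shown earlier in the thread (the PIX side and the intended mirror) and the script reports zero mismatches; against the constructed bad peer it flags both local entries. It compares selectors textually, so "host X" and "X 255.255.255.255" are treated as the same endpoint, but it does not expand overlapping subnets or object groups.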