Port based restriction in VPN

ankurs2008
Level 1

Hi

We are having a PIX 6.3(3) firewall on which a lot of Site to Site VPNs are configured. Below is a crypto ACL which needs to be restricted on a port basis; however, when we configure it on a port basis it does not work and we have to continue with the IP based access. I have read that port based restriction is possible for the S2S tunnels with the ACE feature of PIX 7.0 and above; please let us know if I can go ahead and configure the same. Also, is there any possibility of restricting the S2S crypto ACL on a port basis on version 6.3(3)?

access-list S2SVPN permit ip host 10.25.X.X 192.168.3.2 255.255.255.255

access-list S2SVPN permit ip host 10.25.X.X 192.168.1.10 255.255.255.255

14 Replies

ankurs2008
Level 1

Hi

Please help me on this.

Leave the crypto acl as ip. Create a traditional interface access list to filter the traffic. Then to allow the interface acl to actually work, you need to disable sysopt connection permit-ipsec. This will stop all your ipsec traffic from bypassing your interface acls.

Hi

Thanks a lot. Please tell me if there is any specific reason to keep the crypto ACLs IP based only. Also, the option you have suggested fits 6.3(3) and 6.3(5); however, if we plan to upgrade the PIX to 7.0, can we put port based restriction according to the group-policy / tunnel-group feature? If yes, do we need to disable "sysopt connection permit-ipsec" for 7.0 also (while configuring ACE)?

Yes you can do it in 7, or you can use the vpn-filter feature. If you use vpn-filter, you leave the sysopt enabled.

Hi

Thanks a lot for resolving my query; however, I still have one question which I am trying hard to figure out: is there any specific reason to keep the crypto ACLs IP based only?

Hello Ankur

Really nice question :)

We generally tend to leave the ACLs IP based, to reduce complexity! It just reduces the processing power of the router to a great extent.. It is simple, you know.. and the issue is, the crypto ACLs have to match between the source and destination.. on a remote branch it might be logical to have a port based ACL, but think of a DC, where many tunnels are terminating.. it would be a big nightmare for the administrator to have port based crypto ACLs in that case.. it can also cause relatively high CPU usage if IP based ACLs are not used!! Hence I would recommend you to stick with IP based ACLs and restrict access on the internal interface using standard ACLs, as the other poster suggested..

Hope this helps.. all the best..

Raj

Hi Raj

This is not the answer I am looking for, as the question of feasibility in a large DC arises only when port based crypto ACLs work at all; the issue is that it does not work at all. The IP based crypto ACL works with the "sysopt connection permit-ipsec" command; however, it does not work if TCP / UDP is specified in place of IP in the crypto ACLs.

Ankur

I think your question was "is there any specific reason to let the Crypto ACLs IP based only " for which I had given a reply.. If your question was something different, I would have answered appropriately.. :)

In any case, theoretically it should work.. what TCP ports are you trying to put on the crypto ACL? Along with the normal TCP ports of the application, you must also allow protocols like ICMP etc., to make sure you keep the tunnel alive... The IPSEC tunnel is basically built when any traffic is destined to a particular destination, with a particular port, as defined in the crypto ACL!

Can you explain your requirement to me? What kind of application? Do you have the configs that you had tested for the port based ACL?

Regards

Raj

Hi

Following are the 2 ACLs. The IP based crypto ACL works while the port based crypto ACL does not.

IP based Crypto ACL

access-list S2SVPN permit ip host 10.25.1.3 host 192.168.3.2

access-list S2SVPN permit ip host 10.25.1.4 host 192.168.1.10

Port based Crypto ACL

access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22

Regards

Ankur

Hi

I have sent the config, please respond to this.

Hi

Can somebody please throw some light on this?

Hi,

The only thing I can think of is that the ACLs do not match on both sides of the VPN. If one side uses a port based ACL and the other uses IP based, the proxy-IDs will not match and the VPN will not work.

I ensure that both sides are using mirror images, whether it is the IP based crypto ACL or the port based crypto ACL. The only thing is, the latter does not work.

Ok, so if you used the port based ACL

access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22

your mirror on the other end would have to be...

access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3

access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4

Is this what you're trying to do?
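The two points the thread turns on are that each crypto ACE becomes a proxy-ID that the peer must propose as an exact mirror (with the port moved to the source side, as shown above), and that a port based crypto ACL only selects the flows it names, so ICMP and anything else never triggers the tunnel. The following checker is an added example, not code from this thread or from Cisco; it parses the PIX-style ACE shapes quoted here ("host A", the legacy "A MASK" form, and "eq PORT"), normalises them, and reports which local entries the peer fails to mirror and which flows a given ACL would select. The ACL text is constructed from the addresses the thread quotes; the "peer left IP based" variant is a constructed mismatch.

```python
"""Proxy-ID checker for PIX/ASA-style crypto ACLs (constructed example).

Handles the "access-list NAME permit PROTO SRC [eq PORT] DST [eq PORT]" shape,
with SRC/DST written as 'host A', 'any' or the legacy 'A MASK' form. Port
names such as 'eq ssh' are not resolved; use numeric ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProxyId:
    proto: str            # "ip", "tcp" or "udp"
    src: str              # CIDR string, e.g. "10.25.1.3/32"
    sport: Optional[int]  # None when no 'eq' qualifier
    dst: str
    dport: Optional[int]

    def mirror(self) -> "ProxyId":
        """The selector the peer must propose: source and destination swapped."""
        return ProxyId(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(toks: list) -> tuple:
    """Consume 'host A', 'any' or 'A MASK' and return (cidr, remaining tokens)."""
    if toks[0] == "host":
        return str(ipaddress.ip_network(toks[1] + "/32")), toks[2:]
    if toks[0] == "any":
        return "0.0.0.0/0", toks[1:]
    net = ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False)
    return str(net), toks[2:]


def _take_port(toks: list) -> tuple:
    """Consume an optional 'eq PORT' qualifier."""
    if toks and toks[0] == "eq":
        return int(toks[1]), toks[2:]
    return None, toks


def parse_ace(line: str) -> ProxyId:
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] != "permit":
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, rest = toks[3], toks[4:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    if rest or (proto == "ip" and (sport or dport)):
        raise ValueError(f"unsupported ACE: {line!r}")
    return ProxyId(proto, src, sport, dst, dport)


def parse_acl(text: str) -> set:
    return {parse_ace(l) for l in text.splitlines() if l.strip()}


def unmirrored(local: set, remote: set) -> set:
    """Local proxy-IDs the peer does not mirror exactly; Phase 2 fails for these."""
    return {p for p in local if p.mirror() not in remote}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def matches(flow: Flow, acl: set) -> bool:
    """Would this flow select any ACE, and so trigger or ride the tunnel?"""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == flow.proto)
                and s in ipaddress.ip_network(ace.src)
                and d in ipaddress.ip_network(ace.dst)
                and ace.sport in (None, flow.sport)
                and ace.dport in (None, flow.dport)):
            return True
    return False


# Constructed from the entries quoted in the thread.
LOCAL_IP_ACL = """
access-list S2SVPN permit ip host 10.25.1.3 host 192.168.3.2
access-list S2SVPN permit ip host 10.25.1.4 host 192.168.1.10
"""
LOCAL_PORT_ACL = """
access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22
access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22
"""
# Correct mirror: the port moves to the source side on the peer.
REMOTE_PORT_ACL = """
access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3
access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4
"""
# Constructed mismatch: peer left IP based while the local side went port based.
REMOTE_IP_ACL = """
access-list S2SVPN permit ip host 192.168.3.2 host 10.25.1.3
access-list S2SVPN permit ip host 192.168.1.10 host 10.25.1.4
"""

if __name__ == "__main__":
    local, good, bad = (parse_acl(t) for t in (LOCAL_PORT_ACL, REMOTE_PORT_ACL, REMOTE_IP_ACL))
    print("exact mirror     ->", unmirrored(local, good))  # set()
    print("peer still 'ip'  ->", len(unmirrored(local, bad)))  # 2
    ping = Flow("icmp", "10.25.1.3", None, "192.168.3.2", None)
    print("ping selects IP based ACL:  ", matches(ping, parse_acl(LOCAL_IP_ACL)))  # True
    print("ping selects port based ACL:", matches(ping, local))  # False
```

Running it against a pair of real configs is a quick way to tell the two failure modes apart: an empty `unmirrored()` result but a tunnel that never comes up points at the selected traffic (nothing matching the port based entries ever leaves the inside), while a non-empty result is a straightforward proxy-ID mismatch.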
