Site to Site VPN help

Whether it's possible to initiate a Phase 1 tunnel with a selected TCP service port number instead of allowing all TCP service ports with the peer IP address.

For example:

isakmp enable outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
! (or: isakmp policy 10 authentication rsa-sig)
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp key abc123 address 192.168.1.2 netmask 255.255.255.255

crypto ipsec transform-set customer1 esp-des esp-sha-hmac

E.g.: whether it is possible to initiate a tunnel with the peer IP address for port numbers 10000, 4500 and 500 alone; once the tunnel has been established, inside the tunnel I can allow IP-based traffic between the 2 LAN segments.

If I am wrong here, please correct me. But I need to form a tunnel with selected ports on the source IP as well as the peer IP address.


Ivan Martinon
Level 7

For health reasons, Cisco recommends using IP for traffic selection when configuring an IPsec tunnel; however, there are alternatives when trying to restrict the traffic that goes through it. These will vary depending on the platform used; for instance, on PIX/ASA 7.x and later you can use VPN filters, as shown at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

For routers you have the option of using ip access-group within the crypto map, which will allow you to restrict ports in and out of that crypto map statement:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1046685

hth

Ivan
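The ASA vpn-filter approach Ivan points to, written out as an added example (not from the original thread or Cisco's linked document). All addresses and names are constructed: the remote LAN 192.168.2.0/24 sits behind the peer 192.168.1.2 from the question, the local LAN is 10.10.10.0/24, and only TCP/443 plus ICMP is allowed to cross the established tunnel. Note that a vpn-filter restricts the traffic inside the tunnel; it does not change the IKE negotiation itself, which still uses UDP 500/4500 and ESP between the peer addresses.

```cisco
! ASA 7.x+ : restrict what crosses an established L2L tunnel with a vpn-filter.
! Constructed example values: remote LAN 192.168.2.0/24 (behind peer 192.168.1.2),
! local LAN 10.10.10.0/24.
!
! vpn-filter ACLs are written from the remote side's perspective:
!   source = remote (peer) network, destination = local network.
! The ASA applies the filter to traffic arriving from the tunnel and, with
! source/destination swapped, to traffic leaving into the tunnel.

! remote hosts may open TCP/443 to local servers (and get the replies back)
access-list L2L-VPN-FILTER extended permit tcp 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
! local hosts may open TCP/443 to remote servers (source port 443 on the remote side)
access-list L2L-VPN-FILTER extended permit tcp 192.168.2.0 255.255.255.0 eq 443 10.10.10.0 255.255.255.0
! allow ping in both directions for troubleshooting
access-list L2L-VPN-FILTER extended permit icmp 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
! everything else inside the tunnel is dropped by the implicit deny

! group policy carrying the filter
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value L2L-VPN-FILTER
 vpn-tunnel-protocol ipsec

! bind the policy to the LAN-to-LAN tunnel for this peer
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key abc123
```

The crypto map's match ACL still selects which LAN-to-LAN traffic is encrypted; the vpn-filter then decides which of that traffic is actually permitted, so both must agree on the networks involved.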
