02-22-2010 01:00 PM - edited 02-21-2020 04:30 PM
Hi,
Hope someone can help. I have a PIX set up for several fixed L2L IPsec VPNs and also allow Cisco VPN clients to VPN in. I have found that if traffic on one of the fixed VPNs doesn't match its access list, it fires up a connection using the dynamic map rather than just dropping the traffic.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set set2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address a1
crypto map mymap 20 set peer x.x.x.1
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap 30 set security-association lifetime seconds 28800
crypto map mymap 30 set security-association lifetime kilobytes 4608000
crypto map mymap 40 match address a2
crypto map mymap 40 set peer x.x.x.2
crypto map mymap 40 set transform-set set2
crypto map mymap 40 set security-association lifetime seconds 28800
crypto map mymap 40 set security-association lifetime kilobytes 4608000
crypto map mymap 40 set nat-t-disable
crypto map mymap 60000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
access-list a2 extended permit tcp host 10.0.3.99 192.168.6.0 255.255.254.0
access-list a2 extended permit tcp host 10.0.3.100 192.168.6.0 255.255.254.0
any idea as to why that would happen?
thanks.
02-25-2010 08:39 AM
Hi,
When a VPN request connection comes to the PIX, the PIX will attempt to match it against the policies in sequential order.
If it does not find a match on the specific crypto map for the peer, it will continue and find a match on the dynamic crypto map for the VPN clients, since it will accept any policies with any interesting traffic (unless restricted).
To fix this, the best approach is to ensure that all the fixed L2L tunnels terminated on the PIX have the ACLs for interesting traffic defined exactly the same way on both ends of the tunnel.
Federico.
02-25-2010 09:44 AM
That's OK at the moment as I have control over both ends, but what if I didn't? Is it possible to put a match ACL on a dynamic map? The IPs assigned to the client VPNs are a range from the PIX that I have defined, i.e. 10.0.50.0/24
thanks
02-25-2010 09:46 AM
That is correct.
If you do not have control over the other end, you can apply an ACL to the dynamic crypto map.
In this case, since you have control on both sides, there's no need for that.
Federico.
02-25-2010 09:52 AM
How would I go about constructing an ACL for the dynamic, would it be
access-list dynamic allow ip 0.0.0.0 0.0.0.0 10.0.50.0 255.255.255.0 ?
or something?
02-25-2010 09:56 AM
Under the dynamic crypto map, you have the option to specify an ACL as with the static crypto maps:
For example:
You create the ACL named acl-name and apply it to the dynamic crypto map:
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route
crypto dynamic-map dynmap 10 match address acl-name
Federico.
02-25-2010 09:59 AM
Hi,
Yup, I understand that bit, but when you look at the proxy IDs for the remote clients it's usually local ident 0.0.0.0 remote ident 10.0.50.x
thanks
02-25-2010 10:05 AM
Yes,
The remote VPN clients will have a local ident 0.0.0.0 because you can't know beforehand where all the VPN clients are going to come from.
So, there's no point in restricting the IP addresses from where the remote VPN client connections can be established (unless you want to do it like this).
For the L2L VPNs, you need to make sure the interesting traffic is a mirror of the other end; in this way only the traffic specified would make it through the tunnel.
You can differentiate the internal access that has each L2L and remote VPN client connection.
So, if somebody is coming from a L2L peer VPN, it would only have access to the resources specified in the ACL for that VPN.
If somebody comes from that IP, but using the VPN client software, then it will match against the dynamic crypto map.
Federico.
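The sequential crypto-map walk Federico describes, and the effect of adding a match address ACL to the dynamic map, can be illustrated with a small model. The following is an added Python example, not code from this thread or from Cisco: it assumes entries are evaluated in ascending sequence order, that a static entry only claims traffic its ACL permits, that a dynamic entry with no ACL accepts anything left over, and that entries with no ACL and no peer (mymap 10 and 30 above) are incomplete and skipped. The body of a1 and the ACL for the dynamic map (any -> 10.0.50.0/24, the client pool) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Toy model of how a PIX walks a crypto map (added illustration, not PIX code).
# Assumptions: ascending sequence order; a static entry matches only what its
# "match address" ACL permits; a dynamic entry without an ACL accepts any
# traffic (the behaviour the thread describes); entries lacking both ACL and
# peer (mymap 10 / 30 above) are incomplete and skipped.


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    proto: str  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(proto: str, src: str, dst: str) -> Ace:
    """Build one access-list line from CIDR strings (host = /32, any = 0.0.0.0/0)."""
    return Ace(proto, ipaddress.ip_network(src, strict=False),
               ipaddress.ip_network(dst, strict=False))


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First-match permit semantics; no matching line means implicit deny."""
    for e in acl:
        if e.proto not in ("ip", flow.proto):
            continue
        if (ipaddress.ip_address(flow.src) in e.src
                and ipaddress.ip_address(flow.dst) in e.dst):
            return True
    return False


@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str]
    acl: Optional[List[Ace]]  # None = no "match address" configured
    dynamic: bool = False


def select_entry(crypto_map: List[CryptoMapEntry], flow: Flow) -> Optional[CryptoMapEntry]:
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.acl is None:
            if entry.dynamic:
                return entry  # unrestricted dynamic map: claims everything left over
            continue  # static entry without match address / peer: incomplete, skipped
        if acl_permits(entry.acl, flow):
            return entry
    return None


# ACLs from the thread (a1 is not shown there; its body here is constructed).
A1 = [ace("ip", "10.0.1.0/24", "172.16.1.0/24")]
A2 = [ace("tcp", "10.0.3.99/32", "192.168.6.0/23"),
      ace("tcp", "10.0.3.100/32", "192.168.6.0/23")]
# Constructed ACL for the dynamic map: clients receive addresses from 10.0.50.0/24.
DYN_ACL = [ace("ip", "0.0.0.0/0", "10.0.50.0/24")]


def build_map(dynamic_acl: Optional[List[Ace]]) -> List[CryptoMapEntry]:
    return [
        CryptoMapEntry(20, "x.x.x.1", A1),
        CryptoMapEntry(40, "x.x.x.2", A2),
        CryptoMapEntry(60000, None, dynamic_acl, dynamic=True),
    ]


def classify(flow: Flow, dynamic_acl: Optional[List[Ace]] = None) -> str:
    """Return which crypto map entry would claim the flow, or 'no-match'."""
    entry = select_entry(build_map(dynamic_acl), flow)
    if entry is None:
        return "no-match"
    return "dynamic" if entry.dynamic else f"static-{entry.seq}"


if __name__ == "__main__":
    tcp_ok = Flow("tcp", "10.0.3.99", "192.168.6.10")    # permitted by a2
    udp_stray = Flow("udp", "10.0.3.99", "192.168.6.10")  # same hosts, but a2 is tcp-only
    to_client = Flow("tcp", "10.0.3.50", "10.0.50.7")     # inside host to a VPN client
    for f in (tcp_ok, udp_stray, to_client):
        print(f, "unrestricted:", classify(f), "| with ACL:", classify(f, DYN_ACL))
```

The UDP flow between the same two hosts is the case from the original question: it misses a2, so with an unrestricted dynamic map it is claimed by sequence 60000, whereas once the dynamic map carries an ACL limited to the client pool it matches nothing and is not tunnelled, while traffic to a client address still reaches the dynamic entry.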