My Customer has an IPSec Extranet connection between their PIX and a Checkpoint firewall.
Everything is working fine but the current VPN interesting traffic is simply identified by source and destination addresses:
access-list nonat permit ip 192.168.128.0 255.255.255.0 host 192.168.2.68
access-list nonat permit ip 192.168.128.0 255.255.255.0 host 192.168.2.81
crypto map rtpmap 10 match address nonat
sysopt connection permit-ipsec
Now my Customer has asked me to tightly control the traffic by limiting access from the Extranet to only some protocols/ports.
Well, I'm wondering about the best way to do this.
Changing the access-list nonat seems to be the *easiest* way but not the way recommended by the Cisco SAFE VPN blueprint:
"Normally the networks, hosts, and ports that are allowed to traverse the tunnels are defined in the Security Policy Database (SPD), as defined by the IPSec standard. This database is populated by the use of access control lists (ACLs). These ACLs are sometimes referred to as "crypto ACLs" or "network rules." You might consider using the cryptographic ACLs for rudimentary network security access control, but Cisco does not recommend this scenario because it complicates the configuration significantly. Rather, you should use inbound ACLs on the VPN devices for site-to-site traffic. "
Can someone give me some clarifications about this statement?
How can I possibly filter *decrypted* traffic once it has been let in by the "sysopt connection permit-ipsec" when it was still encrypted?
Thank you very much.
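One way to act on the SAFE recommendation quoted above, shown as an added example that is not part of the original post: on PIX 6.x the "sysopt connection permit-ipsec" statement is exactly what lets decrypted packets skip the outside interface's inbound ACL, so removing it puts them back under that ACL. The crypto ACL "nonat" then stays a plain host-to-host definition of what enters the tunnel, and the port restrictions live in an inbound ACL. The interface name "outside", the peer and PIX addresses (PEER_IP, PIX_OUTSIDE_IP) and the two permitted ports are placeholders and constructed values, not taken from the post.

```cisco
! Added example, not from the original post. Assumes PIX 6.x, an outside
! interface named "outside", the Checkpoint peer at PEER_IP and the PIX outside
! address PIX_OUTSIDE_IP (both placeholders). The ports below are constructed
! for illustration; use whatever the extranet hosts really need.

! 1. Stop IPsec-decrypted packets from bypassing the outside interface ACL.
no sysopt connection permit-ipsec

! 2. The tunnel itself must now be allowed explicitly: IKE (UDP 500) and ESP
!    (IP protocol 50) from the Checkpoint peer to the PIX outside address.
access-list outside_in permit udp host PEER_IP host PIX_OUTSIDE_IP eq 500
access-list outside_in permit esp host PEER_IP host PIX_OUTSIDE_IP

! 3. Decrypted extranet traffic is now checked here. Only these flows are
!    admitted; everything else from 192.168.128.0/24 hits the implicit deny.
access-list outside_in permit tcp 192.168.128.0 255.255.255.0 host 192.168.2.68 eq 443
access-list outside_in permit tcp 192.168.128.0 255.255.255.0 host 192.168.2.81 eq 22

! 4. Bind the list inbound on the interface where the tunnel terminates.
access-group outside_in in interface outside

! The crypto ACL is left untouched: it still selects the tunnel traffic by
! source and destination address only, which is what the SAFE text recommends.
! (crypto map rtpmap 10 match address nonat remains as in the original config.)
```

Two things worth checking before applying this on a production box: if "nonat" is also referenced by a "nat (inside) 0 access-list" statement (the name suggests so, though the post does not show one), narrowing it to ports would also narrow the NAT exemption, which is one concrete reason the SAFE text warns against putting port rules in the crypto ACL; and once the sysopt is removed, any other tunnel terminating on the same interface also has to be permitted in "outside_in" or it will stop passing traffic.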