Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
0
Helpful
3
Replies

L2L between PIX and VPN 3030

kevin.m.newman
Level 1
Level 1

‎09-01-2006 12:01 PM

I'm having some trouble setting up my 3030 concentrator to establish a tunnel with a PIX. The remote side, which I do not control, has an ACL that only allows telnet traffic on the VPN tunnel. When this ACL is active, the tunnel does not work. Phase 1 completes but it bombs out on phase 2. We tested by changing the ACL to allow any ip traffic and everything worked fine.

What do I need to do on the concentrator side to match this ACL? I have tried creating rules and adding them to a filter and applying it to the L2L for that tunnel, but that did not work.

Appreciate any help!

Thanks.

Labels:
0 Helpful
3 Replies 3

grant.maynard
Level 4
Level 4

‎09-04-2006 11:40 AM

The VPN ACLs at each end must be mirrors of each other. Therefore if the PIX end "allow tcp from 10.1.x.x to 10.2.x.x, destination port 23", then the L2L setup on the VPN303 must say "allow tcp from 10.2.x.x to 10.1.x.x, source port 23".

Alternatively, make the VPN open for all traffic, but use a filter on the VPN3030 or ACL on PIX to filter the traffic. That way, if you decide to add to the VPN (e.g. allow smtp) then you only need to amend the ACL/filter and not the VPN config itself. This is what I would do.

0 Helpful

kevin.m.newman
Level 1
Level 1
In response to grant.maynard

‎09-05-2006 06:07 AM

I appreciate the reply. What is the correct way to mirror the ACL though?

I have tried creating a rule that applies to TCP for destination port 23 and apply that to a filter and apply that to the L2L config, but that did not work.

I would love to do it the other way you suggested, in fact that's how we do all of our other tunnels, but I do not have control of the PIX side and that is how they require it.

0 Helpful

mustafa_nbk
Level 1
Level 1
In response to kevin.m.newman

‎09-05-2006 08:55 PM

Hi,

First of all, you have to inform PIX side administrator to use full ip traffic as vpn interesting traffic. Also at your concentrator side, you configured lan to lan tunnel with the source and destination network.

Now in Policy Management->Traffic Management-> Rules-> Add

Rule 1 :-

Name- OutboundXX

Direction :- Outbound

Action :- Forword

Protocol :- TCP

Source Address :- PIX Net

Destination Add :- Concentrator Net

TCP/UDP Source Port :- range 0-65535

TCP/UDP Destination Port :- 23

Rule =2 :-

Name- InboundXX

Direction :- Inbound

Action :- Forword

Protocol :- TCP

Source Address :- Concentrator Net

Destination Add :- PIX Net

TCP/UDP Source Port :- 23

TCP/UDP Destination Port :- range 0-65535

---------------

Now Create File named FilterL2L, and add the priviously created two rules in this fileter.

---

Now in LAN-to-LAN configuration, Specify the filter which you created in filter drop-down feild.

I hope it will solve your problum

Thanks,

Mustafa

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents