Restrict IPsec traffic over a VPN

Sep 21st, 2006
I have a LAN-to-LAN IPsec VPN working (PIX501), but I would like to restrict the access from LAN A to LAN B. I tried to use the "no sysopt connection permit-ipsec" command with some changes in the ACCESS-LIST bound to the outside interface. It did not work. Any help would be welcome (doc, previous experience, etc.).

puagarwa Sun, 09/24/2006 - 05:13

What you were trying to do is totally correct. The other way is that if you want to restrict traffic at the IP layer and not at layer 4, then you can restrict it in the nat 0 access-list.

Otherwise, removing the sysopt and then restricting the access in the access-list bound to the outside interface is the right way. Unfortunately, Cisco does not have any document for specifically doing this.

dadoamaral Tue, 09/26/2006 - 13:04

I have 3 access-lists as shown below.

I'm adding the new command (line 3) to the 101 one.

Is that right, or should I use one of the VPN access-lists?


Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 3 elements
access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=21870)
access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2300)
access-list 101 line 3 permit tcp FAA 255.255.255.0 any eq citrix-ica (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1339)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=2891)


Correct Answer
puagarwa Tue, 09/26/2006 - 16:08

I think line 3 in ACL 101 should be:

access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica

dadoamaral Wed, 09/27/2006 - 09:09

It did not work.

I even tried to remove the "eq citrix-ica" to test, but the thin client could not connect to the Citrix server and the line did not count any hits.

Something else is missing.

Thanks anyway

dadoamaral Wed, 09/27/2006 - 11:01

IT WORKS NOW!

I added 1 more line with UDP port 1604 to the ACL (see below) and it worked.

Thanks once more.


Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 4 elements
access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=22074)
access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2329)
access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica (hitcnt=1)
access-list 101 line 4 permit udp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq 1604 (hitcnt=1)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1360)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=3147)
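
The thread's outcome follows directly from how the PIX evaluates the outside ACL once "sysopt connection permit-ipsec" is off: first matching line wins, and anything not matched falls into the implicit deny, so a TCP-only line can never pass the UDP side of an ICA session. The following Python model is an added example written for this page, not code from the thread or from Cisco. It parses the "show access-list" output format shown above, applies first-match with the implicit deny, and reproduces why the ACL with only the citrix-ica line failed while adding UDP 1604 fixed it. It assumes 10.1.1.0/24 in place of the anonymised FAA network, a thin client at 10.1.1.10 and a Citrix server at 192.168.0.5 (all constructed), and treats UDP 1604 as the Citrix ICA browser (server-location) port.

```python
"""Added example (not from the thread): a small model of PIX access-list
evaluation, used to predict what the outside-interface ACL will do to
decrypted LAN-to-LAN traffic once 'sysopt connection permit-ipsec' is off.

Semantics modelled: first matching line wins, implicit deny at the end,
'any', 'host A.B.C.D' and 'NETWORK MASK' address forms (PIX uses real
subnet masks, not wildcard masks), an optional 'eq PORT' on the
destination, and the PIX service keywords that appear on the page
(citrix-ica = TCP 1494). The 'FAA' network on the page is anonymised;
10.1.1.0/24 is assumed in its place in the constructed input below.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PIX service keywords -> port numbers (only the ones used on the page).
SERVICES = {"https": 443, "smtp": 25, "citrix-ica": 1494}

# One ACE line of 'show access-list', with the optional 'line N' and '(hitcnt=N)'.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(permit|deny)\s+(.*?)"
    r"(?:\s+\(hitcnt=(\d+)\))?$"
)


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    hits: int
    text: str


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_show_access_list(text: str) -> Dict[str, List[Ace]]:
    """Parse 'show access-list' output into {acl_name: [Ace, ...]} in line order."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # header, alert-interval and '; N elements' lines
        name, action, body, hits = m.groups()
        t = body.split()
        src, i = _addr(t, 1)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = SERVICES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(
            Ace(action, t[0], src, dst, dport, int(hits or 0), raw.strip()))
    return acls


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[str]]:
    """First-match lookup; falls through to the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", None


# Constructed 'show access-list' output modelled on the thread: BEFORE is the
# ACL with puagarwa's suggested line 3 only, AFTER adds the UDP 1604 line that
# made the thin client work. 10.1.1.0/24 stands in for the page's FAA network.
BEFORE = """\
access-list 101; 3 elements
access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=21870)
access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2300)
access-list 101 line 3 permit tcp 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=2891)
"""
AFTER = BEFORE + (
    "access-list 101 line 4 permit udp 10.1.1.0 255.255.255.0 "
    "192.168.0.0 255.255.255.0 eq 1604 (hitcnt=1)\n")


def ica_verdicts(show_output: str) -> Dict[str, str]:
    """Outside-ACL verdicts for flows from the assumed thin client 10.1.1.10 to
    the assumed Citrix server 192.168.0.5: the ICA session (TCP 1494), the ICA
    browser / server-location service (UDP 1604), and SMB as a flow the crypto
    ACL would still carry but the outside ACL is meant to block."""
    acl = parse_show_access_list(show_output)["101"]
    return {
        "tcp/1494": evaluate(acl, "tcp", "10.1.1.10", "192.168.0.5", 1494)[0],
        "udp/1604": evaluate(acl, "udp", "10.1.1.10", "192.168.0.5", 1604)[0],
        "tcp/445": evaluate(acl, "tcp", "10.1.1.10", "192.168.0.5", 445)[0],
    }


if __name__ == "__main__":
    print("before:", ica_verdicts(BEFORE))  # udp/1604 denied: client cannot connect
    print("after: ", ica_verdicts(AFTER))   # both Citrix ports permitted, SMB still denied
```

The crypto-map and nat 0 ACLs stay at "permit ip" so the tunnel itself carries everything; the layer-4 restriction lives only in ACL 101 on the outside interface, which is why every protocol and port the application needs (here TCP 1494 and UDP 1604) has to be listed there explicitly.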

