Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Crypto ACL

Hi @all,

i've a l2l vpn between 2 pixes [7.2(2)]. Now i'm trying to limit the vpn traffic to telnet (biderectional). I've tried it with the acl:

pix1:

access-list 111 line 1 extended permit tcp host 192.168.178.11 range 1024 65535 host 10.5.1.2 eq telnet

pix2:

access-list 111 line 1 extended permit tcp host 10.5.1.2 range 1024 65535 host 192.168.178.11 eq telnet

When i'm try to connect via telnet form 192.168.178.11 - pix1 - pix2 - 10.5.1.2 the following error occurs on pix2:

Received remote Proxy Host data in ID Payload: Address 192.168.178.11, Protocol 6, Port 27338

Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing ID payload

Dec 13 18:23:01 [IKEv1 DECODE]: Group = 10.2.1.1, IP = 10.2.1.1, ID_IPV4_ADDR ID received

10.5.1.2

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Received local Proxy Host data in ID Payload: Address 10.5.1.2, Protocol 6, Port 23

Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing notify payload

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, QM IsRekeyed old sa not found by addr

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, checking map = TELNET, seq = 1...

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, map = TELNET, seq = 1, ACL does not match proxy IDs src:192.168.178.11 dst:10.5.1.2

Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.178.11/255.255.255.255/6/27338 local proxy 10.5.1.2/255.255.255.255/6/23 on interface outside

Isn't it possible to restrict the "VPN-Traffic"?

If i change the acl's to:

access-list 111 line 1 extended permit ip host 192.168.178.11 host 10.5.1.2

and

access-list 111 line 1 extended permit ip host 10.5.1.2 host 192.168.178.11

than the vpn tunnel works without any problems, but, sure, not only allowing telnet traffic to be encrypted.

What didn't i consider?

TIA

Tom

2 REPLIES
Green

Re: Crypto ACL

You do not want to specify port in your crypto acl's. You have a few options. One is to remove "sysopt connection permit-vpn". This means you would have to write all of your vpn access in your interface acl's.

no sysopt connection permit-vpn

access-list 111 extended permit ip host 192.168.178.11 host 10.5.1.2

access-list outside_access_in permit tcp host 192.168.178.11 host 10.5.1.2 eq telnet

access-group outside_access_in in interface outside

Two is to create a vpn-filter and assign it to the group policy for the tunnel group. See this document...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Hope that helps.

New Member

Re: Crypto ACL

hi,

ok, that helps. as i'm used to work with checkpoint i thought it would be able to handle it in the corresponding crypto acl.

so many thanks for your help.

br

tom

236
Views
9
Helpful
2
Replies
CreatePlease to create content