Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Site to Site VPN help

whether its possible to initate Phase 1 tunnel with selected  TCP service port number instead of allowing all TCP service port with peer IP address .

For Example : isakmp enable outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
iaskmp policy 10 authentication pre-share or rsa-sig
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp key abc123 address netmask

crypto ipsec transform-set customer1 esp-des esp-sha-hmac

              Eg :   whether it is possible to initate a tunnel with peer IP address for port no 10000 , 4500 , 500 , alone  once the tunnel has been established inside the tunnel i can allow IP based traffic between 2 LAN segment .

                  If am wrong over here please correct me . But i need a form a tunnel with selected ports on source IP as well peer IP address .


Re: Site to Site VPN help

For health reasons Cisco recommends to use IP for traffic selection when configuring an IPSEC tunnel, however there are alternatives when trying to restrict the traffic that goes through it, these will vary depending on the platform used; for instance on PIX/ASA 7.X and latest you can use VPN filters as shown on the following link:

For routers you have the option of using ip access-group within the crypto map that will allow you to restrict ports in and out of this crypto map statement:



CreatePlease to create content