Cisco Support Community
New Member

Crypto ACL

Hi,

Does anybody know if it's possible to configure a service in a crypto ACL?

Something like this:

access-list crypto permit tcp host 1.1.1.1 host 1.1.1.1 eq 23

How would the crypto ACL look on the other side?

1 ACCEPTED SOLUTION
Gold

Re: Crypto ACL

Please excuse me for misunderstanding what sort of device you've got.

With PIX v6.x, you can disable the command "sysopt connection permit-ipsec". When this command is enabled (on by default), the PIX will ignore any ACL for encrypted traffic.

So disable this command, create an inbound ACL, apply the ACL to the outside interface, and leave the no-NAT and crypto ACLs as they are.

e.g.

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.100 eq 23
nat (inside) 0 access-list 101
access-group 111 in interface outside
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 120
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set myset
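The two points the accepted answer makes are easy to get wrong when reading a config by eye: a crypto ACL only selects which host or network pairs get encrypted (it cannot match ports), and while "sysopt connection permit-ipsec" is in effect the decrypted traffic never passes through the outside interface's ACL. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.x-style configuration as text and reports a port match in a crypto ACL, the sysopt still being in effect, or a disabled sysopt with no inbound ACL on the outside interface. It recognises only the command forms used in this thread; the interface name "outside" and the 192.0.2.x addresses in the second sample are assumptions.

```python
# Added example (not from the thread): audit a PIX 6.x-style configuration for
# the points in the accepted answer. Only the command forms used in the thread
# are recognised; everything else is ignored.
import re

SYSOPT_PERMIT_IPSEC = "sysopt connection permit-ipsec"
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


def parse_pix_config(text):
    """Pull out the commands that decide how decrypted VPN traffic is filtered."""
    cfg = {
        "permit_ipsec": True,   # PIX 6.x default: on unless 'no sysopt ...' appears
        "acls": {},             # acl id -> list of parsed entries
        "access_groups": {},    # interface name -> (acl id, direction)
        "crypto_acls": set(),   # acl ids referenced by 'crypto map ... match address'
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == SYSOPT_PERMIT_IPSEC:
            cfg["permit_ipsec"] = True
            continue
        if line == "no " + SYSOPT_PERMIT_IPSEC:
            cfg["permit_ipsec"] = False
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (\S+)(.*)$", line)
        if m:
            acl_id, action, proto, rest = m.groups()
            cfg["acls"].setdefault(acl_id, []).append(
                {"action": action, "proto": proto, "tokens": rest.split()})
            continue
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            acl_id, direction, iface = m.groups()
            cfg["access_groups"][iface] = (acl_id, direction)
            continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m:
            cfg["crypto_acls"].add(m.group(1))
    return cfg


def audit_vpn_filtering(text, outside_iface="outside"):
    """Return (code, detail) findings; an empty list means the config follows the
    accepted answer: no ports in crypto ACLs, sysopt off, inbound ACL on outside."""
    cfg = parse_pix_config(text)
    findings = []
    for acl_id in sorted(cfg["crypto_acls"]):
        for entry in cfg["acls"].get(acl_id, []):
            if PORT_OPERATORS & set(entry["tokens"]):
                findings.append(("PORT_IN_CRYPTO_ACL",
                                 f"crypto ACL {acl_id} tries to match a port "
                                 f"({entry['proto']} {' '.join(entry['tokens'])}); "
                                 "crypto ACLs only select host/network pairs to encrypt"))
    if cfg["permit_ipsec"]:
        findings.append(("IPSEC_BYPASSES_INTERFACE_ACL",
                         f"'{SYSOPT_PERMIT_IPSEC}' is in effect, so decrypted VPN "
                         "traffic skips the interface ACL; disable it to enforce ports"))
    else:
        applied = cfg["access_groups"].get(outside_iface)
        if applied is None or applied[1] != "in":
            findings.append(("NO_INBOUND_ACL_ON_OUTSIDE",
                             f"sysopt is disabled but no inbound ACL is applied to "
                             f"'{outside_iface}'; VPN traffic will hit the default deny"))
    return findings


def finding_codes(text, outside_iface="outside"):
    return [code for code, _ in audit_vpn_filtering(text, outside_iface)]


# The accepted answer's configuration plus the 'no sysopt' line it says to add.
ACCEPTED_ANSWER_CONFIG = """
no sysopt connection permit-ipsec
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.100 eq 23
nat (inside) 0 access-list 101
access-group 111 in interface outside
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 120
crypto map myvpn 10 set transform-set myset
"""

# Constructed counter-example shaped like the original question: a port in the
# crypto ACL and the sysopt left at its default (addresses are placeholders).
QUESTION_STYLE_CONFIG = """
access-list crypto permit tcp host 192.0.2.1 host 192.0.2.2 eq 23
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address crypto
crypto map myvpn 10 set transform-set myset
"""

if __name__ == "__main__":
    for name, cfg_text in [("accepted answer", ACCEPTED_ANSWER_CONFIG),
                           ("question style", QUESTION_STYLE_CONFIG)]:
        print(name, "->", audit_vpn_filtering(cfg_text) or "OK")
```

Running it prints no findings for the accepted answer's configuration and two findings for the question-style one (the port in the crypto ACL and the sysopt still bypassing the interface ACL).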

5 REPLIES
Cisco Employee

Re: Crypto ACL

No, you specifically can't specify ports in a crypto ACL; only host(s)-to-host(s) ACLs are supported.

Gold

Re: Crypto ACL

If the aim is to restrict access between two VPN peers, you can configure a normal inbound ACL.

e.g.

crypto map mymap 10 ipsec-isakmp
 set peer xxx
 set transform-set myset
 match address 121
!
! 101 excludes the VPN traffic from NAT (via the route-map below); 121 is the crypto ACL
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101

Then you can restrict access by applying an inbound ACL, e.g.

! IOS extended ACLs use wildcard masks (0.0.0.255), not subnet masks
access-list 111 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.100 eq 25
!
! applied in interface configuration mode on the VPN-facing (outside) interface
 ip access-group 111 in

New Member

Re: Crypto ACL

Thanks for your reply.

But how can I do this in a PIX Firewall before version 7?

I know that the router decrypts the packet and applies the inbound ACL before it accesses my network.

How does the PIX deal with this?

Thanks in advance,

Jorge


New Member

Re: Crypto ACL

The bad boy is "sysopt connection permit-ipsec"

;)

Thanks for your help.

Jorge Pingitore
