I want to limit what services are allowed in an IPSec tunnel. When I specify the individual ports I get a message saying this will have a performance impact. This is a one-interface VPN solution, so adding an incoming access-list on the interface is a possible issue.
I want to allow ftp, rsh, rsync through the tunnel and I still want ssh to be forwarded but not through the tunnel.
If adding the acl would have a major performance impact on your network (depending on what model router you have and the amount of traffic) then you will need to look at getting a bigger router or off-loading the encryption to an encryption module (depending on what router you are using). There are also other options, firewalls, access-servers, etc.
Guessing by the fact you received the "performance impact" message, you are using a PIX device. This is a standard message the PIX issues whenever you enable port selectors for the ACL. It doesn't necessarily mean you WILL have a performance impact, only that you might. Only performance monitoring can determine this.
Otherwise, you can limit the services allowed in the tunnel by tweaking the crypto ACL. The crypto ACL will determine what IP traffic constitutes a match for IPSec. If you specify only ftp, rsh, and rsync ports as constituting a match for encryption, then only those packets will be encrypted and/or tunneled.
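As an added illustration of the crypto-ACL approach described in this answer (this is not configuration posted by the answerer), here is an IOS-style example. The site subnets 10.1.1.0/24 and 10.2.2.0/24, the peer address 203.0.113.2, the ACL, crypto map and transform-set names, and the interface name are all assumptions, and the transform set and ISAKMP policy are assumed to be defined elsewhere.

```cisco
! Added example, not from the original thread. Only ftp, rsh and rsync
! between the two assumed site subnets count as "interesting traffic";
! anything the ACL does not match (including ssh, tcp/22) is routed
! normally and never enters the tunnel.
ip access-list extended VPN-INTERESTING
 remark ftp control channel (tcp/21) and active-mode data channel (tcp/20)
 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq ftp
 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq ftp-data
 remark rsh (tcp/514)
 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 514
 remark rsync (tcp/873)
 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 873
 remark no entry for tcp/22 - ssh between the sites stays outside the tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address VPN-INTERESTING
!
! Single-interface router: the crypto map goes on the one interface.
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

Two caveats a practitioner would want. First, the entries above only cover sessions initiated from 10.1.1.0/24 (the port is on the destination side); if hosts on the far side also open ftp, rsh or rsync sessions towards 10.1.1.0/24, add the corresponding entries with the port on the source side, and the peer's crypto ACL must be the mirror image or the SA negotiation fails. Passive-mode ftp negotiates a dynamic data port and will not match `eq ftp-data`, so either use active mode or widen the ACL for the data channel. Second, traffic that does not match the crypto ACL is not dropped, it is simply sent unencrypted, so anything between the two sites that must not leave in the clear needs an explicit deny on the outside interface or a routing arrangement that keeps it off that path.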
First up, to get traffic passed selectively, based on the application and regardless of the destination, through the VPN or not, you'll need to set up policy routing. I *haven't* done this yet, but it can be done. In a nutshell, all traffic not on port 22 goes over the VPN. Then have it route through your IPsec encapsulating interfaces.
Filtering inbound traffic on a per-port basis will be tougher. IPsec uses IP protocols 50 and 51 (for ESP and AH traffic), which are portless, unlike TCP and UDP. As such, once they get to the other endpoint of the VPN they'll have to be decrypted and reassembled and *then* firewalled/filtered on the basis of the port (i.e. rlogin's port), but only once it's been taken out of the IPSec encapsulation.
Good luck. No, I don't know how to do this on IOS, so I can't help there.