Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec port filtering

I want to limit what service are allowed in a IPSec tunnel. When I specify the individual ports I get a message saying this will have a performance impact. This is a one interface VPN solution so adding an incoming access-list on the interface is a possible issue.

I want to allow ftp, rsh, rsync through the tunnel and I still want ssh to be forwarded but not through the tunnel.

Any suggestions.


Re: IPSec port filtering

If adding the acl would have a major performance impact on your network (depending on what model router you have and the amount of traffic) then you will need to look at getting a bigger router or off-loading the encryption to an encryption module (depending on what router you are using). There are also other options, firewalls, access-servers, etc.

Hope this helps

New Member

Re: IPSec port filtering

Guessing by the fact you received the "performance impact" message, you are using a PIX device. This is a standard message the PIX issues whenever you enable port selectors for the ACL. It doesn't necessarily mean you WILL have a performance, only that you might. Only performance monitoring can determine this.

Otherwise, you can limit the services allowed in the tunnel by tweaking the crypto ACL. The crypto ACL will determine what IP traffic constitutes a match for IPSec. If you specify only ftp, rsh, and rsync ports as constituting a match for encryption, then only those packets will be encrypted and/or tunneled.

New Member

Re: IPSec port filtering

first up to get traffic passed selectively, based on the application and regardless of the destination, through the VPN or not you'll need to set up policy routing. i *haven't* done this yet, but it can be done. in a nutshell, all traffic not port 22 goes over the VPN. then have it route through your IPsec encapsulating interfaces.

filtering inbound traffic on a per port basis will be tougher. IPsec uses IP protocols 50 and 51 (for esp and ah traffic), which are portless, unlike TCP and UDP. as such, once they get to the other endpoint of the VPN they'll have to be decrypted and reassembled and *then* firewalled/filtered on the basis of the port (ie rlogin's port). but only once its been taken out of the IPSec encapsulation.

good luck. no, i don't know how to do this on IOS, so .. i can't help there.

jose nazario

CreatePlease to create content