Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
849
Views
0
Helpful
3
Replies

IPSec port filtering

zchagpar
Level 1
Level 1

‎02-16-2001 12:24 PM - edited ‎02-21-2020 11:17 AM

I want to limit what service are allowed in a IPSec tunnel. When I specify the individual ports I get a message saying this will have a performance impact. This is a one interface VPN solution so adding an incoming access-list on the interface is a possible issue.

I want to allow ftp, rsh, rsync through the tunnel and I still want ssh to be forwarded but not through the tunnel.

Any suggestions.

Labels:
0 Helpful
3 Replies 3

ssoberlik
Level 4
Level 4

‎02-22-2001 07:16 AM

If adding the acl would have a major performance impact on your network (depending on what model router you have and the amount of traffic) then you will need to look at getting a bigger router or off-loading the encryption to an encryption module (depending on what router you are using). There are also other options, firewalls, access-servers, etc.

Hope this helps

0 Helpful

jomccloud
Level 1
Level 1

‎02-28-2001 06:52 PM

Guessing by the fact you received the "performance impact" message, you are using a PIX device. This is a standard message the PIX issues whenever you enable port selectors for the ACL. It doesn't necessarily mean you WILL have a performance, only that you might. Only performance monitoring can determine this.

Otherwise, you can limit the services allowed in the tunnel by tweaking the crypto ACL. The crypto ACL will determine what IP traffic constitutes a match for IPSec. If you specify only ftp, rsh, and rsync ports as constituting a match for encryption, then only those packets will be encrypted and/or tunneled.

0 Helpful

j-nazario
Level 1
Level 1

‎03-20-2001 11:20 AM

first up to get traffic passed selectively, based on the application and regardless of the destination, through the VPN or not you'll need to set up policy routing. i *haven't* done this yet, but it can be done. in a nutshell, all traffic not port 22 goes over the VPN. then have it route through your IPsec encapsulating interfaces.

filtering inbound traffic on a per port basis will be tougher. IPsec uses IP protocols 50 and 51 (for esp and ah traffic), which are portless, unlike TCP and UDP. as such, once they get to the other endpoint of the VPN they'll have to be decrypted and reassembled and *then* firewalled/filtered on the basis of the port (ie rlogin's port). but only once its been taken out of the IPSec encapsulation.

good luck. no, i don't know how to do this on IOS, so .. i can't help there.

jose nazario jose@cwru.edu

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents