969 Views, 13 Helpful, 9 Replies

PIX Site-to Site VPN using ACL with specific port destination

terblac
Level 1

Good day to all!!

I know that in order to establish a site-to-site VPN using two PIX firewalls we have to specify interesting traffic on both sides. Usually, we use a statement like the one below:

access-list AllowedTraffic permit ip host 192.168.2.1 host 192.168.3.1

But I have been thinking: what if we specify specific ports on the ACL that will be used for the VPN's interesting traffic, such as HTTPS? Something like the one below:

access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443

Comments would be fine...

Thanks...

Chris
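The configs that were actually tested in this thread are not reproduced on the page. The following is an added example by the editor, not Chris's or Hector's configuration and not taken from Cisco documentation. It embeds constructed PIX 6.3-style config fragments for both peers (the map name VPNMAP, transform set STRONG, peer addresses 203.0.113.1/.2 and the AES transform are assumptions) with a port-specific crypto ACL, and checks the one thing that goes wrong most often once a port is involved: peer B's ACL must be the mirror of peer A's, so the `eq 443` moves from the destination side on A to the source side on B. Copying the line and only swapping the addresses is not a mirror, and the checker flags it.

```python
import re

# Constructed sample config for peer A (illustration only; not the tested
# config from the thread). Only the lines relevant to the crypto ACL are shown.
# Peer A's inside host is 192.168.2.1, peer B's inside host is 192.168.3.1.
PEER_A = """\
access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address AllowedTraffic
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
"""

# Correct mirror on peer B: B's source is A's destination, so the port
# qualifier sits on the source side of B's ACE.
PEER_B = """\
access-list AllowedTraffic permit tcp host 192.168.3.1 eq 443 host 192.168.2.1
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address AllowedTraffic
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
"""

# Common mistake: addresses swapped but 'eq 443' left on the destination side.
PEER_B_WRONG = """\
access-list AllowedTraffic permit tcp host 192.168.3.1 host 192.168.2.1 eq 443
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address AllowedTraffic
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$", re.M)


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/255.255.255.255", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT'. Only 'eq' is handled in this example;
    'range', 'gt', 'lt' and 'neq' would need extra cases."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return "any", tokens


def parse_acl(config, name):
    """Return the ACEs of access-list `name` as
    (action, proto, src, sport, dst, dport) tuples, in config order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue  # other ACLs and 'access-list X remark' lines are skipped
        tokens = m.group(4).split()
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, tokens = _take_addr(tokens)
        dport, tokens = _take_port(tokens)
        if tokens:
            raise ValueError(f"unparsed tail {tokens!r} in: {line.strip()}")
        aces.append((m.group(2), m.group(3), src, sport, dst, dport))
    return aces


def crypto_acls(config):
    """Map each (crypto map name, sequence) to the ACL it matches on."""
    return {(m.group(1), int(m.group(2))): m.group(3) for m in MATCH_RE.finditer(config)}


def mirror(aces):
    """Swap source and destination, carrying each side's port with it."""
    return [(a, p, dst, dport, src, sport) for (a, p, src, sport, dst, dport) in aces]


def peers_mirror(config_a, config_b, map_a=("VPNMAP", 10), map_b=("VPNMAP", 10)):
    """True when peer B's crypto ACL is exactly the mirror of peer A's.
    Order of ACEs is ignored; protocol, addresses and both ports must match."""
    acl_a = parse_acl(config_a, crypto_acls(config_a)[map_a])
    acl_b = parse_acl(config_b, crypto_acls(config_b)[map_b])
    return sorted(mirror(acl_a)) == sorted(acl_b)


if __name__ == "__main__":
    print("PEER_B mirrors PEER_A:      ", peers_mirror(PEER_A, PEER_B))
    print("PEER_B_WRONG mirrors PEER_A:", peers_mirror(PEER_A, PEER_B_WRONG))
```

With the port on the wrong side, peer B's ACL would only match traffic from TCP/443 on 192.168.3.1 heading to an arbitrary port on 192.168.2.1 as source-port 443, so the return half of the HTTPS flow would not be treated as interesting and the tunnel would not carry it. The same check is useful for the plain `permit ip` case, where the mirror is just the address swap.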


9 Replies

a.kiprawih
Level 7

Hi Chris,

Based on the Cisco doc, the ACLs you use for Site-to-Site (or LAN-to-LAN) are based on the source and destination IP addresses only, and they have to be symmetric, mirroring each other on both sides of the connection.

This ACL does not give any option to specify a TCP/UDP port like other extended ACLs (source, destination and port).

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008054ed55.html#wp1042401

Rgds,

AK

hemendoz
Cisco Employee

Hello,

It does work, at least on 6.3(5), as I've personally tested this. However, I do recall getting a warning message about taking a performance hit. Hope that helps! If so, please rate.

Thanks

Hi Hector,

Great news, as I've been looking into this feature as well. At least the improvement lets us specify the source of interesting traffic in detail, with a specific port number.

Can you provide the link, as the following PIX 6.3(5) Release Notes don't mention it?

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html

Rgds,

AK

If that would work...

I guess there would be times when there is no interesting traffic matching that specification between the VPN peers, and the VPN connection would be torn down. Would the tunnel then be built up again?

If so, is there a way I could delay the tear-down?

I will be doing a lab on this on Monday and inform you guys.

Ak,

Also, I could not open the link you provided. I guess it is for Cisco partners only and you need CCO partner login credentials. I only have a guest or ordinary user account.

Thanks a lot Hector and AK.

Chris

Chris,

Sorry, try the following:

VPN Link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008054ed55.html#wp1042401

PIX 6.3(5) Release Notes:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html

As Hector has confirmed by testing, I am keen to know your test result soon.

Rgds,

AK

Here are my configs when I tested this. Hope this helps! If so, please rate.

Thanks

Hi Hector,

Great! BTW, do you have the link about this feature in PIX 6.3(5), i.e. release notes, etc.? I couldn't find it.

Rgds,

AK

Hello AK,

I didn't see this in any documentation. I figured it should work, so I tested for myself. HTH

Hi Hector,

OK, at least you've tested it successfully and it works.

I wonder why Cisco did not mention/highlight it officially in the release doc or the VPN-related doc? I am sure lots of Cisco customers are looking into the same feature as well. It is definitely a good point to highlight.

There must be a good reason. Thanks for the info.

Rgds,

AK
