Cisco Support Community
Community Member

PIX Site-to Site VPN using ACL with specific port destination

Good day to all!!

I know that in order to establish a site-to-site VPN using two PIX firewalls we have to specify interesting traffic on both sides. Usually, we do the statement below:

access-list AllowedTraffic permit ip host 192.168.2.1 host 192.168.3.1

But I have been thinking: what if we specify specific ports on the ACL that will be used for the VPN's interesting traffic, such as HTTPS? Such as the one below:

access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443

Comments would be fine...

Thanks...

Chris

1 ACCEPTED SOLUTION
Cisco Employee

Re: PIX Site-to Site VPN using ACL with specific port destination

Here are my configs when I tested this. Hope this helps! If so, please rate.

Thanks

9 REPLIES

Re: PIX Site-to Site VPN using ACL with specific port destination

Hi Chris,

Based on the Cisco doc, the ACLs that you use for Site-to-Site (or LAN-to-LAN) VPNs are based on the source and destination IP addresses only, and they have to be symmetric: they should mirror each other on both sides of the connection.

This ACL does not give any option to specify a TCP/UDP port like other extended ACLs (source, destination and port).

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008054ed55.html#wp1042401

Rgds,

AK
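The mirroring requirement described above is the part that is easy to get wrong once ports enter the crypto ACL: the remote peer's entry must swap source and destination, ports included, so `permit tcp host A host B eq 443` on one PIX has to become `permit tcp host B eq 443 host A` on the other. The script below is an added example, not code from this thread or from Cisco. It assumes PIX 6.x `access-list` syntax (`host`/`any`/network-plus-mask addresses, `eq` ports), parses both peers' crypto ACLs, generates the mirror one peer needs from the other's, and reports entries that do not line up. The sample configs `PIX_A`, `PIX_B_OK` and `PIX_B_WRONG` are constructed for the example, and the port-name table is the script's own.

```python
"""Mirror-check for PIX crypto (interesting-traffic) ACLs.

Added example, not from the thread. Assumes the PIX 6.x form
  access-list NAME permit PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'host A.B.C.D', 'any' or 'A.B.C.D MASK'.
"""
from dataclasses import dataclass

# Own assumption: small name table so 'eq https' and 'eq 443' compare equal.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "domain": "53"}


@dataclass(frozen=True)
class Entry:
    proto: str
    src: str
    sport: str   # numeric port, or "*" when the source port is unrestricted
    dst: str
    dport: str

    def mirror(self) -> "Entry":
        """Entry the remote peer must carry: swap source and destination,
        ports included ('A -> B eq 443' becomes 'B eq 443 -> A')."""
        return Entry(self.proto, self.dst, self.dport, self.src, self.sport)

    def to_line(self, name: str) -> str:
        parts = ["access-list", name, "permit", self.proto, self.src]
        if self.sport != "*":
            parts += ["eq", self.sport]
        parts.append(self.dst)
        if self.dport != "*":
            parts += ["eq", self.dport]
        return " ".join(parts)


def _take_addr(tokens: list) -> str:
    t = tokens.pop(0)
    if t == "host":
        return f"host {tokens.pop(0)}"
    if t == "any":
        return "any"
    return f"{t} {tokens.pop(0)}"          # network followed by subnet mask


def _take_port(tokens: list, proto: str) -> str:
    if proto in ("tcp", "udp") and tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES.get(p, p)
    return "*"


def parse_acl(config: str, name: str) -> set:
    """Permit entries of one named ACL. Deny lines, other ACLs and
    '!' comment lines fail the prefix test and are skipped."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", name, "permit"]:
            continue
        tokens = tokens[3:]
        proto = tokens.pop(0)
        src = _take_addr(tokens)
        sport = _take_port(tokens, proto)
        dst = _take_addr(tokens)
        dport = _take_port(tokens, proto)
        entries.add(Entry(proto, src, sport, dst, dport))
    return entries


def mirror_acl(config: str, name: str) -> list:
    """The ACL the remote peer needs, generated line by line."""
    return sorted(e.mirror().to_line(name) for e in parse_acl(config, name))


def check_mirror(local_cfg, local_name, remote_cfg, remote_name):
    """(missing, extra): mirrored entries absent on the remote side, and
    remote entries with no counterpart on the local side."""
    expected = {e.mirror() for e in parse_acl(local_cfg, local_name)}
    remote = parse_acl(remote_cfg, remote_name)
    return expected - remote, remote - expected


# Constructed sample configs. PIX-A sits in front of 192.168.2.1, PIX-B in
# front of 192.168.3.1; only HTTPS and syslog from A's host are tunnelled.
PIX_A = """\
! PIX-A crypto ACL
access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq https
access-list AllowedTraffic permit udp host 192.168.2.1 host 192.168.3.1 eq 514
"""
PIX_B_OK = """\
access-list AllowedTraffic permit tcp host 192.168.3.1 eq 443 host 192.168.2.1
access-list AllowedTraffic permit udp host 192.168.3.1 eq 514 host 192.168.2.1
"""
# Common mistake: the port left on the destination side when mirroring.
PIX_B_WRONG = """\
access-list AllowedTraffic permit tcp host 192.168.3.1 host 192.168.2.1 eq 443
access-list AllowedTraffic permit udp host 192.168.3.1 eq 514 host 192.168.2.1
"""

if __name__ == "__main__":
    print("\n".join(mirror_acl(PIX_A, "AllowedTraffic")))
    for label, cfg in (("ok", PIX_B_OK), ("wrong", PIX_B_WRONG)):
        missing, extra = check_mirror(PIX_A, "AllowedTraffic", cfg, "AllowedTraffic")
        print(label, "missing:", sorted(e.to_line("AllowedTraffic") for e in missing),
              "extra:", sorted(e.to_line("AllowedTraffic") for e in extra))
```

Run as-is it prints the mirror PIX-B needs and then a clean report for `PIX_B_OK` and a one-line mismatch for `PIX_B_WRONG`. Two caveats worth keeping in mind when the crypto ACL is port-specific: traffic between the same two hosts on any other port does not match the crypto map, so it leaves the outside interface unprotected (or is dropped) unless the outside ACL and NAT rules stop it; and, as with any crypto ACL, it only selects traffic and does nothing to keep the tunnel up: once nothing matches, the IPsec SAs simply expire at their configured lifetime and are renegotiated the next time a matching packet arrives.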

Cisco Employee

Re: PIX Site-to Site VPN using ACL with specific port destination

Hello,

It does work. At the very least on 6.3(5), as I've personally tested this. However, I do recall getting a warning message about taking a performance hit. Hope that helps! If so, please rate.

Thanks

Re: PIX Site-to Site VPN using ACL with specific port destination

Hi Hector,

Great news, as I've been looking into this feature as well. At least the improvement lets us specify the source of interesting traffic in more detail, with a specific port number.

Can you provide the link? The following PIX 6.3(5) Release Notes don't mention it.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html

Rgds,

AK

Community Member

Re: PIX Site-to Site VPN using ACL with specific port destination

If that would work...

I guess there would be times when there is no interesting traffic matching what is specified between the VPN peers, and the VPN connection would be torn down. And then there would be a tunnel build-up again.

If so, is there a way I could postpone the tear-down?

I will be doing a lab on this on Monday and inform you guys.

Ak,

Also, I could not open the link you provided. I guess it is for Cisco partners only and you need CCO partner login credentials. I only have a guest or ordinary user account.

Thanks a lot Hector and AK.

Chris

Re: PIX Site-to Site VPN using ACL with specific port destination

Chris,

Sorry, try the following:

VPN Link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008054ed55.html#wp1042401

PIX 6.3(5) Release Notes:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html

As confirmed and tested by Hector, I am keen to know your test result soon.

Rgds,

AK


Re: PIX Site-to Site VPN using ACL with specific port destination

Hi Hector,

Great! BTW, do you have a link about this feature in PIX 6.3(5), i.e. release notes, etc.? I couldn't find it.

Rgds,

AK

Cisco Employee

Re: PIX Site-to Site VPN using ACL with specific port destination

Hello AK,

I didn't see this in any documentation. I figured it should work, so I tested for myself. HTH

Re: PIX Site-to Site VPN using ACL with specific port destination

Hi Hector,

OK, at least you've tested it successfully and it works.

I wonder why Cisco did not mention/highlight it officially in the release notes or the VPN-related docs? I am sure lots of Cisco customers are looking into the same feature as well. It is definitely a good point to highlight.

There must be a good reason. Thanks for the info.

Rgds,

AK
