Good day to all!!
I know that in order to establish a site-to-site VPN using 2 PIX firewalls we have to specify interesting traffic on both sides. Usually, we do the statement below:
access-list AllowedTraffic permit ip host 192.168.2.1 host 192.168.3.1
But I have been thinking: what if we specify specific ports on the ACL that will be used for the VPN's interesting traffic, such as HTTPS? Such as the one below:
access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443
Comments would be fine...
Based on the Cisco docs, the ACLs that you use for Site-to-Site (or LAN-to-LAN) VPNs are based on the source and destination IP addresses only, and they have to be symmetric, mirroring each other on both sides of the connection.
This ACL does not give any option to specify TCP/UDP port like other extended ACL (source, destination & port).
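To check the mirroring requirement mechanically rather than by eye, here is an added Python example (not from this thread or from Cisco; the ACL texts are constructed and the function names are my own) that parses PIX-style crypto ACEs, including port qualifiers, and reports the entries one peer's crypto ACL fails to mirror.

```python
import ipaddress
# Constructed sample crypto ACLs (hypothetical, not from the thread). Peer A
# protects HTTPS 192.168.2.1 -> 192.168.3.1 plus the two LANs; peer B must
# carry the exact mirror image (addresses and port qualifiers swapped).
PEER_A = """
access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443
access-list AllowedTraffic permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
PEER_B_OK = """
access-list AllowedTraffic permit tcp host 192.168.3.1 eq 443 host 192.168.2.1
access-list AllowedTraffic permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Common mistake: port left on the destination side and the LAN entry missing.
PEER_B_BAD = """
access-list AllowedTraffic permit tcp host 192.168.3.1 host 192.168.2.1 eq 443
"""

def _addr(tokens):
    """Consume 'host X' or 'X MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens

def parse_ace(line):
    """Return (proto, src, sport, dst, dport) for one PIX-style permit ACE."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _addr(tokens[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return (tokens[3], src, sport, dst, dport)

def parse_acl(text):
    return {parse_ace(l) for l in text.strip().splitlines() if l.strip()}
def mirror(ace):
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)  # swap src/dst; ports travel with them

def mirror_mismatches(local, remote):
    """(missing, extra): local ACEs the remote does not mirror, and vice versa."""
    expected = {mirror(a) for a in parse_acl(local)}
    actual = parse_acl(remote)
    return expected - actual, actual - expected
```

An empty pair of sets means the two crypto ACLs mirror each other; anything in `missing` or `extra` is a line one side must add or remove before the tunnel will negotiate cleanly.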
It does work. At the very least on 6.3(5), as I've personally tested this. However, I do recall getting a warning message about taking a performance hit. Hope that helps! If so, please rate.
Great news, as I've been looking into this feature as well. At least the improvement helps us specify the source of interesting traffic in more detail, with a specific port number.
Can you provide the link, as the following PIX 6.3(5) Release Notes don't mention it?
If that would work...
I guess there would be times when there is no interesting traffic matching what is specified between the VPN peers, and then the VPN connection would be torn down. And would there be a tunnel build-up again?
If so, is there a way I could prolong the tear-down?
I will be doing a lab on this on Monday and inform you guys.
Also, I could not open the link you have provided. I guess it is for Cisco partners only and you need a CCO partner login credential. I only have a guest or ordinary user account.
Thanks a lot Hector and AK.
Sorry, try the following:
PIX 6.3(5) Release Notes:
As confirmed by Hector's test, I am keen to know your test result soon.
Great! BTW, do you have the link about this feature in PIX 6.3(5), i.e. release notes, etc.? I couldn't find it.
I didn't see this in any documentation. I figured it should work, so I tested for myself. HTH
OK, at least you've tested it successfully and it works.
I wonder why Cisco Inc. did not mention/highlight it officially in the release doc or VPN-related docs? I am sure lots of Cisco customers are looking into the same feature as well. It's definitely a good point to highlight.
There must be a good reason. Thanks for the info.