
New Member

Pix-VPN traffic specification ? ? ?

Hi,

I've a problem:

I want to make a VPN remote access from VPN3000 soft. Client and a PIX.

I've configured properly the pix and all works well.

Now, if I want to deny the clients access to some services on some hosts on the inside PIX network, how can I do it?

I've experienced the same problem with a LAN-to-LAN, where my PIX connects to another PIX to which I have no access...

The problems that I've seen are:

- the nonat access-list, for the nat 0 command, must be IP (I can't specify TCP ports)

- the crypto map match address again wants an IP access-list; I've tried with a TCP access-list but it doesn't work

(really, only in the case of remote access, I've seen that the "dynamic" crypto map match address doesn't work even with an IP access list, but it is not a problem, I've worked with the nonat ACL).

- if I put an ACL on the inside interface, the traffic coming back from the session originated by the outside VPN client doesn't match it; clearly the ACLs are stateful...

How can I solve this trouble ? ? ?

thanks in advance for the advice.

best rgds,

Graz.

6 REPLIES
New Member

Re: Pix-VPN traffic specification ? ? ?

One option may be to not explicitly permit IPSec with the "no sysopt permit-ipsec" command.

Then you can build access-lists or conduits to allow the IPsec traffic in - that way you can specify TCP.

I hope that's clear.

New Member

Re: Pix-VPN traffic specification ? ? ?

Hi,

thanks, but I don't think that it should work:

at the outside interface of the PIX, IPsec packets arrive (TCP or UDP aren't visible) and only after that are the packets decapsulated... so I think it is not possible to work at the outside interface level.

Thanks,

Graz.

New Member

Re: Pix-VPN traffic specification ? ? ?

It works. I do it on our firewall.

New Member

Re: Pix-VPN traffic specification ? ? ?

Hi,

thanks very much, but I don't understand...

I'd be very grateful if you could specify what you have done.

I list this simple configuration for you; what can I do to specify the traffic permitted in the VPN (for example: if I want the outside net 172.16.0.0 to be able to see only TCP port 80 of the specified internal host)?

ip address outside 192.168.1.xxx 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.zxc.vbv
access-list nonat permit ip host 10.10.10.10 172.16.0.0 255.255.0.0
access-list 100 permit ip host 10.10.10.10 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer 172.22.xxx.yyy
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ********** address 172.22.xxx.yyy netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
sysopt connection permit-ipsec

thanks,

Graz.

New Member

Re: Pix-VPN traffic specification ? ? ?

The following command disables ASA (conduit or Access-list) bypass for IPSec sessions. Therefore, you must then create an inbound rule for the vpn traffic to get in.

no sysopt connection permit-ipsec

If you are using conduits it would look like this.

conduit permit tcp host 10.10.10.10 eq 80 172.16.0.0 255.255.0.0

Good Luck.
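The change this reply describes, written out as an added example in PIX 6.x syntax rather than the thread's own configuration. The ACL name outside_in is assumed; the addresses are the ones from the posted fragment.

```cisco
! Added example, not from the thread. PIX 6.x syntax; outside_in is an assumed name.
!
! The NAT-exemption and crypto ACLs stay IP-only: they decide which traffic is
! encrypted, not what the remote side is allowed to reach.
access-list nonat permit ip host 10.10.10.10 172.16.0.0 255.255.0.0
access-list 100 permit ip host 10.10.10.10 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map transam 1 match address 100
!
! Stop decrypted IPsec traffic from bypassing the interface checks. ISAKMP and
! ESP addressed to the PIX's own outside address are still terminated by the
! PIX; only the decrypted payload is subject to the rules below.
no sysopt connection permit-ipsec
!
! Decrypted packets enter as inbound traffic on the outside interface, so the
! port restriction belongs there, not on inside. Replies from 10.10.10.10 are
! allowed by the connection state, so no inside ACL is needed.
access-list outside_in permit tcp 172.16.0.0 255.255.0.0 host 10.10.10.10 eq 80
access-group outside_in in interface outside
!
! Equivalent conduit form (older syntax; ignored on an interface that has an
! access-group applied):
! conduit permit tcp host 10.10.10.10 eq 80 172.16.0.0 255.255.0.0
!
! Check that client connections hit the permit line rather than the implicit deny:
! show access-list outside_in
```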

New Member

Re: Pix-VPN traffic specification ? ? ?

I encountered the same problem when I was setting up PIX to PIX vpn. Instead of the access-list I used conduits to narrow down access to the appropriate tcp ports.

gilles
