Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Tightly controlling Extranet VPN traffic terminating on a Pix

Hi all.

My Customer has an IPSec Extranet connection between their Pix and a Checkpoint firewall.

Everything is working fine but the current VPN interesting traffic is simply identified by source and destination addresses:

access-list nonat permit ip host

access-list nonat permit ip host



crypto map rtpmap 10 match address nonat



sysopt connection permit-ipsec

Now my Customer has asked me to tightly control the traffic by limiting access from the Extrenet to only some protocols/ports.

Well, I'm wondering about the best way to do this.

Changing the access-list nonat seems to be the *easiest* way but not the way recommended by the Cisco SAFE VPN blueprint:

"Normally the networks, hosts, and ports that are allowed to traverse the tunnels are defined in the Security Policy Database (SPD), as defined by the IPSec standard. This database is populated by the use of access control lists (ACLs). These ACLs are sometimes referred to as "crypto ACLs" or "network rules." You might consider using the cryptographic ACLs for rudimentary network security access control, but Cisco does not recommend this scenario because it complicates the configuration significantly. Rather, you should use inbound ACLs on the VPN devices for site-to-site traffic. "

Can someone give me some clarifications about this statement?

How can I possibly filter *decripted* traffic once it has been let in by the "sysopt connection permit-ipsec" when it was still encrypted?

Thank you very much.


Re: Tightly controlling Extranet VPN traffic terminating on a Pi

IPSec Security Associations are one way. So, normally, for an IPSec connection, you need two, one for each direction. This gets waaaay more complicated if you start invoking individual ip protocols (tcp, udp, etc) or port numbers in your crypto acls. What happens is that an SA will need to be negotiated for each port/protocol pair = vastly increasing the # of SAs = vastly increasing troubleshooting headaches. Thus Cisco's recommendation not to do such things with crpyto ACLs.

Re: filtering decrypted traffic:

What you would be doing is more granular filtering at each router in crypto ACLs, before the data hits the IPSec pipe. This would cause tons more SAs though.

They mention inbound ACLs on vpn devices - you could have an inbounc ACL on the internal int of your pix, and filter there.

CreatePlease to create content