Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

L2L IPSEC and Dynamic VPN Clients PIX 8.x

Hi,

Hope someone can help. I have a PIX setup for several fixed L2L IPSEC VPNs and also allowed Cisco VPN clients to VPN in. I have found that if traffic on one of the fixed VPNs doesnt match its access list it fires up a connection using the dynamic map rather than just dropping the traffic.

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set set2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address a1
crypto map mymap 20 set peer x.x.x.1
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap 30 set security-association lifetime seconds 28800
crypto map mymap 30 set security-association lifetime kilobytes 4608000
crypto map mymap 40 match address a2

crypto map mymap 40 set peer x.x.x.2
crypto map mymap 40 set transform-set set2
crypto map mymap 40 set security-association lifetime seconds 28800
crypto map mymap 40 set security-association lifetime kilobytes 4608000
crypto map mymap 40 set nat-t-disable
crypto map mymap 60000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

access-list a2 extended permit tcp host 10.0.3.99 192.168.6.0 255.255.254.0
access-list a2 extended permit tcp host 10.0.3.100 192.168.6.0 255.255.254.0

any idea as to why that would happen?

thanks.

7 REPLIES

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

Hi,

When a VPN request connection comes to the PIX, the PIX will attempt to match it against the policies in sequential order.

If it does not find a match on the specific crypto map for the peer, it will continue and find a match on the dynamic crypto map for the VPN clients, since it will accept any policies with any interesting traffic (unless restricted).

To fix this, the best is to ensure that all the fixed L2L tunnels terminated on the PIX have the ACLs for interesting traffic defined exactly the samee  way on both ends of the tunnel.

Federico.

New Member

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

Thats ok at the moment as I have control over both ends but what if I didnt? Is it possible to put a match ACL on a dynamic map? The IPs assigned to the client VPNs are a range from the PIX I have defined. i.e. 10.0.50.0/24

thanks

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

That is correct.

If you do not have control over the other end, you can apply an ACL to the dynamic crypto map.

In this case, since you have control on both sides, there's no need for that.

Federico.

New Member

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

How would I go about constructing an ACL for the dynamic, would it be

access-list dynamic allow ip 0.0.0.0 0.0.0.0 10.0.50.0 255.255.255.0 ?

or something?

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

Under the dynamic crypto map, you have the option to specify an ACL as with the static crypto maps:

For example:

You create the ACL named acl-name and apply it to the dynamic crypto map:

crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route

crypto dynamic-map dynmap 10  match address acl-name

Federico.

New Member

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

Hi,

yup understand that bit but when you look at the proxy IDs for the remote clients its usually local ident 0.0.0.0 remote ident 10.0.50.x

thanks

Re: L2L IPSEC and Dynamic VPN Clients PIX 8.x

Yes,

The remote VPN clients will have a local ident 0.0.0.0 because you can't know before hand where all the VPN clients are going to come from.

So, there's no point in restricting the IP addresses from where the remote VPN client connections can be established (unless you want to do it like this).

For ths L2L VPNs, need to make sure the interesting traffic is a mirror from the other end, in this way only the traffic specified would make it through the tunnel.

You can differentiate the internal access that has each L2L and remote VPN client connection.

So, if somebody is coming from a L2L peer VPN, it would only have access to the resources specified in the ACL for that VPN.

If somebody comes from that IP, but using the VPN client software, then will match against the dynamic crypto map.

Federico.

321
Views
0
Helpful
7
Replies