Locking down Ports over site to site VPN

jwashburn
Level 1

We are going to be setting up a VPN with a business partner. Through this VPN we only want to allow FTP and HTTP traffic. Is this possible?

2 Replies

Jon Marshall
Hall of Fame

Hi

Yes it is possible. It depends on what device you are using. If a PIX, you can do a number of things:

1) You can use the sysopt connection permit ipsec command and then in your crypto map access-list you can specify tcp rather than the more general ip, i.e.

access-list vpaccess permit tcp host x.x.x.x host x.x.x.x eq http

etc....

Cisco warn that using ports in your crypto map access-list can have performance implications.

2) You don't use the sysopt connection permit ipsec command. Instead you add your access-list lines to the access-list on the outside interface, i.e.

your crypto map access-list now says

access-list vpaccess permit ip host x.x.x.x host x.x.x.x

on your outside interface access-list you add

access-list outside_in permit tcp host x.x.x.x host x.x.x.x eq http

This line would not allow clear text http traffic through your PIX because, due to the crypto map access-list, the PIX realises it has to be encrypted.

HTH
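The following is an added PIX 6.x configuration sketch of option 2 above, not part of the reply: the crypto ACL stays a broad "permit ip", the outside interface ACL narrows the tunnelled traffic to HTTP and FTP, and sysopt is left off so the interface ACL is actually consulted. All addresses, ACL names, the transform set and the peer are made-up placeholders.

```cisco
! --- Option 2: filter VPN traffic with the outside interface ACL ---
! Placeholders: 192.0.2.10 = our server, 198.51.100.20 = partner host,
! 203.0.113.1 = partner VPN peer. Replace with real values.

! Tunnel selector stays broad so the PIX knows this pair must be encrypted
access-list vpaccess permit ip host 192.0.2.10 host 198.51.100.20

! Inbound from partner: only HTTP (80) and the FTP control channel (21)
access-list outside_in permit tcp host 198.51.100.20 host 192.0.2.10 eq http
access-list outside_in permit tcp host 198.51.100.20 host 192.0.2.10 eq ftp
! Everything else from the tunnel is dropped by the implicit deny
access-group outside_in in interface outside

! FTP inspection opens the data channel (active or passive) dynamically,
! so port 20 / high ports need not be permitted explicitly
fixup protocol ftp 21

! Do NOT bypass the interface ACL for decrypted traffic
no sysopt connection permit-ipsec

! IPsec phase 2 and crypto map binding the selector above
crypto ipsec transform-set partnerset esp-3des esp-sha-hmac
crypto map partnermap 10 ipsec-isakmp
crypto map partnermap 10 match address vpaccess
crypto map partnermap 10 set peer 203.0.113.1
crypto map partnermap 10 set transform-set partnerset
crypto map partnermap interface outside
isakmp enable outside
```

If you also want to limit what your own users can send to the partner, apply a similar ACL inbound on the inside interface; by default the PIX permits all traffic from a higher-security interface to a lower one.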

Collin Clark
VIP Alumni

We restrict by using a second firewall. That seems the easiest way, but it's probably the most expensive.