01-17-2007 10:13 AM
We are going to be setting up a VPN with a business partner. Through this VPN we only want to allow FTP and HTTP traffic. Is this possible?
01-19-2007 05:09 AM
Hi
Yes, it is possible. It depends on what device you are using. If a PIX, you can do a number of things:
1) You can use the sysopt connection permit ipsec command and then in your crypto map access-list you can specify tcp rather than the more general ip, i.e.
access-list vpaccess permit tcp host x.x.x.x host x.x.x.x eq http
etc.
Cisco warn that using ports in your crypto map access-list can have performance implications.
2) You don't use the sysopt connection permit ipsec command. Instead you add your access-list lines to the access-list on the outside interface, i.e.
your crypto map access-list now says
access-list vpaccess permit ip host x.x.x.x host x.x.x.x
on your outside interface access-list you add
access-list outside_in permit tcp host x.x.x.x host x.x.x.x eq http
This line would not allow clear text http traffic through your PIX because, due to the crypto map access-list, the PIX realises it has to be encrypted.
HTH
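As an added illustration (not from either poster), here is how option 2 above would look end to end on a PIX 6.x: the crypto map access-list stays a plain permit ip between the two hosts, sysopt connection permit-ipsec is turned off so the outside interface access-list is applied to the decrypted traffic, and that access-list admits only HTTP and FTP control connections from the partner host. The addresses, access-list and map names, and the pre-shared key are placeholders.

```cisco
! --- Added example (not from the thread). Placeholder values:
!   203.0.113.10 = partner's VPN peer,  198.51.100.5 = partner's client host
!   192.168.10.20 = our internal web/FTP server,  PARTNER-KEY = pre-shared key
! Phase 1 / Phase 2 parameters for the partner tunnel
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key PARTNER-KEY address 203.0.113.10 netmask 255.255.255.255
crypto ipsec transform-set PARTNER-TS esp-3des esp-sha-hmac
!
! Crypto map access-list: plain "permit ip", so the tunnel itself carries
! anything and the port filtering happens on the interface access-list
access-list partner_vpn permit ip host 192.168.10.20 host 198.51.100.5
! Exempt the tunnelled traffic from NAT
access-list nonat permit ip host 192.168.10.20 host 198.51.100.5
nat (inside) 0 access-list nonat
!
crypto map PARTNER-MAP 10 ipsec-isakmp
crypto map PARTNER-MAP 10 match address partner_vpn
crypto map PARTNER-MAP 10 set peer 203.0.113.10
crypto map PARTNER-MAP 10 set transform-set PARTNER-TS
crypto map PARTNER-MAP interface outside
!
! Key point of option 2: without this sysopt, decrypted IPsec traffic is
! checked against the outside interface access-list like any other inbound packet
no sysopt connection permit-ipsec
!
! Only HTTP and FTP control connections from the partner host are admitted;
! anything else arriving through the tunnel is dropped and logged
access-list outside_in permit tcp host 198.51.100.5 host 192.168.10.20 eq www
access-list outside_in permit tcp host 198.51.100.5 host 192.168.10.20 eq ftp
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! FTP inspection (on by default) opens the data channel for active/passive
! FTP, so port 21 alone is enough in the access-list
fixup protocol ftp 21
```

The deny line with log gives you a record of anything the partner side tries to send through the tunnel that is not HTTP or FTP.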
01-19-2007 06:14 AM
We restrict by using a second firewall. That seems the easiest way, but it's probably the most expensive.