04-26-2007 05:03 PM
Howdy, Y'all-
I have a Netscreen ISG2000 which is trying to host a point-to-point VPN with an ASA running v7.1.
On the Netscreen side, I've configured a "policy-based" VPN, which is expecting only HTTPS traffic over the tunnel. Therefore, in IKE negotiation, it expects the proposal to only include IP proto 6.
On the ASA side, the administrator (not my coworker, and I have no access) isn't seeing a place to define the outbound allowed protocols for the IKE proposal.
I can see that there is supposed to be an ACL that is tied to the crypto-map, which specifies the traffic which should be routed to the tunnel. I suspect that it is now saying "access-list (1) extended permit ip ?", which is allowing all IP protos over the tunnel.
What I want to do is something like "access-list (1) extended permit tcp .... eq 443".
Can anyone confirm that this will force the ASA to specify that it's only TCP that will be passed in the proposal?
Thanks!
04-27-2007 02:52 AM
Hi,
Yes, if you have configured your Netscreen with a policy-based VPN, and your policy allows only HTTPS traffic to flow from your internal subnet to his internal subnet (do not forget to check the "modify matching bidirectional policy" option), then his access-list on his side must be exactly symmetrical to yours (including the source and destination being host or subnet, as well as the port; in your case it will be TCP 443).
In the ASA he will have the access-list
access-list test permit tcp source_subnet source_netmask destination_subnet destination_netmask eq 443
crypto map mymap 10 match address test
Please rate if this helps!
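To make the "exactly symmetrical" requirement checkable before the tunnel is brought up, here is an added example (not from the original thread or either vendor) that parses an ASA crypto-map ACE and tests whether it mirrors the Netscreen policy's proxy ID; the subnets 10.1.0.0/24 and 10.2.0.0/24 and the ACL name "test" are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One side's IKE phase-2 traffic selector: src/dst network, protocol, dst port (0 = any)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int


def _asa_addr(tok, i):
    """Consume an ASA address spec at tok[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(tok[i] + "/" + tok[i + 1]), i + 2


def parse_asa_acl(line):
    """Parse one 'access-list NAME [extended] permit PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list" or "permit" not in tok:
        raise ValueError("not a permit ACE: " + line)
    i = tok.index("permit")
    proto = tok[i + 1]
    src, i = _asa_addr(tok, i + 2)
    dst, i = _asa_addr(tok, i)
    port = int(tok[i + 1]) if len(tok) > i + 1 and tok[i] == "eq" else 0
    return ProxyId(src, dst, proto, port)


def mirrors(local, remote):
    """True when the peer's selector is the exact mirror of ours (its src is our dst and
    vice versa, same protocol, same port); anything else is a phase-2 proxy-ID mismatch."""
    return (local.src == remote.dst and local.dst == remote.src
            and local.proto == remote.proto and local.port == remote.port)


# Constructed sample values: the Netscreen policy from the question (HTTPS only) and two ASA ACEs.
NETSCREEN = ProxyId(ipaddress.IPv4Network("10.1.0.0/255.255.255.0"),
                    ipaddress.IPv4Network("10.2.0.0/255.255.255.0"), "tcp", 443)
ASA_IP_ANY = "access-list test extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0"
ASA_HTTPS = "access-list test extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443"

if __name__ == "__main__":
    for ace in (ASA_IP_ANY, ASA_HTTPS):
        print("match" if mirrors(NETSCREEN, parse_asa_acl(ace)) else "MISMATCH", "<-", ace)
```

The "permit ip" ACE fails the check on protocol alone, which is exactly the mismatch the Netscreen rejects during phase 2.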
05-01-2007 11:14 PM
Thanks! Worked like a charm.