737 Views | 0 Helpful | 4 Replies

PIX and ASA Site to Site (ACLs)

Sighclops
Level 1

I am trying to set up a site-to-site VPN tunnel between my PIX 515 (6.3) and a vendor ASA 5510. We can get the tunnel up when the ACL match is full IP, but when we try to use just TCP and a specific port, nothing comes through. Any thoughts? Should I be able to restrict the interesting traffic to only what is needed? I am only looking for the ASA side to access a resource on the PIX side on TCP 1521. The PIX side does not need to access anything on the ASA side.

PIX Side x.x.x.x      ASA side y.y.y.y

This ACL works...

PIX

access-list vendor permit ip host x.x.x.x  host y.y.y.y

ASA

access-list vendor permit ip host y.y.y.y  host x.x.x.x

This ACL does not...

PIX

access-list vendor permit TCP host x.x.x.x  eq 1521 host y.y.y.y

ASA

access-list vendor permit TCP host y.y.y.y host x.x.x.x eq 1521

Phase 1 ISAKMP comes up fine; it just fails on the IPsec data transfer.


4 Replies

Patrick0711
Level 3

Adding port and protocol information to the crypto access list is not the correct way to restrict traffic. Use an interface access list on the ASA, or apply a VPN filter to a group policy and reference it in your tunnel-group.

Do you know if the PIX 6.3 supports the VPN filter group policy?

No, only 7.x code versions support the use of tunnel-groups and group-policies, which are necessary to implement VPN filtering.

I would suggest filtering traffic at the ASA because on the PIX, you would have to remove the 'sysopt connection permit-ipsec' command (if it's not removed already) to begin filtering on the outside interface.
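As an added example (not from the thread and not Cisco's own documentation), here is how the ASA-side approach Patrick0711 describes could look in ASA 7.x-style configuration: the crypto ACL stays a plain host-to-host IP match, exactly like the working pair in the question, and the TCP 1521 restriction moves into a vpn-filter on a group policy that the site-to-site tunnel-group references. The ACL and policy names (vendor-vpnfilter, vendor-l2l), the placeholder PIX_PEER_IP for the PIX outside address, and the verification commands are assumptions; x.x.x.x and y.y.y.y are the hosts from the post.

```cisco
! Added example, not from the thread. Assumptions (not given in the post):
!   - PIX_PEER_IP is the PIX outside address that the ASA peers with
!   - x.x.x.x is the TCP 1521 server behind the PIX, y.y.y.y the client behind the ASA
!
! 1. Crypto ACL: keep it protocol-agnostic, the same as the working version in the
!    question. The PIX 6.3 side keeps the mirror image (permit ip host x.x.x.x host y.y.y.y);
!    only IP-level host/subnet matches belong here, never ports.
access-list vendor extended permit ip host y.y.y.y host x.x.x.x

! 2. VPN filter ACL (ASA 7.x or later only; this is what PIX 6.3 cannot do).
!    Written from the REMOTE side's point of view: source = remote (PIX side),
!    destination = local (ASA side). The ASA applies the filter in both directions,
!    swapping addresses for outbound traffic, so this single ACE lets y.y.y.y open
!    TCP 1521 to x.x.x.x and lets the replies back. Any other decrypted flow, in
!    either direction, hits the implicit deny at the end of the filter.
!    The filter is enforced on decrypted tunnel traffic even while
!    'sysopt connection permit-ipsec' / 'permit-vpn' is left in place, so the outside
!    interface ACL does not need to be touched for this.
access-list vendor-vpnfilter extended permit tcp host x.x.x.x eq 1521 host y.y.y.y

! 3. Attach the filter to a group policy and make it the default policy of the
!    site-to-site tunnel-group (tunnel-group name = peer address).
group-policy vendor-l2l internal
group-policy vendor-l2l attributes
 vpn-filter value vendor-vpnfilter
!
tunnel-group PIX_PEER_IP type ipsec-l2l
tunnel-group PIX_PEER_IP general-attributes
 default-group-policy vendor-l2l

! 4. Checks once the tunnel is up (assumed ASA 7.x/8.x show commands):
!    show vpn-sessiondb detail l2l       -> the session for PIX_PEER_IP lists the filter name
!    show access-list vendor-vpnfilter   -> hit count increments on each 1521 connection,
!                                           while a blocked ping from either side leaves it unchanged
```

The design point is that Phase 2 negotiation is driven by the crypto ACL, so both peers must agree on it; the port restriction lives only on the ASA, where it can be changed without renegotiating the tunnel or involving the vendor.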

Very good. Thanks for clarifying!