
New Member

PIX and ASA Site to Site (ACLs)

I am trying to set up a site-to-site VPN tunnel between my PIX 515 (6.3) and a vendor ASA 5510. We can get the tunnel up when the ACL match is full IP, but when we try to just use TCP and a specific port nothing comes through. Any thoughts? Should I be able to restrict the interesting traffic to what is only needed? I am only looking for the ASA side to access a resource on the PIX side on TCP 1521. The PIX side does not need to access anything on the ASA side.

PIX Side x.x.x.x      ASA side y.y.y.y

This ACL works...

PIX

access-list vendor permit ip host x.x.x.x host y.y.y.y

ASA

access-list vendor permit ip host y.y.y.y host x.x.x.x

This ACL does not...

PIX

access-list vendor permit tcp host x.x.x.x eq 1521 host y.y.y.y

ASA

access-list vendor permit tcp host y.y.y.y host x.x.x.x eq 1521

Phase 1 ISAKMP comes up fine; it just fails on the IPsec data transfer.

1 ACCEPTED SOLUTION


4 REPLIES
Bronze


Adding port and protocol information to the crypto access list is not the correct way to restrict traffic. Use an interface access list on the ASA, or apply a VPN filter to a group policy and reference it in your tunnel-group.

New Member


Do you know if the PIX 6.3 supports the VPN filter group policy?

Bronze


No, only 7.x code versions support the use of tunnel-groups and group-policies, which are necessary to implement VPN filtering.

I would suggest filtering traffic at the ASA, because on the PIX you would have to remove the 'sysopt connection permit-ipsec' command (if it's not removed already) to begin filtering on the outside interface.
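The approach the two Bronze replies describe (leave the crypto ACL as a plain `permit ip` match so both peers agree on the proxy identities, then restrict the session with a VPN filter on the ASA side, since PIX 6.3 has no group-policy support) looks like the following on ASA 7.x. This is an added configuration example, not a config from the thread, from Cisco, or from either poster. It reuses the question's PIX-side address x.x.x.x and ASA-side address y.y.y.y; the ACL name VENDOR_VPN_FILTER, the group-policy name VENDOR_GP, PEER_IP and PLACEHOLDER_PSK are placeholders.

```cisco
! Crypto (interesting-traffic) ACL: keep the host-to-host "permit ip" form
! that already brings the tunnel up. Both peers must present matching
! proxy identities in Phase 2, so this is not the place to filter ports.
access-list vendor extended permit ip host y.y.y.y host x.x.x.x

! VPN filter ACL. Filter ACLs are written from the remote peer's point of
! view: source = PIX-side host x.x.x.x, destination = ASA-side host y.y.y.y.
! The ASA applies this line as written to traffic arriving from the tunnel
! and with source/destination reversed to traffic entering the tunnel, so
! one entry covers the TCP 1521 session in both directions. The ACL's
! implicit deny drops everything else over the tunnel.
access-list VENDOR_VPN_FILTER extended permit tcp host x.x.x.x eq 1521 host y.y.y.y

! Attach the filter to a group policy ...
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_VPN_FILTER

! ... and make that group policy the default for the L2L tunnel-group.
! PEER_IP is a placeholder for the PIX outside (peer) address.
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP general-attributes
 default-group-policy VENDOR_GP
tunnel-group PEER_IP ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

After the tunnel is re-established, `show access-list VENDOR_VPN_FILTER` should show the hit count on the permit entry climbing as the ASA-side host connects to x.x.x.x on TCP 1521, while anything else sent across the tunnel is dropped by the filter rather than by the crypto map. The PIX side needs no change beyond its existing `permit ip` crypto ACL; the filtering lives entirely on the ASA, which is what the accepted answer recommends.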

New Member


Very good. Thanks for clarifying!
