Restrict IPsec traffic over a VPN

dadoamaral
Level 1

I have a lan-to-lan IPsec VPN working (PIX501) but I would like to restrict the access from LAN A to LAN B. I tried to use the "no sysopt connection permit-ipsec" command with some changes in the ACCESS-LIST bound to the outside interface. It did not work. Any help would be welcome (doc, previous experience, etc).


5 Replies

puagarwa
Level 1

What you were trying to do is totally correct... the other way is that if you want to restrict traffic at the IP layer and not layer 4 then you can restrict in the nat 0 access-list.

Otherwise removing the sysopt and then restricting the access in the access-list bound to the outside interface is the right way... unfortunately Cisco does not have any document for specifically doing this.

I have 3 access-lists as shown below.

I'm adding the new command (line 3) to the 101 one.

Is that right or I should use one of the VPN access-lists?

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list 101; 3 elements

access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=21870)

access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2300)

access-list 101 line 3 permit tcp FAA 255.255.255.0 any eq citrix-ica (hitcnt=0)

access-list inside_outbound_nat0_acl; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1339)

access-list outside_cryptomap_20; 1 elements

access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=2891)

i think the line 3 in the acl 101 should be:

access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica

It did not work.

I even tried to remove the "eq citrix-ica" to test but the thin client could not connect to Citrix server and the line did not count any hit.

Something else is missing.

Thanks anyway

IT WORKS NOW!

I added 1 more line with UDP/port 1604 to the ACL (see below) and it worked.

Thanks once more.

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list 101; 4 elements

access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=22074)

access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2329)

access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica (hitcnt=1)

access-list 101 line 4 permit udp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq 1604 (hitcnt=1)

access-list inside_outbound_nat0_acl; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1360)

access-list outside_cryptomap_20; 1 elements

access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=3147)
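With "no sysopt connection permit-ipsec" in place, decrypted tunnel traffic is checked against the outside ACL in order, with an implicit deny at the end, which is why ICA needed both the TCP 1494 (citrix-ica) and UDP 1604 lines. The following is an added example, not code from this thread or from Cisco: a small first-match evaluator for the final ACL 101, useful to check which LAN B to LAN A flows will pass before committing the config. It assumes the "FAA" network is 10.10.10.0/24 (a constructed placeholder; the real value is not on the page).

```python
import ipaddress

# Constructed assumption: the thread's "FAA" network is modelled as 10.10.10.0/24.
# 192.168.0.0/24 and 200.162.219.47 are taken from the thread's ACL output.
PORT_NAMES = {"https": 443, "smtp": 25, "citrix-ica": 1494}

# Final ACL 101 from the thread (PIX syntax: proto SRC MASK DST MASK [eq PORT])
ACL_101 = """
permit tcp any host 200.162.219.47 eq https
permit tcp any host 200.162.219.47 eq smtp
permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica
permit udp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 1604
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src_net, dst_net, dst_port) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; anything unmatched hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for flow in [("tcp", 1494), ("udp", 1604), ("tcp", 445)]:
        print(flow, evaluate(acl, flow[0], "10.10.10.5", "192.168.0.20", flow[1]))
```

Flows from LAN B that are not ICA (the SMB 445 probe above, for instance) fall through to the implicit deny, which is the restriction the original question asked for.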
