Access Lists for Pix 501

Discussion in 'Cisco' started by mpilihp, May 12, 2008.

    Hello, I am attempting to create a protected tunneled network inside our corporate network for a security system, using a 3825 router as the core; the tunnel endpoints are PIX 501s. I have the tunnel up and can pass traffic, but I want to lock it down. No NAT is needed, but I am new to PIXes and don't understand how the ACLs are applied. I have the following, which allows the traffic I want sent, but now I want to restrict it to only this.

    ! this is ACL used to identify traffic to encrypt
    access-list ipsec permit ip 10.200.32.0 255.255.255.0 10.200.1.0 255.255.255.0
    !
    ! ACL PERMITS THIS TRAFFIC TO NOT BE NATTED
    access-list vpn_nonat_inside permit ip 10.200.32.0 255.255.255.0 10.200.1.0 255.255.255.0
    !
    ! this acl permits in the encrypted tunnel traffic between the tunnel endpoints
    access-list vpn_nonat_outside permit esp host 10.80.141.10 host 10.90.95.1
    access-list vpn_nonat_outside permit udp host 10.80.141.10 host 10.90.95.1 eq isakmp
    !
    nat (outside) 0 access-list vpn_nonat_outside outside
    nat (inside) 0 access-list vpn_nonat_inside
    no global (outside) 1 interface
    !
    ip address outside 10.80.141.10 255.255.255.0
    ip address inside 10.200.32.1 255.255.255.0
    !
    route outside 0.0.0.0 0.0.0.0 10.80.141.1
    !
    crypto ipsec transform-set idcheck esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map secureid 1 ipsec-isakmp
    crypto map secureid 1 match address ipsec
    crypto map secureid 1 set peer 10.90.95.1
    crypto map secureid 1 set transform-set idcheck
    crypto map secureid interface outside
    isakmp enable outside
    isakmp key ###########blah address 10.90.95.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400

    What I want to do is control what comes out of the tunnel on the PIX inside interface so that it is only from 10.200.1.0, and only on specific ports, so an ACL for that; and I also want to restrict what goes into the tunnel from 10.200.32.x to specific ports.

    Also, I want to restrict what is coming at the outside interface to only what I have specified in the vpn_nonat_outside ACL. This is the only way I was able to get it working, using the nat command at level 0, but I figure there must be a way to specify ACLs for the interfaces themselves.

    Is it:

    access-group vpn_nonat_outside in interface outside or something like that?


    Thanks

    ~ Phil
     
    mpilihp, May 12, 2008
    #1
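An added example (not part of the original post) of how the two kinds of lists differ on a PIX 6.x and how to get the filtering the poster is asking for. The list referenced by `nat ... 0 access-list` only selects traffic for NAT exemption and does not filter anything; the `ipsec` crypto ACL only selects what gets encrypted (and must mirror the peer's list); only a list bound with `access-group NAME in interface IFNAME` drops packets. PIX 6.x applies interface ACLs inbound only, so "what comes out of the tunnel" is filtered on the outside interface after decryption, and "what goes into the tunnel" is filtered on the inside interface. One caveat matters here: with the default `sysopt connection permit-ipsec`, the PIX bypasses the outside ACL for decrypted IPsec traffic, so it must be turned off for the outside list to bite. The port numbers below (443, 3389, 514) are assumptions standing in for whatever the security system actually uses; the addresses are the ones from the post.

```cisco
! Added example, not from the original post. Port numbers are assumptions.
!
! 1. Stop the PIX from skipping the outside ACL for decrypted tunnel traffic.
!    PIX 6.x enables this bypass by default.
no sysopt connection permit-ipsec
!
! 2. Outside interface (inbound). Only the IKE/ESP exchange from the peer to
!    this PIX, plus the decrypted traffic we actually expect from 10.200.1.0.
!    The explicit IKE/ESP entries keep the tunnel up once the bypass is off.
access-list outside_in remark IKE and ESP from the remote tunnel endpoint
access-list outside_in permit udp host 10.90.95.1 host 10.80.141.10 eq isakmp
access-list outside_in permit esp host 10.90.95.1 host 10.80.141.10
access-list outside_in remark decrypted traffic from the remote site (ports assumed)
access-list outside_in permit tcp 10.200.1.0 255.255.255.0 10.200.32.0 255.255.255.0 eq 443
access-list outside_in permit tcp 10.200.1.0 255.255.255.0 10.200.32.0 255.255.255.0 eq 3389
! PIX 6.x does not track ICMP state, so replies to local pings must be
! permitted explicitly here rather than relying on the connection table.
access-list outside_in permit icmp 10.200.1.0 255.255.255.0 10.200.32.0 255.255.255.0 echo-reply
! Anything not listed above is dropped by the implicit deny at the end.
access-group outside_in in interface outside
!
! 3. Inside interface (inbound = traffic from the local LAN heading toward
!    the tunnel). Only local hosts, only to the remote site, only on the
!    expected ports. The implicit deny also blocks anything not destined
!    for 10.200.1.0, which is what "no other traffic" means in practice.
access-list inside_in remark local security devices reaching the remote site
access-list inside_in permit tcp 10.200.32.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 443
access-list inside_in permit udp 10.200.32.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 514
access-list inside_in permit icmp 10.200.32.0 255.255.255.0 10.200.1.0 255.255.255.0 echo
access-group inside_in in interface inside
!
! The crypto ACL and the nat 0 lists from the post stay as they are; they
! select traffic, they do not filter it. Keep the crypto ACL broad (ip) so it
! still mirrors the peer, and do the narrowing in the interface lists above.
```

After applying this, `show access-list outside_in` and `show access-list inside_in` show a hit count per line, which is the quickest way to confirm the expected flows are matching and that nothing is landing on the implicit deny (`debug` on the PIX or `show logging` will show the denied packets if logging is enabled). Return traffic for TCP and UDP flows initiated from the inside is allowed back by the connection table without an entry in `outside_in`; only ICMP needs the explicit reply line. Separately, the IKE/IPsec parameters in the post (`esp-des`, `md5`, `group 1`) are weak by current standards; PIX 6.3 supports `esp-3des`/`esp-aes`, `sha`, and `group 2` when the unit's license allows, and that change must be made on both ends at once.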