VPN Tunnel and Port Restrictions?

Discussion in 'Cisco' started by Chas, Apr 16, 2004.

  1. Chas

    Chas Guest

    Hi. I am still learning about PIX, and I have a question:

    I have a PIX520 running 6.2(2) with 128MB RAM and 16MB Flash and I
    currently have 15 Tunnels configured and running.

    All have "Permit IP" in the access-list statements and I would like to
    change these to limit to specific ports needed for each tunnel. Most
    only need Port 23 (Telnet) but a few need 20 and 21 for FTP.

    I am under the assumption that I should only have to make the change on
    my end. Is this correct, or will similar changes need to be made on
    the firewall at the other end as well?

    Sorry if this is a stupid question, but I am learning as I go.

    Thanks
    Chas, Apr 16, 2004
    #1

  2. In article <>,
    Chas <> wrote:
    :I have a PIX520 running 6.2(2) with 128MB RAM and 16MB Flash and I
    :currently have 15 Tunnels configured and running.

    :All have "Permit IP" in the access-list statements and I would like to
    :change these to limit to specific ports needed for each tunnel. Most
    :only need Port 23 (Telnet) but a few need 20 and 21 for FTP.

    In the ACL that is used for the 'match address' clause, any ports
    you specify will be ignored (and a warning will be issued.)

    In order to limit the ports that can go out over the tunnel, you
    have to ensure that sysopt connection permit-ipsec is off. Once
    it is off, then the outgoing acl filters packets to the tunnels as well.

    For example, if you only want port 23 to go to remote network 192.168.33.x
    from local 192.168.22.x then you would code something like

    access-list vpn2remote permit ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
    crypto map xxxx 1000 match address vpn2remote

    access-list no-nat permit ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
    nat (inside) 0 access-list no-nat

    access-list in2out permit tcp 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0 eq 23
    access-list in2out deny ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
    : other entries here, including for non-tunneled data that should be permitted
    access-group in2out in interface inside


    When permit-ipsec is not active, the traffic going over the tunnel is
    examined by the ACL for the interface it is received on (here, 'in2out'
    for the inside interface) and the traffic is not sent through the tunnel
    unless it passes that filter.


    Note that one thing you *cannot* do is send some packets encrypted and
    others non-encrypted to the same destination address. Any packet that
    doesn't pass the ACL will be dropped before a decision is made about
    tunnelling. Any packet that passes the ACL will go over the tunnel if
    the source and destination IPs match for the crypto-map ACL, with any
    port specs from that ACL being ignored.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
    Walter Roberson, Apr 16, 2004
    #2
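The configuration the reply above describes, extended to Chas's case of one Telnet-only tunnel and one FTP tunnel, as an added example that is not from the original thread. The networks (192.168.22.0/24 local, 192.168.33.0/24 and 192.168.44.0/24 remote), the peer addresses, the ACL and crypto map names and the pre-shared key placeholder are all hypothetical; the syntax is PIX 6.x.

```cisco
: Added example, not from the thread. Addresses, peers, names and key are hypothetical.

: Step 1: stop IPsec traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

: Step 2: crypto ACLs stay network-to-network. Any port here is ignored
: (with a warning), and each one must mirror what the peer has configured.
access-list vpn2siteA permit ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list vpn2siteB permit ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0

: Step 3: keep tunnelled traffic out of NAT.
access-list no-nat permit ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list no-nat permit ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0
nat (inside) 0 access-list no-nat

: Step 4: the inside-interface ACL does the actual port filtering.
: Order matters: per-tunnel permits, then an explicit deny for the rest of
: that remote network, then whatever is allowed out to the Internet.
access-list in2out permit tcp 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0 eq 23
access-list in2out deny ip 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list in2out permit tcp 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0 eq 21
access-list in2out deny ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list in2out permit ip 192.168.22.0 255.255.255.0 any
access-group in2out in interface inside

: The FTP fixup (on by default) watches the control channel on 21 and opens
: the data connection dynamically, so port 20 is not listed in in2out.
fixup protocol ftp 21

: Step 5: the tunnels themselves (hypothetical peers; 6.2 offers 3DES).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <pre-shared-key> address 203.0.113.10 netmask 255.255.255.255
isakmp key <pre-shared-key> address 203.0.113.20 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn2siteA
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address vpn2siteB
crypto map vpnmap 20 set peer 203.0.113.20
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside
```

All of the port restriction lives in in2out on this PIX; the crypto ACLs are untouched and still have to mirror the peers' policy. Two things to check after turning permit-ipsec off: anything the remote sites initiate toward you now has to pass the outside interface's ACL and needs explicit permits there, and a `show conn` during an FTP transfer confirms that the fixup is opening the data connection rather than the inside ACL's deny dropping it.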
