How-to restrict traffic exiting VPN tunnel to certain hosts / ports??

Discussion in 'Cisco' started by ponga, Jun 30, 2009.

  1. ponga Guest

    Greetings. My Cisco CLI is a bit rusty, so any help would be

    We have an IPsec tunnel terminating on our PIX whereby a third party
    gains access to a certain resource on our LAN. Which is well and good,
    and traffic flows fine. However (I have not verified this
    empirically), it seems that anything coming across the VPN tunnel
    destined for our network is able to access every resource for which a
    route exists... this I absolutely do not want. I wish this were as simple
    as it sounds: I want to apply an ACL to restrict the traffic entering our network
    via the tunnel to just one host/port. From trial and error and from what
    I have been reading... this seems impossible. I find that hard to
    believe given how capable the PIX is...

    Is this in fact possible to do with an ACL and if so, how?

    ponga, Jun 30, 2009

  2. bod43 Guest

    I would imagine that you can create inbound and/or outbound
    access-lists and apply them to the inside interface of the

    Check the access-list command to create an access list and
    access-group to apply it to the interface.

    access-list acl_out permit tcp any host eq ftp
    access-list acl_out deny ip any any

    access-group acl_out out interface interface_name
    bod43, Jul 1, 2009

  3. Chino Guest

    > route exists... this I absolutely do not want. I wish this were simple

    This could be done, but you will need to create an access-list for each of
    the inside and DMZ interfaces you want to limit traffic to.
    The solution I prefer is to remove the "sysopt permit ipsec" command, so you
    are forcing the PIX to match inbound IPsec packets against the outside interface
    access-list. Then you can simply add rules to the outside ACL to restrict
    Chino, Jul 1, 2009
  4. ponga Guest

    See, I was thinking about applying an ACL to the egress traffic on the
    inside interface, the approach mentioned by both yourself and Chino.
    But this whole `sysopt permit ipsec` thing has me wondering. See,
    I don't have that line present in my config. I would rather apply the
    ACL to the outside interface, so I will look at doing that. The part I
    am getting confused about is that I have some ACLs that are "matched"
    to a certain tunnel, such as:
    crypto map Reservations 11 ipsec-isakmp
    description Tunnel toNoWhere
    set peer
    set transform-set ESP-3DES-SHA1
    match address 106
    I'm not sure what role this "match address" business plays, is that
    like "access-group"'ing an ACL to an interface?

    Thanks for the tips though, makes sense!!!
    ponga, Jul 1, 2009
  5. Uli Link Guest

    access-list 106 describes the traffic to be encrypted through the crypto

    If you want to restrict traffic after or before encryption via crypto map,
    refer to

    Perhaps you would rather want a logical tunnel interface using IPsec profiles and
    tunnel protection. The config is more straightforward and also supports
    routing protocols.
    Uli Link, Jul 1, 2009
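Putting the three pieces from Chino's and Uli Link's replies together, here is an added example configuration (written for this page, not posted by anyone in the thread) in PIX 7.x / ASA syntax. All addresses and object names are constructed: 203.0.113.10 is the third party's VPN peer, 192.0.2.0/24 is their LAN, 10.1.1.0/24 is the local inside LAN, and 10.1.1.50 on TCP/443 is the one resource the partner is allowed to reach. The crypto ACL bound with "match address" only selects what gets encrypted; the filtering is done by the outside interface ACL once decrypted packets are no longer allowed to bypass it. On IOS the crypto map lines look like the ones ponga pasted (indented under "crypto map ... ipsec-isakmp"), but the role of "match address" is the same.

```cisco
! Added example, not from the thread. Lines starting with "!" are annotations.

! 1. Crypto ACL: bound to the crypto map via "match address". It defines the
!    traffic that is encrypted to this peer and must mirror the peer's crypto ACL.
!    It does NOT filter anything; a narrower crypto ACL just means less traffic
!    is sent through the tunnel, it does not stop the peer reaching other hosts.
access-list vpn_to_partner extended permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0

crypto map Reservations 11 match address vpn_to_partner
crypto map Reservations 11 set peer 203.0.113.10
crypto map Reservations 11 set transform-set ESP-3DES-SHA1
crypto map Reservations interface outside

! 2. Stop decrypted packets from bypassing the outside interface ACL.
!    On PIX 7.x / ASA this option is ON by default and, like other defaults,
!    does not appear in "show running-config"; check it with
!    "show running-config all sysopt" before assuming it is absent.
no sysopt connection permit-ipsec
! ASA 7.2 and later use the keyword permit-vpn instead:
! no sysopt connection permit-vpn

! 3. Outside ACL: decrypted traffic from the partner LAN is now evaluated here.
!    Allow only the one host/port, then drop and log everything else from them.
!    These two lines must sit ABOVE any broad "permit" rules already in the ACL.
access-list outside_in extended permit tcp 192.0.2.0 255.255.255.0 host 10.1.1.50 eq 443
access-list outside_in extended deny ip 192.0.2.0 255.255.255.0 any log
! (existing rules for ordinary, non-VPN inbound traffic follow here)
access-group outside_in in interface outside

! 4. Verify: hit counts on the two partner rules should increase as the
!    partner sends traffic. If they stay at zero while traffic still flows,
!    decrypted packets are still bypassing the ACL (step 2 not in effect).
show access-list outside_in
show running-config all sysopt
```

The same restriction can alternatively be expressed per tunnel rather than on the outside interface: PIX 7.x / ASA support a "vpn-filter" ACL in the group-policy attached to the peer's tunnel-group, which is applied only to that peer's decrypted traffic and is independent of the sysopt setting. Whichever method is used, the check in step 4 is the one that tells you the filter is actually being consulted.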
  6. ponga Guest

    Got it!! That's the part I was missing. I was not sure what the
    meaning of that "match address" line was. Now I understand.
    Also, without the "sysopt permit ipsec" line, I *GUESS* that I am now
    able to apply rules to the ACL that is applied to the outside
    interface and therefore filter with that ACL. I'm guessing that's how
    that works. I've added rules to that ACL, but I am not seeing any
    counts for the rules I have added, though traffic is still flowing.
    Perhaps clear the crypto SAs... don't know. But I think I have a
    handle on it now.

    Thanks to EVERYONE that replied!!
    ponga, Jul 1, 2009