
Where are VPN ACL's normally configured ???


gmail2

Programmer
Jun 15, 2005
987
IE
I've just created a VPN between 2 PIX boxes. We've defined interesting traffic using an ACL, however we want to control what ports go through (ie SMTP, POP3 etc) but can't seem to do it. We have a 506 at a remote site and a 515 at head office. I created an inbound ACL on the inside interface of the 506 to control these. Then I created an inbound ACL on the 515 on the outside interface. However, when we did this everything was going through - even ports that were blocked. We could even see the hit count on the deny any any line going up. Although I've read somewhere here this morning that VPN traffic ignores ACLs?? But if that's the case why does it increase the hit count?

Anyway, after this we thought that perhaps there was a session open and that was allowing these prohibited connections through. So we shut down and brought back up again the outside interface on the 515. When we did this the VPN wouldn't come up any more, phase one was successful but phase 2 failed - the logs said it was blocked by ACL. When we removed the inbound ACL on the outside interface of the 515 the VPN came up again. So where is it that we're supposed to put this ACL? What is the norm?
 
You would control traffic using access-lists on the INSIDE interface of each firewall. Let's say you have an IP range behind one firewall that is 192.168.1.0 and the IP range on the opposite end is 172.16.1.0. If you wanted to restrict only SMTP and POP3 going through the VPN tunnel, but allow all ports out to the Internet, the following commands would do it:

access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq pop3
access-list outbound deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outbound permit ip any any
access-group outbound in interface inside

... and you would essentially do the same (but with source and dest IPs reversed) on the opposite firewall.
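As an added example (not code from this thread or from Cisco), the following Python script parses the access-list lines from the answer above and evaluates a few sample flows against them with the same first-match semantics the PIX uses, including the implicit deny at the end of the list. It also runs a constructed variant with the deny entry moved after "permit ip any any" to show why entry order decides what reaches the tunnel. The flow addresses, the 203.0.113.9 Internet host and the small port-name table are constructed for the example.

```python
"""Evaluate the PIX access-list from the answer above against sample flows.

Added example, not code from the thread or from Cisco. It models first-match
ACL evaluation with the implicit deny at the end of the list. Sample flow
addresses and the port-name table are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed table for the PIX port keywords that appear in the post.
PORT_NAMES = {"smtp": 25, "pop3": 110}

# The access-list lines exactly as given in the answer (the access-group
# line is not part of the list itself and is skipped by the parser).
POST_ACL = """
access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq pop3
access-list outbound deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outbound permit ip any any
access-group outbound in interface inside
"""

# Constructed counter-example: the same entries with the deny placed after
# 'permit ip any any', so the deny is never reached for tunnel traffic.
MISORDERED_ACL = """
access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq pop3
access-list outbound permit ip any any
access-list outbound deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port


def _parse_addr(tok: List[str], i: int):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue                      # skip access-group and blank lines
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1])
            if dport is None:
                dport = int(tok[i + 1])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None) -> str:
    """First match wins; a flow matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# Constructed flows from a host behind the 192.168.1.0/24 firewall.
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.10", "172.16.1.5", 25),    # SMTP through the tunnel
    ("tcp", "192.168.1.10", "172.16.1.5", 110),   # POP3 through the tunnel
    ("tcp", "192.168.1.10", "172.16.1.5", 80),    # HTTP to the remote LAN
    ("udp", "192.168.1.10", "172.16.1.5", 53),    # DNS to the remote LAN
    ("tcp", "192.168.1.10", "203.0.113.9", 80),   # HTTP to the Internet
]


def check_flows(acl_text: str) -> dict:
    """Map each sample flow to the action the given access-list yields."""
    entries = parse_pix_acl(acl_text)
    return {f: evaluate(entries, *f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("as posted", POST_ACL), ("deny moved last", MISORDERED_ACL)):
        print(name)
        for flow, action in check_flows(acl).items():
            print(f"  {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {action}")
```

With the list as posted, only SMTP and POP3 reach the 172.16.1.0/24 side while any other traffic to the Internet is still permitted; with the deny moved below "permit ip any any" the HTTP flow to the remote LAN is permitted too, which is the kind of mistake a rising hit counter on the wrong line will not reveal on its own.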
 
OK I did that but we've got problems. Because of the sysopt connection permit-ipsec all VPN traffic is blocked - even though the ACL in question is on the inside interface. If we put no sysopt connection permit-ipsec the ACL blocks the IPSEC connection and the VPN never gets initiated. I would have thought that by the time the traffic hits the inside interface it's no longer considered to be VPN traffic. Seeing that when it's leaving the remote PIX it's not considered to be VPN traffic until after it's gone through the inside (in) ACL? Does that make sense? There must be some way to control VPN traffic surely?
 