Encrypting TCP traffic by service using site-to-site VPN

chrispresland — Fri, 21 Feb 2020 07:37:44 GMT

Hi,

Could anyone shed some light on the following problem I am having?

I have set up a site-to-site VPN, and am able to have traffic encrypted/decrypted perfectly when protecting ALL IP traffic between local and remote hosts. My problem lies when I want to tie things down to only protecting specific tcp traffic between the hosts.

For example, I only want to protect Terminal Services tcp 3389 traffic between local and remote hosts. Is this Possible??

Below is a bit of the config that works, as well as the TCP-specific service access-lists which dont work below:

Working Config:

object-group network TS-Client-Group

description TS Clients

network-object TSC1 255.255.255.255

network-object TSC2 255.255.255.255

network-object TSC3 255.255.255.255

network-object TSC4 255.255.255.255

access-list inside_nat0_outbound permit ip host TSC1 host RFUTS1

access-list inside_nat0_outbound permit ip host TSC2 host RFUTS1

access-list inside_nat0_outbound permit ip host TSC3 host RFUTS1

access-list inside_nat0_outbound permit ip host TSC4 host RFUTS1

access-list outside_cryptomap_20 permit ip host TSC1 host RFUTS1

access-list outside_cryptomap_20 permit ip host TSC2 host RFUTS1

access-list outside_cryptomap_20 permit ip host TSC3 host RFUTS1

access-list outside_cryptomap_20 permit ip host TSC4 host RFUTS1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer PIX-Peer

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address PIX-Peer netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

If I alter the protected traffic access-lists to specific TCP traffic, things stop working.

Even when adding access-lists allowing esp and isakmp traffric between all specific hosts...

access-list outside_cryptomap_20 permit tcp host TSC1 host RFUTS1 eq 3389

access-list outside_cryptomap_20 permit tcp host TSC2 host RFUTS1 eq 3389

access-list outside_cryptomap_20 permit tcp host TSC3 host RFUTS1 eq 3389

access-list outside_cryptomap_20 permit tcp host TSC4 host RFUTS1 eq 3389

Re: Encrypting TCP traffic by service using site-to-site VPN

aacole — Thu, 16 Sep 2004 15:10:04 GMT

First, have you tried the crypto ACL without the `eq 3389' keyword?

I suspect that the problem lies with that port, which the above would prove/disprove.

You could use the log keyword on the crypto ACL entry, then it should output a line on the console port indicating which source and destination ports are in use.

Andy

topic Re: Encrypting TCP traffic by service using site-to-site VPN in Network Security

Encrypting TCP traffic by service using site-to-site VPN

Re: Encrypting TCP traffic by service using site-to-site VPN