topic Re: Port based restrcition in VPN in Network Security

Port based restrcition in VPN

ankurs2008 — Mon, 11 Mar 2019 14:31:55 GMT

We are having a PIX 6.3(3) firewall on which lot of Site to Site VPNs are configured.The below is a crypto ACL which needs to be restricted on a port basis ; however when we configure it for a port basis it doesnot works and we have to continue the IP based access.I have read that port based restriction is possible for the S2S tunnels with the ACE feature of the PIX 7.0 and above ,please let us know if i can go and configure the same . Also is there any possibility of restricting the S2S Crypto ACL on a port basis on versio 6.3(3).

access-list S2SVPN permit ip host 10.25.X.X 192.168.3.2 255.255.255.255

access-list S2SVPN permit ip host 10.25.X.X 192.168.1.10 255.255.255.255

Re: Port based restrcition in VPN

ankurs2008 — Mon, 05 Jan 2009 20:23:40 GMT

please help me on this

Re: Port based restrcition in VPN

acomiskey — Mon, 05 Jan 2009 20:43:34 GMT

Leave the crypto acl as ip. Create a traditional interface access list to filter the traffic. Then to allow the interface acl to actually work, you need to disable sysopt connection permit-ipsec. This will stop all your ipsec traffic from bypassing your interface acls.

Re: Port based restrcition in VPN

ankurs2008 — Tue, 06 Jan 2009 08:50:28 GMT

Thanks a lot .Please tell me if there is any specific reason to let the Crypto ACLs IP based only . Also the option you have told fits in 6.3(3) and 6.3(5) however if we plan to upgrade the PIX to 7.0 , can we put port based restriction according to group-policy / tunnel group feature ?If yes , do we need to disable " sysopt connection permit-ipsec" for 7.0 also (while configuring ACE)?

Re: Port based restrcition in VPN

acomiskey — Tue, 06 Jan 2009 13:56:22 GMT

Yes you can do it in 7, or you can use the vpn-filter feature. If you use vpn-filter, you leave the sysopt enabled.

Re: Port based restrcition in VPN

ankurs2008 — Tue, 06 Jan 2009 15:11:14 GMT

Thanks a lot for resolving my query ; however i still have one question which iam trying hard to figure out is if there is any specific reason to let the Crypto ACLs IP based only .

Re: Port based restrcition in VPN

sachinraja — Tue, 06 Jan 2009 21:38:19 GMT

Hello Ankur

Really nice question 🙂

We generally tend to leave the ACL's to IP based, to reduce complexity ! It just reduces the processing power of the router to a great extent.. It is simple, u know.. and the issue is, the crypto ACL's have to match between the source and destination.. on a remote branch it might be logical to have a port based ACL, but think of a DC, where many tunnels are terminating.. it would be a big nightmare for the administrator to have port based crypto ACL's in that case.. it can also cause relatively high CPU usage if IP based ACL's are not used !! Hence I would recommend you to stick on with IP based ACL's and restrict access on the internal interface using standard ACL's, as the other poster suggested..

Hope this helps.. all the best..

Raj

Re: Port based restrcition in VPN

ankurs2008 — Wed, 07 Jan 2009 11:54:00 GMT

hi raj

this is not the answer i am looking for as the question of feasibility to put in a large DC arises when at least port based Crypto ACL works ,the issue is that it doesnot works at all The IP based crypto ACL works with "sysopt connection permit-ipsec" command , however it doesnot works if TCP / UDP is specified in place of IP access in Crypto ACLS

Re: Port based restrcition in VPN

sachinraja — Wed, 07 Jan 2009 20:29:23 GMT

Ankur

I think your question was "is there any specific reason to let the Crypto ACLs IP based only " for which I had given a reply.. If your question was something different, I would have answered appropriately.. 🙂

In any case, theoritically it should work.. what TCP ports are you trying to put on the crypto ACL ? with the normal TCP ports of the application, you must also allow protocols like icmp etc, to make sure you keep the tunnel alive... The IPSEC tunnel is basically built, when any traffic is destined to a particular destination, with a particular port, defined in the crypto ACL !

Can you explain me your requirement ? what kind of application ? Do you have the configs that you had tested for port based ACL ?

Regards

Raj

Re: Port based restrcition in VPN

ankurs2008 — Fri, 09 Jan 2009 07:55:51 GMT

Following are the 2 ACLs.IP based Crypto ACL works while port based Crypto ACL doesnot

IP based Crypto ACL

access-list S2SVPN permit ip host 10.25.1.3 host 192.168.3.2

access-list S2SVPN permit ip host 10.25.1.4 host 192.168.1.10

Port based Crypto ACL

access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22

Regards

Ankur

Re: Port based restrcition in VPN

ankurs2008 — Tue, 13 Jan 2009 16:51:55 GMT

i have sent the config , please respond to this

Re: Port based restrcition in VPN

ankurs2008 — Wed, 21 Jan 2009 07:48:01 GMT

can some body please throw some light on this

Re: Port based restrcition in VPN

pim.sijnja — Thu, 22 Jan 2009 15:47:53 GMT

Hi,

The only thing I can think of is that the ACL's do not match on both sides of the VPN. If one side uses port based ACL and the other uses IP based, the proxy-id's will not match and the VPN will not work.

Re: Port based restrcition in VPN

ankurs2008 — Fri, 23 Jan 2009 20:13:49 GMT

i ensure that Both the sides are using mirror images whether it is IP based crypto ACL or port based crypto ACL .The only thing is latter doesnot works .

Re: Port based restrcition in VPN

acomiskey — Fri, 23 Jan 2009 20:30:21 GMT

Ok, so if you used the port based acl

access-list S2SVPN permit tcp host 10.25.1.3 host 192.168.3.2 eq 22

access-list S2SVPN permit tcp host 10.25.1.4 host 192.168.1.10 eq 22

your mirror on the other end would have to be...

access-list S2SVPN permit tcp host 192.168.3.2 eq 22 host 10.25.1.3

access-list S2SVPN permit tcp host 192.168.1.10 eq 22 host 10.25.1.4

Is this what you're trying to do?