Encrypting TCP traffic by service using site-to-site VPN

chrispresland
Level 1

Hi,

Could anyone shed some light on the following problem I am having?

I have set up a site-to-site VPN, and am able to have traffic encrypted/decrypted perfectly when protecting ALL IP traffic between local and remote hosts. My problem lies when I want to tie things down to only protecting specific tcp traffic between the hosts.

For example, I only want to protect Terminal Services tcp 3389 traffic between local and remote hosts. Is this possible?

Below is a bit of the config that works, as well as the TCP-specific service access-lists which don't work below:

Working Config:

object-group network TS-Client-Group
description TS Clients
network-object TSC1 255.255.255.255
network-object TSC2 255.255.255.255
network-object TSC3 255.255.255.255
network-object TSC4 255.255.255.255
access-list inside_nat0_outbound permit ip host TSC1 host RFUTS1
access-list inside_nat0_outbound permit ip host TSC2 host RFUTS1
access-list inside_nat0_outbound permit ip host TSC3 host RFUTS1
access-list inside_nat0_outbound permit ip host TSC4 host RFUTS1
access-list outside_cryptomap_20 permit ip host TSC1 host RFUTS1
access-list outside_cryptomap_20 permit ip host TSC2 host RFUTS1
access-list outside_cryptomap_20 permit ip host TSC3 host RFUTS1
access-list outside_cryptomap_20 permit ip host TSC4 host RFUTS1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer PIX-Peer
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PIX-Peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

If I alter the protected traffic access-lists to specific TCP traffic, things stop working.

Even when adding access-lists allowing esp and isakmp traffic between all specific hosts...

access-list outside_cryptomap_20 permit tcp host TSC1 host RFUTS1 eq 3389
access-list outside_cryptomap_20 permit tcp host TSC2 host RFUTS1 eq 3389
access-list outside_cryptomap_20 permit tcp host TSC3 host RFUTS1 eq 3389
access-list outside_cryptomap_20 permit tcp host TSC4 host RFUTS1 eq 3389

1 Reply

aacole
Level 5

First, have you tried the crypto ACL without the 'eq 3389' keyword?

I suspect that the problem lies with that port, which the above would prove/disprove.

You could use the log keyword on the crypto ACL entry, then it should output a line on the console port indicating which source and destination ports are in use.

Andy
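The matching behaviour the two posts are discussing, as an added example that is not part of either post: a small Python model of how a PIX-style crypto ACL selects interesting traffic. It assumes the usual mirror-image rule (inbound decrypted packets are checked against the entry with source and destination swapped) and ignores masks and object-groups; the sample flows are constructed. Run against the post's 'permit ip' and 'permit tcp ... eq 3389' entries, it shows that the port-specific entry selects only the RDP connection and its reply, so a ping or any other service between the same hosts is no longer interesting traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str                   # tcp, udp or icmp
    src: str
    dst: str
    sport: Optional[int] = None  # None for icmp
    dport: Optional[int] = None

ACE_RE = re.compile(r"access-list\s+\S+\s+permit\s+(ip|tcp|udp|icmp)\s+host\s+(\S+)"
                    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")

def parse_ace(line: str) -> Tuple[str, str, str, Optional[int]]:
    """Parse one 'permit PROTO host A host B [eq PORT]' entry into (proto, src, dst, port).
    Masks and object-groups are out of scope for this simplified matcher."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, src, dst, port = m.groups()
    return proto, src, dst, (int(port) if port else None)

def ace_matches(ace, flow: Flow) -> bool:
    """Outbound packets match the entry as written; inbound decrypted packets are checked
    against its mirror image, so an 'eq' port then applies to their *source* port."""
    proto, src, dst, port = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if (src, dst) == (flow.src, flow.dst):      # outbound direction
        return port is None or port == flow.dport
    if (src, dst) == (flow.dst, flow.src):      # mirrored, inbound direction
        return port is None or port == flow.sport
    return False

def selected_flows(acl: List[str], flows: List[Flow]) -> List[Flow]:
    # Flows that at least one entry selects as interesting (to-be-encrypted) traffic.
    aces = [parse_ace(line) for line in acl]
    return [f for f in flows if any(ace_matches(a, f) for a in aces)]

# The two crypto ACL variants from the post, reduced to the TSC1 entry.
WORKING_ACL = ["access-list outside_cryptomap_20 permit ip host TSC1 host RFUTS1"]
PORT_ACL = ["access-list outside_cryptomap_20 permit tcp host TSC1 host RFUTS1 eq 3389"]
# Constructed sample flows: RDP setup and its reply, an SMB attempt, and a test ping.
SAMPLE_FLOWS = [
    Flow("tcp", "TSC1", "RFUTS1", 51234, 3389),
    Flow("tcp", "RFUTS1", "TSC1", 3389, 51234),
    Flow("tcp", "TSC1", "RFUTS1", 51235, 445),
    Flow("icmp", "TSC1", "RFUTS1"),
]
```

The peer's crypto ACL has to mirror whatever the local one selects, so when narrowing to a port the `log` keyword suggested above is the quickest way to confirm which source and destination ports the real traffic carries.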
