11-16-2004 02:39 AM - edited 02-20-2020 11:45 PM
Hi,
Is it possible to restrict traffic types over a site-to-site VPN with a PIX? I am looking to restrict traffic to SMTP, ping and POP3.
I have the VPN working at the moment, but every time I change the access-list it stops working! I have also tried applying an inbound access-list on the remote site, but no joy.
I would like to know if this is possible.
Regards
Bryan
11-16-2004 03:30 AM
Hello Bryan,
Yes, it is possible to restrict traffic going through an IPsec tunnel. The crypto ACL is the one that you have to change. This specifies the interesting traffic which will initiate the tunnel. You can change this and let us know!
crypto map mymap 10 match address 100
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 25
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 110
(10.1.1.0/24 is the local network, 192.168.1.1 the remote server)
The same should be configured on the other end, so that the interesting traffic matches on both sides!
All the best !!
11-16-2004 04:21 AM
Hi,
Thanks for the info. I have been doing this and the tunnel initiates but does not forward traffic. The access-list shows the rule is being hit.
My nat 0 rule is set site to site, 192.168.1.0/24 to 192.168.2.0/24.
But if I go back to my original config of subnet to subnet for the crypto map, everything works OK, so I know it's the access-list changes that stop things working. Both ends are set up the same.
I am at a loss really. Any ideas welcome!
Regards
11-16-2004 04:40 AM
Laurence,
Can you post your PIX config please? Make sure to take out any sensitive info. Also post the output from debug crypto ipsec and debug crypto isakmp after you make the changes to the access-list.
Issue clear crypto ipsec sa and clear crypto isakmp sa before running the debug, then try a simple ping from your PIX to the other PIX with the modified ACLs (make sure that you don't have any icmp deny statements on either side).
Post your output here or if you like mail to me at:
Jay
11-16-2004 06:03 AM
Hi Jay,
I enclose the central and remote site configs with the modified crypto ACLs. The tunnel will initiate with this but will not forward traffic.
If I set the crypto ACL back to subnet to subnet it works fine!
I have found an extract in the manual which states that inbound filters on the interface should be used to control traffic. This makes the config a lot more complicated, as I thought I could do it with the crypto ACL.
Regards
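Added example (not from this thread or either poster's config) of the approach the manual extract above points to: keep the crypto ACL and nat 0 ACL subnet-to-subnet on both PIXes so the SAs stay in sync, and enforce the SMTP/POP3/ping restriction with the inbound ACL on the outside interface instead. It assumes PIX 6.x syntax, central LAN 192.168.1.0/24 with an assumed mail server at 192.168.1.10, remote LAN 192.168.2.0/24, and that the crypto map, transform set and peer lines already exist; lines starting with ':' are comments for the reader.

```cisco
: --- central-site PIX (example, not the poster's configuration) ---
: crypto ACL and nat 0 ACL stay subnet-to-subnet; the remote PIX gets the exact mirror
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map mymap 10 match address vpn_traffic
: by default decrypted IPsec packets bypass interface ACLs; turn that off so outside_in filters them
no sysopt connection permit-ipsec
: remote LAN may only reach the mail server on SMTP and POP3, plus ping
: PIX 6.x keeps no ICMP state, so echo and echo-reply both need explicit permits
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 25
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 110
access-list outside_in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list outside_in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-group outside_in in interface outside
: if you restrict the crypto ACL itself instead, the two sides must mirror exactly,
: with the port on the server side of each line, e.g. for SMTP:
:   central: access-list 100 permit tcp host 192.168.1.10 eq 25 192.168.2.0 255.255.255.0
:   remote:  access-list 100 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 25
```

The implicit deny at the end of outside_in drops everything else arriving from the remote LAN through the tunnel, which is the restriction the first post asks for without touching the interesting-traffic definition.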