Site to Site with PIX 515's

laurence-smith
Level 1

Hi,

Is it possible to restrict traffic types over a site-to-site VPN with PIX? I am looking to restrict traffic to SMTP, ping and POP3.

I have the VPN working at the moment, but every time I change the access-list it stops working! I have also tried applying an inbound access-list on the remote site, but no joy.

I would like to know if this is possible?

Regards

Bryan

4 Replies

sachinraja
Level 9

Hello Bryan,

Yes, it is possible to restrict traffic going through an IPsec tunnel. The crypto ACL is the one you have to change; it specifies the interesting traffic which will initiate the tunnel. You can change this and let us know!

crypto map mymap 10 match address 100
! 10.1.1.0/24 is the local network, 192.168.1.1 is the remote server
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 25
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 110

The same should be configured on the other end, so that the interesting traffic matches on both sides!

All the best !!
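The crypto ACL approach carried through on both peers, as an added example that is not part of the original posts. The detail worth checking is that the two crypto ACLs must be mirror images of each other rather than copies: when an entry names a TCP port on the destination, the matching entry on the far peer has that port on the source. The addresses (10.1.1.0/24 central, 192.168.1.1 remote server, 203.0.113.1/.2 outside addresses), the names vpn-crypto, vpn-nonat, mymap and myset, and the pre-shared key placeholder are all assumed for illustration; the IKE and transform-set settings are plain PIX 6.x defaults, not taken from the poster's config.

```cisco
! ---- Central PIX: inside 10.1.1.0/24, outside 203.0.113.1, peer 203.0.113.2 ----
! Crypto ACL: only SMTP, POP3 and ICMP to the remote server count as interesting
! traffic, so only those flows are encrypted. (Addresses and names assumed.)
access-list vpn-crypto permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 25
access-list vpn-crypto permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.1 eq 110
access-list vpn-crypto permit icmp 10.1.1.0 255.255.255.0 host 192.168.1.1
! NAT exemption can stay at subnet level; it does not have to match the crypto
! ACL entry for entry, it only has to cover everything the crypto ACL covers.
access-list vpn-nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
! IKE phase 1 (the key is a placeholder)
isakmp enable outside
isakmp key CHANGE-ME-psk address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! IPsec phase 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-crypto
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
sysopt connection permit-ipsec

! ---- Remote PIX: inside 192.168.1.0/24, outside 203.0.113.2, peer 203.0.113.1 ----
! Mirror image of the central crypto ACL: source and destination swapped, and
! the port moves to the SOURCE side because the server answers from 25/110.
! A verbatim copy of the central ACL here gives mismatched proxy identities.
access-list vpn-crypto permit tcp host 192.168.1.1 eq 25 10.1.1.0 255.255.255.0
access-list vpn-crypto permit tcp host 192.168.1.1 eq 110 10.1.1.0 255.255.255.0
access-list vpn-crypto permit icmp host 192.168.1.1 10.1.1.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
isakmp enable outside
isakmp key CHANGE-ME-psk address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-crypto
crypto map mymap 10 set peer 203.0.113.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
sysopt connection permit-ipsec
```

After clear crypto ipsec sa on both ends and a ping or an SMTP connection from 10.1.1.0/24 to 192.168.1.1, show crypto ipsec sa should list a separate SA pair for each crypto ACL entry, with the local ident and remote ident lines carrying the protocol and port that the entry names; if the two peers' identities are not mirrors, phase 2 negotiation for that entry fails rather than silently passing traffic. One caveat with this approach: traffic to 192.168.1.0/24 that does not match the crypto ACL is not dropped by the crypto map, it simply is not encrypted, so it leaves the outside interface in the clear (still un-NATed, since vpn-nonat covers it) and relies on the upstream router to discard it. If that matters, deny it explicitly with an ACL on the inside interface.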

Hi,

Thanks for the info. I have been doing this, and the tunnel initiates but does not forward traffic. The access-list shows the rule is being hit.

My nat 0 rule is set site to site 192.168.1.0/24 to 192.168.2.0/24.

But if I go back to my original config of subnet to subnet for the crypto map, everything works OK, so I know it's the access-list changes that stop things working. Both ends are set up the same.

I am at a loss really. Any ideas welcome!

Regards

Laurence,

Can you post your PIX config please? Make sure to take out any sensitive info. Also post the output from debug crypto ipsec and debug crypto isakmp after you make the changes to the access-list.

Issue clear crypto ipsec sa and clear crypto isakmp sa before running the debug, then try a simple ping from your PIX to the other PIX with the modified ACLs (make sure that you don't have any ICMP deny statements on either side).

Post your output here or if you like mail to me at:

jmia@ohgroup.co.uk

Jay

Hi Jay,

I enclose the central and remote site configs with the modified crypto ACLs. The tunnel will initiate with this but will not forward traffic.

If I set the crypto ACL back to subnet to subnet, it works fine!

I have found an extract in the manual which states that inbound filters on the interface should be used to control traffic. This makes the config a lot more complicated, as I thought I could do it with the ACL for the crypto.

Regards
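The interface-filter approach the manual points at, as an added example that is not part of the original posts: keep the crypto ACL at subnet to subnet (the configuration that already works), turn off sysopt connection permit-ipsec so that decrypted tunnel traffic is no longer exempt from interface ACLs, and then filter on the outside and inside interfaces. The addresses (10.1.1.0/24 central, 192.168.1.0/24 remote, 203.0.113.1/.2 outside addresses) and the names vpn-crypto, vpn-nonat, mymap, outside_in and inside_in are assumed for illustration; the remote PIX gets the same configuration with the two subnets and peer addresses swapped.

```cisco
! ---- Central PIX: inside 10.1.1.0/24, outside 203.0.113.1, peer 203.0.113.2 ----
! Crypto ACL stays subnet to subnet, i.e. the configuration that already works;
! one IP-level SA pair carries everything and the filtering happens elsewhere.
! (Addresses and names assumed.)
access-list vpn-crypto permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn-nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
crypto map mymap 10 match address vpn-crypto
! By default decrypted IPsec traffic bypasses the interface ACLs. Turn that off
! so packets arriving through the tunnel are checked against the outside ACL.
no sysopt connection permit-ipsec
! Outside inbound: what the remote site may start through the tunnel. Replies to
! TCP connections we started are allowed by the stateful engine and need no
! entry. ICMP is not tracked statefully on PIX 6.x unless fixup protocol icmp
! is enabled, so echo-reply needs its own entry for our pings to work.
! If there is already an ACL bound to outside, merge these lines into it;
! only one access-group per interface and direction is allowed.
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 25
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 110
access-list outside_in permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-list outside_in permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
! IKE and ESP terminate on the PIX itself and are normally accepted without an
! ACL entry; these two lines are a harmless belt-and-braces addition in case
! phase 1 stops after the sysopt change. (Assumption, not from the posts.)
access-list outside_in permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list outside_in permit esp host 203.0.113.2 host 203.0.113.1
! Everything else from the remote subnet hits the implicit deny at the end.
access-group outside_in in interface outside
! Inside inbound: what our users may start towards the remote site. The deny
! entry stops anything else addressed to 192.168.1.0/24 from entering the
! tunnel; the final permit keeps ordinary Internet access working.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 25
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 110
access-list inside_in permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list inside_in deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

With this layout the crypto ACLs on the two peers remain simple mirrors and phase 2 negotiates a single SA pair, so the "tunnel comes up but forwards nothing" symptom cannot come from mismatched proxy identities. The trade-off is the one the poster notes: the policy now lives in the interface ACLs on both firewalls, and show access-list (hit counts on outside_in and inside_in) becomes the place to look when a flow is unexpectedly blocked.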
