PIX 501 VPN + tcp ports

rob
Level 1

Hi all,

I have a vpn between my 2 pix 501's. How would I allow traffic to flow on certain ports? I'm trying to get ports 21 and 25 up and running and although the vpn seems to work fine, I don't seem to be able to pass traffic on any ports.

When I try to include them in the access-list, I get:

WARNING: access-list protocol or port will not be used

and

WARNING: access-list has port selectors may have performance impact

any ideas?

cheers very much!

Rob

1 Reply

ROBERTO TACCON
Level 4

You need to change the default configuration command:

connection permit-ipsec

Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.

sysopt connection permit-ipsec

Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements.

An access-list or conduit command statement must be available for inbound sessions.

By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, the secondary access list check could be redundant. To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.

with

no connection permit-ipsec

and apply an access-list for the IPsec traffic, for example:

!
access-list incoming->outside remark ## VPN SITE TO SITE
access-list incoming->outside permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq 21
access-list incoming->outside permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq 25
!
access-group incoming->outside in interface outside
!
access-list NoNat-INSIDE permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
nat (inside) 0 access-list NoNat-INSIDE
!

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026942

Bye.
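The reply above in one piece, as a complete PIX 6.3 configuration for one end of the tunnel. This is an added example, not Rob's or Roberto's configuration: the site addresses (192.168.1.0/24 local, 192.168.2.0/24 remote), the outside addresses 203.0.113.1 and 198.51.100.1, the pre-shared key placeholder and the ACL, transform-set and crypto-map names are all assumptions chosen for illustration. The point it shows is the split the reply describes: the ACL referenced by the crypto map (the "interesting traffic") matches by IP only, while the port restriction lives in the outside interface ACL, which the PIX only consults for decrypted traffic once sysopt connection permit-ipsec has been turned off. The lines starting with ":" are comments for the reader, in the style the PIX uses in its saved configuration; drop them when pasting at the CLI.

```text
: PIX 6.3, site A (hypothetical addresses; added example, not from the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

: interesting traffic for the tunnel: IP only, no port selectors here
access-list VPN-TO-B permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: keep site-to-site traffic out of NAT; everything else is PATed to the outside address
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

: decrypted traffic must now pass the outside interface ACL
no sysopt connection permit-ipsec

: what site B is allowed to initiate through the tunnel: FTP control and SMTP only
access-list OUTSIDE-IN remark ## from site B over the VPN
access-list OUTSIDE-IN permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21
access-list OUTSIDE-IN permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 25
access-group OUTSIDE-IN in interface outside

: IKE phase 1 (pre-shared key placeholder; site B peer is 198.51.100.1)
isakmp enable outside
isakmp identity address
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: IPsec phase 2, bound to the IP-only interesting-traffic ACL
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TO-B
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
```

Site B mirrors this with the subnets and peer address swapped. Two things to check once the tunnel is up (show crypto isakmp sa and show crypto ipsec sa): the OUTSIDE-IN list governs only sessions initiated from the remote site, since replies to connections opened from the inside are allowed by the PIX's stateful inspection, and FTP on port 21 relies on the default fixup protocol ftp 21 to open the data channel, so turning that fixup off would leave the control session working but transfers failing.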