10-23-2003 08:12 AM - edited 02-21-2020 12:50 PM
I have a couple of sites that have some computers that need to access the VPN, and some that don't. Instead of permitting the entire range of IPs, I want to permit specific hosts through the ACL. So it would look something like this:
Say I have IPs 172.16.25.3-10 on a remote LAN, but only .3 and .4 need access to the VPN, but I want to be able to manage my remote PIX 501 (which is .1) through the VPN as well. The network they need to access is 172.16.1.x/24 and the VPN device at this location is a PIX 515. Would I set up my access list like this on the remote 501:
access-list 101 permit ip host 172.16.25.1 172.16.1.0 255.255.255.0
access-list 101 permit ip host 172.16.25.3 172.16.1.0 255.255.255.0
access-list 101 permit ip host 172.16.25.4 172.16.1.0 255.255.255.0
crypto map examplemap 1 match address 101
access-list vpn_nonat permit ip host 172.16.25.1 172.16.1.0 255.255.255.0
access-list vpn_nonat permit ip host 172.16.25.3 172.16.1.0 255.255.255.0
access-list vpn_nonat permit ip host 172.16.25.4 172.16.1.0 255.255.255.0
nat (inside) 0 access-list vpn_nonat
Would permitting 3 hosts like that instead of just doing the entire range make me see any problems across the VPN? Performance issues by doing this? Would this cause 3 separate SAs to be built, one for each host, instead of just one for the whole range?
My next question concerns restricting a certain host to a port over VPN. I have hosts whose only need is access to Remote Desktop on a computer with a static IP over the VPN. I don't want to give them access to every port on that specific PC, only the port for Remote Desktop, for security reasons. Any time I enter an access list like this:
access-list 101 permit tcp host 172.16.25.3 host 172.16.2.20 eq 3389
access-list 101 permit udp host 172.16.25.3 host 172.16.2.20 eq 3389
then do a
crypto map examplemap 1 match address 101
I get the following message:
WARNING: access-list has port selectors may have performance impact
What kind of performance impact can I expect? I understand that the SA will only be built when traffic to this host for this port is present...but other than that, what performance impact is there going to be? I can't have these users getting disconnected from Remote Desktop every few minutes, so if the performance impact is going to be severe, I need to find another option to do this.
Thanks in advance for the help.
10-23-2003 10:21 AM
The only performance impact should be a delayed connection start time, as both sides would need to bring up a tunnel for each new terminal services session. This would be required because the originating end would be different each time (source IP, but especially source port).
You will get one SA per connection where you include port statements in your crypto acls.
Something else to consider - allow unfettered access between the two sites for those ip addresses, but on the side with the terminal services boxes, write an acl for the inside interface of that pix that would block return traffic:
access-list inside permit tcp host 172.16.2.20 eq 3389 x.x.x.x x.x.x.x
access-list inside deny ip host 172.16.2.20 x.x.x.x x.x.x.x
access-list inside permit ip any any
The above would permit only TCP from host .20 originating from the terminal services port, block all other traffic from it, and then allow everything else.
This could reduce the number of SAs, but give you restricted access.
10-23-2003 11:26 AM
Thanks for the reply!
If the goal is to keep 172.16.25.3 from communicating with anyone else on the 172.16.2.x network except 172.16.2.20 over TCP/UDP 3389, would the ACL on the PIX 515 protecting the 172.16.2.x network then need to say:
access-list inside permit tcp host 172.16.2.20 eq 3389 host 172.16.25.3
access-list inside permit udp host 172.16.2.20 eq 3389 host 172.16.25.3
access-list inside deny ip any host 172.16.25.3
access-list inside permit ip any any
Then I would just make the crypto ACL on the remote 501 initiating the VPN tunnel say:
access-list 101 permit ip host 172.16.25.3 host 172.16.2.20
And then just do the normal matching of the crypto ACLs on both ends of the tunnel.
Is that about right?
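The inside-interface ACL suggested in the first reply and restated in the post above can be sanity-checked against sample traffic with a small first-match evaluator for the PIX access-list syntax used in this thread. This is an added example, not code from the thread or from Cisco; the ACL text and the flows are constructed from the addresses in the posts, and the evaluator models only how the ACL lines themselves match (first match wins, implicit deny at the end). It does not model the PIX connection table or the sysopt handling of decrypted traffic, so it tells you what the lines say, not what the stateful firewall will do with reply packets of an established connection.

```python
"""Stateless first-match evaluator for PIX-style access-list lines (added example).

Handles the forms seen in the thread:
  access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (PIX uses a
normal subnet mask, not a wildcard mask).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet header: protocol, source ip/port, destination ip/port."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host X', or 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Return (port or None, next_index); only the 'eq PORT' operator is supported."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse access-list lines into {acl_name: [rule, ...]} preserving order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        acls.setdefault(name, []).append(
            dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return acls


def _matches(rule, f):
    if rule["proto"] != "ip" and rule["proto"] != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(f.dst) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != f.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != f.dport:
        return False
    return True


def evaluate(rules, flow):
    """First matching line decides; a PIX ACL ends in an implicit deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule["action"]
    return "deny"


# ACL text as proposed in the thread (inside interface of the 515, crypto ACL on the 501).
INSIDE_ACL = """
access-list inside permit tcp host 172.16.2.20 eq 3389 host 172.16.25.3
access-list inside permit udp host 172.16.2.20 eq 3389 host 172.16.25.3
access-list inside deny ip any host 172.16.25.3
access-list inside permit ip any any
"""
CRYPTO_ACL = "access-list 101 permit ip host 172.16.25.3 host 172.16.2.20"

# Constructed sample flows as seen on the 515's inside interface (ephemeral ports made up).
SAMPLE_FLOWS = {
    "rdp_reply_to_3": Flow("tcp", "172.16.2.20", 3389, "172.16.25.3", 50123),
    "smb_from_20_to_3": Flow("tcp", "172.16.2.20", 50200, "172.16.25.3", 445),
    "other_host_to_3": Flow("tcp", "172.16.2.30", 50300, "172.16.25.3", 3389),
    "rdp_reply_to_4": Flow("tcp", "172.16.2.20", 3389, "172.16.25.4", 50400),
}


def check_policy():
    """Return (inside_decisions, crypto_decisions) for the sample flows."""
    acls = parse_acl(INSIDE_ACL + "\n" + CRYPTO_ACL)
    inside = {name: evaluate(acls["inside"], f) for name, f in SAMPLE_FLOWS.items()}
    crypto = {
        "rdp_3_to_20": evaluate(acls["101"], Flow("tcp", "172.16.25.3", 50123, "172.16.2.20", 3389)),
        "rdp_3_to_21": evaluate(acls["101"], Flow("tcp", "172.16.25.3", 50124, "172.16.2.21", 3389)),
    }
    return inside, crypto


if __name__ == "__main__":
    for section, decisions in zip(("inside", "crypto 101"), check_policy()):
        for name, verdict in decisions.items():
            print(f"{section:10} {name:18} {verdict}")
```

Run as a script it prints one verdict per sample flow: only the 3389-sourced reply from .20 reaches .3, anything else aimed at .3 hits the deny line, traffic to other remote hosts falls through to the final permit, and the crypto ACL only treats .3-to-.20 traffic as interesting.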