08-24-2006 10:18 PM - edited 02-21-2020 02:35 PM
Good day to all!!
I know that in order to establish a site-to-site VPN using 2 PIX firewalls we have to specify interesting traffic on both sides. Usually, we use a statement like the one below:
access-list AllowedTraffic permit ip host 192.168.2.1 host 192.168.3.1
But I have been thinking: what if we specify specific ports on the ACL that will be used for the VPN's interesting traffic, such as HTTPS? Such as the one below:
access-list AllowedTraffic permit tcp host 192.168.2.1 host 192.168.3.1 eq 443
Comments would be fine...
Thanks...
Chris
08-25-2006 05:01 PM
Here are my configs when I tested this. Hope this helps! If so, please rate.
Thanks
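As an added example (Hector's attached configs are not included in the thread, and this is not his configuration), here is what a mirrored, port-specific crypto ACL pair and the supporting IPsec configuration look like on two PIX 6.3 firewalls. All addresses, ACL and map names, and the pre-shared key placeholder are constructed for illustration.

```cisco
! PIX-A: outside 203.0.113.1, inside 192.168.2.0/24 (constructed addresses)
! Crypto ACL: only HTTPS from host 192.168.2.1 to host 192.168.3.1 is "interesting"
access-list VPN-TO-B permit tcp host 192.168.2.1 host 192.168.3.1 eq 443
! NAT exemption stays address-based so the protected traffic is never translated
access-list NONAT permit ip host 192.168.2.1 host 192.168.3.1
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TO-B
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! PIX-B: outside 198.51.100.1, inside 192.168.3.0/24 (constructed addresses)
! The mirror swaps source and destination, so "eq 443" moves to the source side:
! on PIX-B the interesting traffic is the server's replies FROM port 443.
access-list VPN-TO-A permit tcp host 192.168.3.1 eq 443 host 192.168.2.1
access-list NONAT permit ip host 192.168.3.1 host 192.168.2.1
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TO-A
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.1 netmask 255.255.255.255
! isakmp policy 10 lines identical to PIX-A
```

Traffic that matches neither crypto ACL (other ports, or HTTPS initiated from the 192.168.3.x side) is not encrypted and falls through to the ordinary interface ACLs and NAT rules, so verify with show crypto ipsec sa that the encrypt/decrypt counters rise only for the intended flow.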
08-24-2006 11:00 PM
Hi Chris,
Based on the Cisco doc, the ACLs that you use for Site-to-Site (or LAN-to-LAN) are based on the source and destination IP addresses only, and they have to be symmetric, mirroring each other on both sides of the connection.
This ACL does not give any option to specify a TCP/UDP port like other extended ACLs (source, destination & port).
Rgds,
AK
08-24-2006 11:01 PM
Hello,
It does work. At the very least on 6.3(5), as I've personally tested this. However, I do recall getting a warning message about taking a performance hit. Hope that helps! If so, please rate.
Thanks
08-25-2006 12:03 AM
Hi Hector,
Great news, as I've been looking into this feature as well. At least the improvement helps us to specify the source of interesting traffic in detail, with a specific port number.
Can you provide the link, as the following PIX 6.3(5) Release Notes don't mention it.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html
Rgds,
AK
08-25-2006 12:10 AM
If that would work...
I guess there would be times when there is no interesting traffic matching what is specified between the VPN peers, and the VPN connection would be torn down. And then there would be a tunnel build-up again.
If so, is there a way I could prolong the tear down?
I will be doing a lab on this on Monday and inform you guys.
AK,
Also, I could not open the link you have provided. I guess it is for Cisco partners only and you need a CCO partner login credential. I only have a guest or ordinary user account.
Thanks a lot Hector and AK.
Chris
08-25-2006 05:49 AM
Chris,
Sorry, try the following:
VPN Link:
PIX 6.3(5) Release Notes:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html
As Hector has confirmed by testing, I am keen to know your test result soon.
Rgds,
AK
08-25-2006 09:56 PM
Hi Hector,
Great! BTW, do you have the link about this feature in PIX 6.3(5), i.e. release notes, etc.? I couldn't find it.
Rgds,
AK
08-26-2006 07:43 PM
Hello AK,
I didn't see this in any documentation. I figured it should work, so I tested for myself. HTH
08-27-2006 02:43 AM
Hi Hector,
OK, at least you've tested it successfully and it works.
I wonder why Cisco Inc. did not mention/highlight it officially in the release doc or VPN-related doc? I am sure lots of Cisco customers are looking into the same feature as well. It's definitely a good point to highlight.
There must be a good reason. Thanks for the info.
Rgds,
AK