664 Views | 0 Helpful | 2 Replies

VPN access-list confusion

ramiro
Level 1

Hi all,

My confusion is the following.

I have a test environment for a VPN between a W2K PC and a Cisco PIX 525.

Everything works well, but what I want to know is whether the access list associated with the crypto map (vpn-prueba) allows traffic bidirectionally or only outbound traffic.

access-list vpn-prueba permit tcp 200.40.20.0 255.255.255.128 host 200.40.20.120
crypto map outside 8 ipsec-isakmp
crypto map outside 8 match address vpn-prueba
crypto map outside 8 set peer 200.40.20.120
crypto map outside 8 set transform-set 3des

Thanks in advance,

R.@.M.

2 Replies

ehirsel
Level 6

The access-list will allow bi-directional traffic, only under the condition that it is used solely by the crypto map to define interesting traffic. If you apply the access-list to an interface as well, then the normal PIX ACL rules are followed.

Interesting traffic is defined as what needs to be protected by IPSec, and the source host/network is what is behind the PIX; i.e., you need to have what are known as mirror-image ACLs defined on the Win PC. Here is how the ACL on the PIX is interpreted:

If traffic from 200.40.20.0/25 is sent to the 200.40.20.120 host, then the PIX will apply IPSec and direct it to the peer (which is also 200.40.20.120). When the PIX receives traffic from the peer, it will decrypt it and check whether the traffic is sourced from 200.40.20.120 and destined to 200.40.20.0/25. If so, it will be forwarded; otherwise it will issue some IPSec error messages, because SAs for other source/destination pairs are not included, thus signifying an IPSec process error.

Using mirror-image ACLs, the Win PC will have an access-list that is the inverse of the PIX's: permit tcp source host 200.40.20.120 dest network 200.40.20.0 255.255.255.128 for traffic to peer pix-ip-address. For Windows, using the Win OS IPSec client, there is another ACL that needs to match the PIX to allow traffic in the other direction, and the peer is the Win PC interface address.

I hope this helps.
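The interpretation above (outbound match encrypts to the peer; decrypted inbound traffic must match the mirror of the ACL or it is dropped with an SA error), written up as a small Python model. This is an added example, not code from the thread or from Cisco; the ACL line is the one posted in the question, the decision strings and `parse_pix_ace` are my own naming, and ports are ignored because the posted entry carries none.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how a PIX crypto-map ACL is evaluated (hypothetical helper,
# not the PIX implementation). The syntax handled is the one in the question:
# 'access-list NAME permit PROTO <net mask | host A> <net mask | host B>'.

@dataclass(frozen=True)
class CryptoAce:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src_ip, dst_ip):
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)

    def mirror(self):
        """Mirror-image entry the peer (the Win PC here) must configure: src/dst swapped."""
        return CryptoAce(self.proto, self.dst, self.src)

    def render(self):
        """Render as PIX-style ACL text, using 'host' for single addresses."""
        def part(net):
            return f"host {net.network_address}" if net.prefixlen == 32 \
                else f"{net.network_address} {net.netmask}"
        return f"permit {self.proto} {part(self.src)} {part(self.dst)}"

def parse_pix_ace(line):
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "permit", "unsupported ACL line"
    def take(toks):
        if toks[0] == "host":
            return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
        return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
    src, rest = take(tok[4:])
    dst, rest = take(rest)
    return CryptoAce(tok[3], src, dst)

def pix_decision(ace, direction, proto, src_ip, dst_ip):
    """Outbound: matching traffic is encrypted to the peer, anything else is sent in the
    clear. Inbound (after decryption): traffic must match the mirror of the ACL; if no SA
    covers that source/destination pair the PIX drops it and logs an IPSec error."""
    if direction == "outbound":
        return "encrypt-to-peer" if ace.matches(proto, src_ip, dst_ip) else "send-clear"
    return "forward" if ace.mirror().matches(proto, src_ip, dst_ip) else "drop-sa-mismatch"
```

Note that only the protocol and addresses decide what is "interesting"; a match on this ACL says nothing about which services are allowed once the tunnel is up.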

OK, thanks in advance for your help.

Now, how can I restrict the W2K PC's access to the resources of my network? Let's say it should only have access to certain machines over Telnet.

The W2K PC has its IPSec settings configured through the Local Security Policies of Windows, and what I want is to control access to my resources by specific services, rather than giving access over any service, all within the same IPSec solution.

Thanks again,

R.@.M.