
VPN Tunnel

s.soni
Level 1

Hi all,

I wanted to know whether we would be able to form an IPsec tunnel between a PIX and an IOS firewall where I define my interesting traffic on a specific-port basis.

e.g.

I want the tunnel to be fired if we have only FTP traffic between the endpoints.

If this is possible, then what should my access list be?

I have tried giving the access list as "access-list 100 permit tcp 10.0.0.0 255.255.255.0 eq ftp 20.20.20.0 255.255.255.0 eq ftp" or "access-list 100 permit tcp 10.0.0.0 255.255.255.0 20.20.20.0 255.255.255.0 eq ftp",

but with this access list the tunnel does not get fired at all.

If I change the access list from TCP to IP, without the port number, then the tunnel gets fired and all the traffic flows between the peers.

4 Replies

cfenegan
Level 1

Hello

I can't find it now, but I have read somewhere in the Cisco documentation that access lists for IPsec tunnels cannot be restricted to specific protocols and/or ports. You can specify IP only, as I recall. This may well be your problem.

You will have to use access lists on your inside interfaces to control exactly which protocols/ports can be sent across the tunnel.

Hope this helps

Clive

No, no.

Cisco PIX and IOS support TCP/UDP port-based interesting-traffic filtering. For tunnelling, are you using IPsec?

If you are using IPsec, in the policy you can define an access list for interesting traffic with UDP/TCP ports.

Hi,

Thanks for the reply.

I am using an IPsec site-to-site VPN tunnel.

Have you tried defining interesting traffic via TCP port number? If yes, can you please send me the working configuration?

As I have tried this at my place and it does not seem to work, and if I change my access list from TCP-port-based to IP-based, my tunnel fires immediately.

Soni

Richard Burts
Hall of Fame

I think the major issue with the access list that you tried for port-based interesting traffic is that you specified eq ftp for both the source and destination addresses. But the request to initiate FTP has a high-numbered port as the source and ftp as the destination, and responses have ftp as the source and a high-numbered port as the destination. Try the access list specifying ftp as the source or destination (depending on how you want traffic to flow) but not both.

HTH

Rick

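To make Rick's point concrete, here is an added example (my own code, not Cisco's and not the poster's configuration) that models how a crypto ACL classifies outbound packets as "interesting". It parses the two access lists from the original post, shows that the ACE with eq ftp on both ends can never match a real FTP control packet (one side is always an ephemeral port), and prints the mirror-image ACL the peer must carry. It also goes a little beyond the thread: it adds ftp-data (port 20) so active-mode transfers are covered, and shows that a passive-mode data connection, which lands on an arbitrary high server port, is not caught by any port-based crypto ACL. The ACE syntax handled, the hosts 10.0.0.5 and 20.20.20.7, and the sample packets are all assumptions constructed for the example.

```python
"""Model of crypto-ACL (interesting traffic) matching for an IPsec peer.

Added example for this thread, not Cisco code. It assumes the IOS/PIX ACE
syntax 'permit <proto> <src> <mask> [eq <port>] <dst> <mask> [eq <port>]',
the port names ftp (21) and ftp-data (20), and the constructed networks
10.0.0.0/24 (client side) and 20.20.20.0/24 (server side) from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]         # None = any source port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]         # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse one permit ACE. A PIX netmask (255.255.255.0) and an IOS
    wildcard (0.0.0.255) are both accepted, since ipaddress understands both."""
    toks = line.split()
    if toks[0] == "access-list":        # drop the leading "access-list 100"
        toks = toks[2:]
    if toks[0] != "permit":
        raise ValueError(f"only permit ACEs are modelled: {line}")
    proto, i = toks[1], 2

    def addr_and_port():
        nonlocal i
        if toks[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        else:
            net = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
            i += 2
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        return net, port

    src, sport = addr_and_port()
    dst, dport = addr_and_port()
    return Ace(proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    """True if the packet hits this ACE. Port checks apply only when the ACE
    names a port; protocol 'ip' matches any transport."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.sport:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dport:
        return False
    return True


def interesting(acl: List[str], pkt: Packet) -> bool:
    """Any permit hit means 'this outbound packet goes through the tunnel'."""
    return any(matches(parse_ace(a), pkt) for a in acl)


def mirror(line: str) -> str:
    """The peer's crypto ACL must be the mirror image: swap source and
    destination (addresses and ports) of each ACE."""
    a = parse_ace(line)

    def side(net, port):
        s = f"{net.network_address} {net.netmask}"
        return s + (f" eq {port}" if port is not None else "")

    return f"permit {a.proto} {side(a.dst, a.dst_port)} {side(a.src, a.src_port)}"


def classify(acl: List[str], pkts: List[Packet]) -> List[bool]:
    return [interesting(acl, p) for p in pkts]


# Constructed sample flows, as seen leaving the client-side crypto endpoint
# for an FTP session from client 10.0.0.5 to server 20.20.20.7.
CONTROL_SYN = Packet("tcp", "10.0.0.5", 40000, "20.20.20.7", 21)       # control channel
ACTIVE_DATA_ACK = Packet("tcp", "10.0.0.5", 40001, "20.20.20.7", 20)   # active mode: server dials from port 20
PASSIVE_DATA = Packet("tcp", "10.0.0.5", 40002, "20.20.20.7", 52000)   # passive mode: server picks a high port

# The ACL from the original post: eq ftp on both ends never matches.
ORIGINAL_ACL = ["access-list 100 permit tcp 10.0.0.0 255.255.255.0 eq ftp 20.20.20.0 255.255.255.0 eq ftp"]

# Port on the destination only, plus ftp-data for active-mode transfers.
FIXED_ACL = [
    "access-list 100 permit tcp 10.0.0.0 255.255.255.0 20.20.20.0 255.255.255.0 eq ftp",
    "access-list 100 permit tcp 10.0.0.0 255.255.255.0 20.20.20.0 255.255.255.0 eq ftp-data",
]

if __name__ == "__main__":
    flows = [CONTROL_SYN, ACTIVE_DATA_ACK, PASSIVE_DATA]
    print("original ACL:", classify(ORIGINAL_ACL, flows))   # [False, False, False]
    print("fixed ACL:   ", classify(FIXED_ACL, flows))      # [True, True, False]
    for ace in FIXED_ACL:
        print("peer needs:  ", mirror(ace))
```

The passive-mode result is the practical caveat: if the FTP server negotiates passive transfers, the data connection goes to a port the crypto ACL cannot name, so it bypasses the tunnel (or is dropped, depending on what else is configured). Either force active mode, or match the whole host pair with a protocol-level ACE and restrict ports with interface ACLs, as Clive suggested.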