RE: Filtering PIX to PIX IPsec traffic

From: NTD (ntd100566@yahoo.com.au)
Date: Thu Sep 25 2003 - 17:09:09 GMT-3


Hi,
 
There are two ways to filter IPSec traffic down to an application port number.
1 - Disable the command "sysopt connection permit-ipsec" and create an access list that restricts the application protocol port #, applied inbound on the outside interface, or whichever interface is used to terminate the tunnel, as Dave mentioned. However, this method might introduce another hole if there is any mis-configuration of the access list, or an access list statement which includes any any. I would prefer the next method because both ends are PIX devices.
2 - Enable the command "sysopt connection permit-ipsec" and use the crypto access list to restrict access to the application protocol port #. The trick for this method is you "must" have matching and mirror access-lists. One end isn't enough, as either end can initiate the tunnel and both ends need to agree about what traffic will go across the tunnel.
 
Thanh

"Dave Swink (dswink)" <dswink@cisco.com> wrote:
Paul,

You can define interesting traffic for the IPSec tunnel by destination
and source IP addresses, but it will not use any port definitions in the
ACL. The only way I know to filter traffic by IP and port would be with
an ACL applied IN on the interface of the PIX where the traffic is
entering initially.

Dave Swink, CCIE #11678

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Todd Veillette
Sent: Wednesday, September 24, 2003 7:42 PM
To: Paul Lalonde; p.virnoche@verizon.net; ccielab@groupstudy.com
Subject: Re: Filtering PIX to PIX IPsec traffic

Actually, ACLs can only be applied "in" on a PIX.

-TV

----- Original Message -----
From: "Paul Lalonde"

To:
;
Sent: Wednesday, September 24, 2003 9:53 AM
Subject: Re: Filtering PIX to PIX IPsec traffic

> Hi Phil,
>
> When performing IPSEC VPN tunnels on PIX firewalls, you use access
> lists that define the "interesting traffic." These access lists
> specifically define what is allowed to pass through the VPN tunnel.
>
> You can either make these access lists more restrictive, or as you
> said, you can apply an outbound access list on the PIX's LAN interface
> to filter unwanted IPSEC traffic before it hits the LAN.
>
> Alternatively, you can also use an 'inbound' access list on the LAN
> interface of the PIX to block return traffic... but it's not as
> intuitive as the 'outbound' acl on the LAN interface.
>
> Hope this helps,
> Paul Lalonde
> CCIE #11749
>
> ----- Original Message -----
> From:

> To:
> Sent: Wednesday, September 24, 2003 9:31 AM
> Subject: OT: Filtering PIX to PIX IPsec traffic
>
>
> > Good morning-
> > Sorry for the OT, but I have one that I am having trouble figuring
> > out. I have a requirement that ALL traffic between my two sites be
> > encrypted. NO problem..... but how do I filter it once it gets to the
> > terminating PIX? When it comes in on the tunnel, it bypasses the
> > inbound ACLs, right? Or can I have the PIX somehow filter on the
> > existing inbound ACL?... Is my only option to create an ACL and put it
> > "outbound" on the inside interface?
> >
> > ANY info would be greatly appreciated!!!!
> >
> > Phil
> >
> > ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

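Thanh's requirement that the two crypto access lists be exact mirrors is easy to get wrong once ports are involved, because a port that sits on the destination side of one PIX's entry must sit on the source side of the peer's entry. The following check is an added example, not code from any poster in the thread: it parses constructed PIX 6.x-style access-list lines from both peers (the ACL names, addresses and the deliberately broken 443 entry are all made up for the illustration) and reports every entry whose mirror is missing on the other side.

```python
"""Check that two peers' crypto access lists mirror each other.

Added example with constructed input. Parses PIX 6.x-style lines:
  access-list NAME permit PROTO SRC [eq PORT] DST [eq PORT]
where an endpoint is 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
"""

# Constructed configs: PIX_B's second line mirrors the addresses but
# drops "eq 443", so the two ends would not agree on the HTTPS flow.
PIX_A = """\
access-list VPN_TO_B permit tcp host 10.1.1.10 host 10.2.2.20 eq 1433
access-list VPN_TO_B permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.20 eq 443
"""
PIX_B = """\
access-list VPN_TO_A permit tcp host 10.2.2.20 eq 1433 host 10.1.1.10
access-list VPN_TO_A permit tcp host 10.2.2.20 10.1.1.0 255.255.255.0
"""

def _parse_endpoint(tokens, i):
    """Return ((addr, mask), port_or_None, next_index) for tokens[i:]."""
    if tokens[i] == "any":
        ep, i = ("0.0.0.0", "0.0.0.0"), i + 1
    elif tokens[i] == "host":
        ep, i = (tokens[i + 1], "255.255.255.255"), i + 2
    else:
        ep, i = (tokens[i], tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = tokens[i + 1], i + 2
    return ep, port, i

def parse_crypto_acl(config_text, acl_name):
    """Return the set of (proto, src, sport, dst, dport) permit entries."""
    entries = set()
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", acl_name, "permit"]:
            continue
        src, sport, i = _parse_endpoint(tokens, 4)
        dst, dport, _ = _parse_endpoint(tokens, i)
        entries.add((tokens[3], src, sport, dst, dport))
    return entries

def mirror(entry):
    """The entry the far end must carry: addresses and ports swapped."""
    proto, src, sport, dst, dport = entry
    return (proto, dst, dport, src, sport)

def mirror_mismatches(acl_a, acl_b):
    """Return (entries of A unmatched on B, entries of B unmatched on A)."""
    return ({e for e in acl_a if mirror(e) not in acl_b},
            {e for e in acl_b if mirror(e) not in acl_a})
```

Run `mirror_mismatches(parse_crypto_acl(PIX_A, "VPN_TO_B"), parse_crypto_acl(PIX_B, "VPN_TO_A"))` to see the unmatched 443 entry reported from both sides; an empty pair of sets means the selectors agree.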



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:37 GMT-3