PIX VPN Questions

Posted on 2004-04-09
Last Modified: 2010-04-12
I am relatively new to Cisco VPNs.  I have a couple of questions.

o-How do I limit access to what services are provided across the VPN tunnel.
    * I assume that the access list used for the 'address match' statement is how one would accomplish this. This would make sense, but I think that I read somewhere that this list is used ONLY to determine which IP addresses are allowed through and nothing else.  This seems stupid though.

o-How do I definitively certify that specific traffic is making it through the tunnel (ftp for example).

o-What is the proper procedure to 'tear down' a VPN tunnel on a central site PIX that can't be reloaded.

Any help would be appreciated.

Question by:mtetzlaff
LVL 79

Expert Comment

ID: 10793804
In addition to the address match statement, you should have a no_nat access list that exempts VPN traffic from NAT. You can use this to restrict traffic (the applied direction is from inside-->VPN)
I don't know of any technical reason why you can't use the address-match acl to define the encrypted traffic. It is an extended access-list and understands ports... Problem is that conversations can have random ports >1024 at the client end, so it's not really practical to use any access-list to restrict the traffic in this context.

If you use the PIX Device Manager (PDM) 3.01 GUI you can monitor VPNs to see packet counts, etc., and the wizard makes it pretty easy to set up. A simple "show access-list" will show hit counts on any access-list line items.

Same to tear down. If using the GUI, simply unapply the crypto map to the interface, or delete the policy and apply it. No downtime required.

Author Comment

ID: 10805444
would appear that there is no really good way to restrict what type of traffic traverses a VPN tunnel?  Doesn't sound likely.  As lrmoore mentions, the 'match address' access list is an extended list.  When you are building that list, aren't you referring to destination port numbers which would therefore allow you to be granular in your selection of traffic matching?

Also, I was working on a tunnel setup last week.  It seemed like the tunnel took FOREVER to actually come up.  After I had the config in place, I wasn't getting anything on any of the following:
o- debug crypto ipsec
o- debug crypto isakmp

o- show crypto isakmp sa -- didn't have an entry.

Thoughts?  Is there a certain timeframe I should expect to wait before a tunnel actually is attempted when interesting traffic is present?
LVL 79

Accepted Solution

lrmoore earned 125 total points
ID: 10805491
>When you are building that list, aren't you referring to destination port numbers which would therefore allow you to be granular in your selection of traffic matching?
Yes, but remember, this is defining interesting traffic for an IPSEC tunnel, so you must also define the return traffic, with destination port now up >1024. There is no facility for stateful inspection "through" the tunnel to allow the return traffic to a request.

The tunnel will not actually show up until/unless there is actual 2-way traffic from host to host. This means that the hosts have to have routing set up as well as the tunnel..

If you have a host at side A pinging (continuous) a host at side B, and both hosts have the proper routing, and you setup the VPN correctly, it will come up almost instantaneously..
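The points in the accepted answer (the 'match address' crypto ACL only selects which packets get encrypted and has no stateful inspection, the peer must cover the reverse direction, the nat 0 exemption, checking hit counts and SAs, and removing a tunnel without a reload) can be tied together in one site-to-site configuration. The following is an added example written for this page, not a configuration posted by the asker or by lrmoore. It assumes PIX 6.x syntax, a local inside network of 10.1.1.0/24, a remote network of 10.2.2.0/24 behind a peer at 203.0.113.2, and the map, ACL and transform-set names shown; all of these are constructed values, and the only service allowed across the tunnel is FTP from the local side to a server at the remote side.

```cisco
! --- Interesting traffic for the IPsec SA (what gets ENCRYPTED, not a firewall rule) ---
! Control connection: local clients (any source port) to remote FTP servers on tcp/21.
access-list vpn_ftp permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq ftp
! Active-mode data connection is opened by the server FROM tcp/20 to an ephemeral
! client port. As seen from this side it is local-net (any port) to remote-net eq 20,
! so it needs its own line; this is the "return traffic" case lrmoore describes.
access-list vpn_ftp permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq ftp-data
! The peer's crypto ACL must be the exact mirror image of the lines above
! (10.2.2.0/24 eq ftp -> 10.1.1.0/24, and 10.2.2.0/24 eq ftp-data -> 10.1.1.0/24).

! --- NAT exemption for traffic that goes into the tunnel (applied inside -> VPN) ---
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Phase 1 (ISAKMP) ---
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2 (IPsec) and the crypto map that references the interesting-traffic ACL ---
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_ftp
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
sysopt connection permit-ipsec

! --- Verification: is specific traffic really using the tunnel? ---
! Hit counts on the crypto ACL lines increment only for packets selected for encryption.
show access-list vpn_ftp
! Phase 1 SA appears only after two-way interesting traffic has triggered negotiation.
show crypto isakmp sa
! Per-SA packet counters (pkts encaps / pkts decaps) show both directions are flowing.
show crypto ipsec sa

! --- Tear-down without a reload ---
! Drop the live SAs (the peer can renegotiate on the next interesting packet)...
clear crypto ipsec sa
clear isakmp sa
! ...or unbind the map from the interface so nothing can renegotiate at all.
no crypto map vpnmap interface outside
```

Two things the example shows that the thread states only in prose: the crypto ACL is an extended list and does match on ports, but it is evaluated per packet with no connection tracking, so every distinct flow direction that must be encrypted needs an explicit line on one peer and its mirror on the other; and "show access-list" hit counts are the quickest way to certify that a given service (here FTP) is actually being sent into the tunnel rather than leaking out in the clear or being dropped. The clear and no-crypto-map commands apply only to that map and its SAs, so the central PIX and its other tunnels stay up; exact clear-command spellings vary between PIX/ASA releases, so check them against the installed version.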
