?
Solved

PIX VPN Questions

Posted on 2004-04-09
3
Medium Priority
?
426 Views
Last Modified: 2010-04-12
Greetings,
I am relatively new to cisco VPNs.  I have a couple of questions.

o-How do I limit access to what services are provided across the VPN tunnel.
    * I assume that the access list used for the 'address match' statement is how one would accomplish this.
    * This would make sense, but I think that I read somewhere that this list is used ONLY to determine which
    * IP addresses are allowed through and nothing else.  This seems stupid though.

o-How do I definitively certify that specific traffic is making it through the tunnel (ftp for example).

o-What is the proper proceedure to 'tear down' a vpn tunnel on a central site PIX that can't be reloaded.

Any help would be appreciated.

Thanks,
Mike
0
Comment
Question by:mtetzlaff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10793804
In addition to the address match statement, you should have a no_nat access list that exempts VPN traffic from NAT. You can use this to restrict traffic (the applied direction is from inside-->VPN)
I don't know of any technical reason why you can't use the address-match acl to define the encrypted traffic. It is an extended access-list and understands ports... Problem is that conversations can have random ports >1024 at the client end, so it's not really practical to use any access-list to restrict the traffic in this context.

If you use the Pix Device Manager (PDM) 3.01 GUI you can monitor VPN's to see packet counts, etc, and the wizard makes it pretty easy to set up. Simple "show access-list" will sho hit-counts on any access-list line items.

Same to tear down. If using the GUI, simply unapply the crypto map to the interface, or delete the policy and apply it. No downtime required.
 
0
 

Author Comment

by:mtetzlaff
ID: 10805444
So.....it would appear that there is no really good way to restrict what type of traffic traverses a VPN tunnel?  Doesn't sould likely.  As lrmoore mentions the 'match address' access list is an extended list.  When you are building that list, aren't you referring to destination port numbers which would therefore allow you to be granular in your selection of traffic matching?

Also, I was woring on a tunnel setup last week.  It seemd like the tunnel took FOREVER to actually come up.  After I had the config in place, I wasn't getting anything on any of the following:
o- debug crypto ipsec
o- debug crypto isakmp

and
o- show crypto isakmp sa -- didn't have an entry.

Thoughts?  Is there a certain timeframe I should ecpect to wait before a tunnel actually is attempted when interesting traffic is present?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10805491
>When you are building that list, aren't you referring to destination port numbers which would therefore allow you to be granular in your selection of traffic matching?
Yes, but remember, this is defining interesting traffic for an IPSEC tunnel, so you must also define the return traffic, with destination port now up >1024. There is no facility for stateful inspection "through" the tunnel to allow the return traffic to a request.

The tunnel will not actually show up until/unless there is actual 2-way traffic from host to host. This means that the hosts have to have routing set up as well as the tunnel..

If you have a host at side A pinging (continuous) a host at side B, and both hosts have the proper routing, and you setup the VPN correctly, it will come up almost instantaneously..
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month14 days, 10 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question