Solved

PIX VPN Questions

Posted on 2004-04-09
Last Modified: 2010-04-12
Greetings,
I am relatively new to Cisco VPNs. I have a couple of questions.

o-How do I limit access to what services are provided across the VPN tunnel?
    * I assume that the access list used for the 'address match' statement is how one would accomplish this.
    * This would make sense, but I think that I read somewhere that this list is used ONLY to determine which IP addresses are allowed through and nothing else. This seems stupid though.

o-How do I definitively certify that specific traffic is making it through the tunnel (FTP, for example)?

o-What is the proper procedure to 'tear down' a VPN tunnel on a central site PIX that can't be reloaded?

Any help would be appreciated.

Thanks,
Mike
Question by:mtetzlaff
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10793804
In addition to the address match statement, you should have a no_nat access list that exempts VPN traffic from NAT. You can use this to restrict traffic (the applied direction is from inside-->VPN)
I don't know of any technical reason why you can't use the address-match acl to define the encrypted traffic. It is an extended access-list and understands ports... Problem is that conversations can have random ports >1024 at the client end, so it's not really practical to use any access-list to restrict the traffic in this context.

If you use the PIX Device Manager (PDM) 3.01 GUI you can monitor VPNs to see packet counts, etc., and the wizard makes it pretty easy to set up. A simple "show access-list" will show hit counts on any access-list line items.

Same to tear down. If using the GUI, simply unapply the crypto map to the interface, or delete the policy and apply it. No downtime required.

Author Comment

by:mtetzlaff
ID: 10805444
So..... it would appear that there is no really good way to restrict what type of traffic traverses a VPN tunnel? Doesn't sound likely. As lrmoore mentions, the 'match address' access list is an extended list. When you are building that list, aren't you referring to destination port numbers, which would therefore allow you to be granular in your selection of traffic matching?

Also, I was working on a tunnel setup last week. It seemed like the tunnel took FOREVER to actually come up. After I had the config in place, I wasn't getting anything on any of the following:
o- debug crypto ipsec
o- debug crypto isakmp

and
o- show crypto isakmp sa -- didn't have an entry.

Thoughts? Is there a certain timeframe I should expect to wait before a tunnel is actually attempted when interesting traffic is present?
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 10805491
>When you are building that list, aren't you referring to destination port numbers which would therefore allow you to be granular in your selection of traffic matching?
Yes, but remember, this is defining interesting traffic for an IPSEC tunnel, so you must also define the return traffic, with destination port now up >1024. There is no facility for stateful inspection "through" the tunnel to allow the return traffic to a request.

The tunnel will not actually show up until/unless there is actual 2-way traffic from host to host. This means that the hosts have to have routing set up as well as the tunnel.

If you have a host at side A pinging (continuous) a host at side B, and both hosts have the proper routing, and you set up the VPN correctly, it will come up almost instantaneously.
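An added illustration of the accepted answer's point, not part of the original thread and using constructed site addresses: a crypto 'match address' list is evaluated statelessly per packet, so an entry limited to destination port 21 catches the FTP request, but the peer's mirror must admit replies to the client's ephemeral port, and once it does it matches far more than FTP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry: protocol, source net, destination net,
    and an optional destination-port test ('eq N' or 'gt N')."""
    proto: str
    src: str
    dst: str
    dst_port_eq: Optional[int] = None
    dst_port_gt: Optional[int] = None

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port_eq is not None and dst_port != self.dst_port_eq:
            return False
        if self.dst_port_gt is not None and dst_port <= self.dst_port_gt:
            return False
        return True


def is_interesting(acl, proto, src_ip, dst_ip, dst_port):
    """Stateless crypto-ACL check: a packet is encrypted only if some entry permits it."""
    return any(ace.matches(proto, src_ip, dst_ip, dst_port) for ace in acl)


# Constructed, hypothetical sites: FTP client at site A, FTP server at site B.
SITE_A, SITE_B = "10.1.1.0/24", "10.2.2.0/24"

# Site A's 'match address' list, restricted to the FTP control port.
ACL_A = [Ace("tcp", SITE_A, SITE_B, dst_port_eq=21)]
# Naive mirror on site B: replies never carry destination port 21, so they are never encrypted.
ACL_B_NAIVE = [Ace("tcp", SITE_B, SITE_A, dst_port_eq=21)]
# Mirror that covers the client's ephemeral port (>1023), as the answer describes.
ACL_B_FIXED = [Ace("tcp", SITE_B, SITE_A, dst_port_gt=1023)]


def ftp_control_encrypted(acl_a, acl_b, client="10.1.1.5", server="10.2.2.10", cport=1025):
    """True only if both the request (A->B:21) and the reply (B->A:cport) are interesting."""
    request = is_interesting(acl_a, "tcp", client, server, 21)
    reply = is_interesting(acl_b, "tcp", server, client, cport)
    return request and reply
```

The last check below shows the cost of the fix: the 'gt 1023' mirror also makes any B-to-A connection to a high port interesting, which is the loss of granularity lrmoore describes.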
