
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 239

PIX 501 question: How to block different ports on multiple VPN connections

I have a PIX 501 with two site to site VPNs setup to it.  Is there a way to open different ports on each VPN connection?  

Example:

VPN 1:  ports 20,21,23 and 80 open

VPN 2: ports 104

Also, does an access list that's applied to the PIX using the command 'access-group acl_in in interface outside' apply to VPN connections?  In other words, since the packets on the VPN are encapsulated with IPSEC, are they affected by this access-list?

Thanks in advance!

-Brad
Asked by: bwalker1
1 Solution
 
lrmoore commented:
Typically, no, they are not affected by an interface acl. In fact, the "sysopt connection permit-ipsec" specifically bypasses any access-lists.
One way you can control the VPN traffic is with the nat zero acl, or with the crypto map "match" acl, but it is difficult at best: because the acl is defining traffic that is the "return" traffic, you can't really specifically "open" certain ports on your end. On the remote site, you can restrict outbound traffic to specific ports only.
Else, you would have to remove the sysopt and restrict the traffic with an interface acl.
0
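The last option in the answer above (remove the sysopt bypass, then filter the decrypted traffic with the outside interface ACL) looks like the following on a PIX 6.x. This is an added illustration, not configuration from the thread; the ACL name acl_in and the access-group command come from the question, while all addresses, the remote subnets and the port sets per site are assumed placeholders. The crypto map, isakmp and nat 0 configuration that builds the two tunnels is assumed to be in place already and is not shown.

```cisco
! Added example (not from the original thread): per-tunnel port restriction
! on a PIX 6.x by letting the outside interface ACL see decrypted VPN traffic.
!
! Assumed addressing (placeholders):
!   Local LAN behind the PIX ......... 192.168.1.0/24
!   VPN 1 remote LAN ................. 192.168.10.0/24  (needs 20, 21, 23, 80)
!   VPN 2 remote LAN ................. 192.168.20.0/24  (needs 104 only)
!
! 1. Stop IPsec-decrypted packets from bypassing the interface access-list.
!    With the sysopt in place, nothing below would be consulted for VPN traffic.
no sysopt connection permit-ipsec

! 2. Entries for VPN 1: only the four required TCP ports toward the local LAN.
!    PIX access-lists use real subnet masks, not wildcard masks.
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 20
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

! 3. Entries for VPN 2: a single port (assumed to be TCP here).
access-list acl_in permit tcp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 104

! 4. Any pre-existing entries for non-VPN inbound traffic (public services,
!    ICMP you allow, etc.) must remain in acl_in, because once the sysopt is
!    removed this one list governs both clear-text and decrypted inbound packets.
!    Everything not matched above is dropped by the implicit deny at the end.

! 5. Bind the list to the outside interface (same command as in the question).
access-group acl_in in interface outside

! 6. Verify: hit counts per entry show which tunnel traffic is being matched.
!    show access-list acl_in
```

The trade-off lrmoore describes still applies: the nat 0 and crypto map "match" ACLs define which traffic is encrypted, so they are the wrong tool for port-level policy, whereas the interface ACL is evaluated after decryption and can express "this peer, these ports only". Removing the sysopt is a change in default behavior for every tunnel terminating on the PIX, so the entries in step 4 should be written before the sysopt line is removed, and the hit counts from step 6 checked from both remote sites afterwards.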
 
bwalker1 (Author) commented:
lrmoore, let me ask you one more item that relates to this question...

I have been asked to secure our site to site VPN so somebody on the other side of the VPN can only access certain necessary ports.  From your answer it sounds like this is difficult.  From your professional experience, is it safe to say that VPNs are not usually locked down by port but just by matching IP addresses... so I can get the VP of my company off my back :)

Thanks,
Brad
0
 
lrmoore commented:
Typically, Lan-2-Lan connections are set up with full IP connectivity between the sites. This is most suitable for a company's remote sites to use a VPN as backup to a primary T1, or in some cases as the primary connection back to HQ.
Placing restrictions on the VPN is more suited to the Cisco 3000 series VPN concentrator as an extranet endpoint for 3rd party connections and VPN clients. You have a much finer grain of control with the concentrator than you do with the PIX.
0
