bwalker1
PIX 501 question: How to block different ports on multiple VPN connections

I have a PIX 501 with two site-to-site VPNs set up to it.  Is there a way to open different ports on each VPN connection?

Example:

VPN 1:  ports 20,21,23 and 80 open

VPN 2: ports 104

Also, does an access list that's applied to the PIX using the command 'access-group acl_in in interface outside' apply to VPN connections?  In other words, since the packets on the VPN are encapsulated with IPsec, are they affected by this access list?

Thanks in advance!

-Brad
ASKER CERTIFIED SOLUTION
Les Moore
bwalker1

ASKER

lrmoore, let me ask you one more item that relates to this question...

I have been asked to secure our site-to-site VPN so somebody on the other side of the VPN can only access certain necessary ports.  From your answer it sounds like this is difficult.  From your professional experience, is it safe to say that VPNs are not usually locked down by port but just by matching IP addresses? So I can get the VP of my company off my back :)

Thanks,
Brad
Typically, LAN-to-LAN connections are set up with full IP connectivity between the sites. This is most suitable for a company's remote sites to use a VPN as backup to a primary T1, or in some cases, as the primary connection back to HQ.
Placing restrictions on the VPN is more suited to the Cisco 3000 series VPN concentrator as an extranet endpoint for 3rd-party connections and VPN clients. You have a much finer grain of control with the concentrator than you do with the PIX.
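For the interface-ACL part of the original question, here is an added PIX 6.x configuration fragment (not from the thread's certified solution and not the expert's recommended design) showing how the outside ACL can be made to apply to decrypted tunnel traffic, which is what lets you permit different ports per tunnel. It assumes the default `sysopt connection permit-ipsec` is what normally lets VPN traffic bypass `acl_in`; all addresses are placeholders (local LAN 10.1.1.0/24, VPN 1 remote LAN 10.2.2.0/24 behind peer 203.0.113.10, VPN 2 remote LAN 10.3.3.0/24 behind peer 203.0.113.20, PIX outside 198.51.100.1), and port 104 is assumed to be TCP.

```cisco
! By default the PIX lets packets that arrived through an IPsec tunnel bypass
! the interface ACL. Turn that off so decrypted traffic is checked by acl_in.
no sysopt connection permit-ipsec

! With the bypass off, the IKE and ESP traffic that builds each tunnel must be
! explicitly permitted to the PIX's own outside address (placeholder peers).
access-list acl_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list acl_in permit esp host 203.0.113.10 host 198.51.100.1
access-list acl_in permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
access-list acl_in permit esp host 203.0.113.20 host 198.51.100.1

! After decryption the source is the remote private subnet, so "per tunnel"
! filtering is really "per remote subnet" filtering.
! VPN 1 (10.2.2.0/24) -> local LAN: FTP (20/21), telnet (23) and HTTP (80) only
access-list acl_in permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 20
access-list acl_in permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 21
access-list acl_in permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23
access-list acl_in permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
! VPN 2 (10.3.3.0/24) -> local LAN: TCP 104 only (protocol assumed)
access-list acl_in permit tcp 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 104

! Explicitly drop everything else from either remote subnet so later, broader
! entries for non-VPN inbound traffic cannot accidentally widen tunnel access.
access-list acl_in deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_in deny ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

! ... existing permits for ordinary inbound traffic go here; implicit deny follows.
access-group acl_in in interface outside
```

Because the crypto ACLs still define the tunnels by full subnet, this only restricts what crosses after decryption; it does not give the per-user control of the concentrator the expert mentions, and any return traffic initiated from the local LAN is still matched by the same ACL on the way back in.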