PIX 501 question: How to block different ports on multiple VPN connections

I have a PIX 501 with two site-to-site VPNs set up on it.  Is there a way to open different ports on each VPN connection?


VPN 1: ports 20, 21, 23 and 80 open

VPN 2: port 104 open

Also, does an access list that's applied to the PIX using the command 'access-group acl_in in interface outside' apply to VPN connections?  In other words, since the packets on the VPN are encapsulated with IPsec, are they affected by this access list?

Thanks in advance!


lrmoore commented:

Typically, no, they are not affected by an interface ACL. In fact, "sysopt connection permit-ipsec" specifically bypasses any access-lists.
One way you can control the VPN traffic is with the nat 0 ACL, or with the crypto map "match" ACL, but it is difficult at best because the ACL is defining traffic that is the "return" traffic; you can't really specifically "open" certain ports on your end. On the remote site, you can restrict outbound traffic to specific ports only.
Else, you would have to remove the sysopt and restrict the traffic with an interface ACL.
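As an added illustration of the last option (this is example configuration written for this page, not a config posted by the asker or by lrmoore): the fragment below removes the sysopt bypass and uses the outside interface ACL to give each tunnel's remote LAN only the ports listed in the question. The local LAN (10.0.0.0/24), the two remote LANs (192.168.10.0/24 and 192.168.20.0/24), the peer addresses (203.0.113.10 and 203.0.113.20), and the ACL, crypto map and transform-set names are all assumed for the example; the ISAKMP policy, pre-shared keys and transform-set definition are assumed to exist already and are not shown.

```cisco
! Added example, not from the original thread. Addresses, peers and names are assumed.
! PIX OS 6.x syntax for a PIX 501.

! Without this, decrypted IPsec traffic skips the interface ACL entirely.
no sysopt connection permit-ipsec

! Inbound from the VPN 1 remote LAN: FTP (20/21), telnet (23) and HTTP (80) only.
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 20
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 21
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 23
access-list acl_in permit tcp 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
! Inbound from the VPN 2 remote LAN: TCP port 104 only.
access-list acl_in permit tcp 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 104
! Everything else arriving on the outside interface hits the implicit deny.
access-group acl_in in interface outside

! The crypto map "match" ACLs and the nat 0 ACL still describe the whole subnet-to-subnet
! flow: they decide what gets encrypted and NAT-exempted, not which ports are allowed.
access-list vpn1_traffic permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn2_traffic permit ip 10.0.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn1_traffic
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn2_traffic
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two things to check before relying on this: first, once the sysopt bypass is gone, acl_in governs every decrypted packet from either tunnel, so any return traffic the PIX does not track statefully (and any other service the remote sites legitimately use) must be added explicitly or it will be dropped; second, confirm on the running PIX OS version that IKE (udp/500) and ESP terminating on the outside interface are still accepted without an acl_in entry, and add those entries if the tunnels stop negotiating after the change.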

bwalker1 (Author) commented:
lrmoore, let me ask you one more item that relates to this question...

I have been asked to secure our site-to-site VPN so somebody on the other side of the VPN can only access certain necessary ports.  From your answer it sounds like this is difficult.  From your professional experience, is it safe to say that VPNs are not usually locked down by port but just by matching IP addresses... so I can get the VP of my company off my back :)

lrmoore commented:

Typically, LAN-to-LAN connections are set up with full IP connectivity between the sites. This is most suitable for a company's remote sites to use a VPN as backup to a primary T1, or in some cases, as the primary connection back to HQ.
Placing restrictions on the VPN is more suited to the Cisco 3000 series VPN concentrator as an extranet endpoint for third-party connections and VPN clients. You have a much finer grain of control with the concentrator than you do with the PIX.