PIX 501 question: How to block different ports on multiple VPN connections

Posted on 2004-11-13
Last Modified: 2013-11-16
I have a PIX 501 with two site to site VPNs set up to it. Is there a way to open different ports on each VPN connection?


VPN 1:  ports 20,21,23 and 80 open

VPN 2: port 104

Also, does an access list that's applied to the PIX using the command 'access-group acl_in in interface outside' apply to VPN connections? In other words, since the packets on the VPN are encapsulated with IPSEC, are they affected by this access-list?

Thanks in advance!

Question by:bwalker1
    Accepted Solution

    Typically, no, they are not affected by an interface acl. In fact, the "sysopt connection permit-ipsec" specifically bypasses any access-lists.
    One way you can control the VPN traffic is with the nat zero acl, or with the crypto map "match" acl, but it is difficult at best because the acl is defining traffic that is the "return" traffic; you can't really specifically "open" certain ports on your end. On the remote site, you can restrict outbound traffic to specific ports only.
    Else, you would have to remove the sysopt and restrict the traffic with an interface acl.
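The "remove the sysopt and restrict with an interface acl" route from the accepted solution, written out as an added PIX 6.x configuration example (not from the thread or from Cisco documentation). All addresses are constructed placeholders, and the example assumes that once sysopt is removed the outside ACL must also permit the IKE (UDP 500) and ESP packets that terminate on the outside interface itself.

```cisco
! Constructed placeholder addressing (not from the thread):
!   local LAN 192.168.1.0/24, outside interface 203.0.113.10
!   VPN 1 peer 198.51.100.1, remote LAN 10.1.0.0/24
!   VPN 2 peer 198.51.100.2, remote LAN 10.2.0.0/24

! Stop decrypted IPsec traffic from bypassing the outside interface ACL
no sysopt connection permit-ipsec

! Assumption: without sysopt, the tunnel negotiation and ESP packets
! addressed to the outside interface must themselves be permitted
access-list acl_in permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
access-list acl_in permit esp host 198.51.100.1 host 203.0.113.10
access-list acl_in permit udp host 198.51.100.2 host 203.0.113.10 eq isakmp
access-list acl_in permit esp host 198.51.100.2 host 203.0.113.10

! VPN 1: only FTP (20/21), telnet (23) and HTTP (80) from the remote LAN
access-list acl_in permit tcp 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp-data
access-list acl_in permit tcp 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list acl_in permit tcp 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list acl_in permit tcp 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www

! VPN 2: only TCP port 104 from the remote LAN
access-list acl_in permit tcp 10.2.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 104

! Everything else arriving on outside, tunnelled or not, hits the implicit deny
access-group acl_in in interface outside

! The crypto "match" and nat 0 ACLs stay as full-subnet definitions of
! interesting traffic; the port restriction lives only in acl_in
access-list vpn1 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Verify the result from the remote side with one permitted and one non-permitted port, and watch `show access-list acl_in` hit counts to confirm the decrypted traffic is now being evaluated against the ACL.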
    Author Comment

    lrmoore, let me ask you one more item that relates to this question...

    I have been asked to secure our site to site VPN so somebody on the other side of the VPN can only access certain necessary ports. From your answer it sounds like this is difficult. From your professional experience, is it safe to say that VPNs are not usually locked down by port but just by matching IP addresses? So I can get the VP of my company off my back :)

    Expert Comment

    Typically, Lan-2-Lan connections are set up with full IP connectivity between the sites. This is most suitable for a company's remote sites to use a VPN as backup to a primary T1, or in some cases, as the primary connection back to HQ.
    Placing restrictions on the VPN is more suited to the Cisco 3000 series VPN concentrator as an extranet endpoint for 3rd party connections and VPN clients. You have a much finer grain of control with the concentrator than you do with the PIX.
