PIX to PIX point to point VPN lockdown / limit traffic

Hi: I have two PIXes with a point-to-point VPN working fine. On the "master" PIX, I would like to limit the access from/to the remote PIX. Here are some of the network layouts.

remote pix internal Net:   192.168.100.0 255.255.255.192
master pix internal net:   172.17.32.0   255.255.224.0

Now, here are the crypto setups
-------------------------------

crypto map 0-Outside_map 299 match address 0-Outside_cryptomap_Store299
crypto map 0-Outside_map 299 set peer 11.22.33.44

crypto dynamic-map 0-Outside_dyn_map 299 match address 0-Outside_cryptomap_dyn_Store299

access-list 0-Outside_cryptomap_Store299 extended permit ip 172.17.32.0 255.255.224.0 192.168.100.0 255.255.255.192

access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip 172.17.32.0 255.255.224.0 172.17.48.0 255.255.255.0
access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip 192.168.0.0 255.255.0.0 172.17.48.0 255.255.255.0

-------------------------------

So I then tried to lock down the traffic by using ACLs on the outside interface of the master.

access-list 0-Outside_access_in remark Store to testhost only test
access-list 0-Outside_access_in extended permit ip 192.168.0.0 255.255.0.0 host testhost

----------------------------------

But, the traffic is still going from the remote to the entire 172.17

Since this is the first time I have been delving into VPNs this deeply, here are a couple of questions.

1) How do I limit traffic from a remote VPN using a point-to-point VPN?
2) What is the difference between crypto map and crypto dynamic-map?
3) How do I limit traffic from the master to the remote VPN?

Thanks in advance.
ort11 asked:

ort11 (Author) commented:
OK, in the ASDM, it is the filter option on the group policy. It seems to work fine, except that for outgoing sessions, if there is not an ACL allowing incoming traffic from the remote, it seems not to allow traffic back from master to remote, like ESTABLISHED is not working (which I thought was the default for PIX ACLs)?

Is this the case for PIX and VPNs? Here are the ACLs so far...

1 access-list Store-VPN-ACL extended permit icmp 172.17.32.0 255.255.255.0 192.168.0.0 255.255.0.0
2 access-list Store-VPN-ACL extended permit icmp 192.168.0.0 255.255.0.0 172.17.32.0 255.255.224.0
3 access-list Store-VPN-ACL extended permit ip 192.168.0.0 255.255.0.0 host 172.17.32.33
4 access-list Store-VPN-ACL extended permit ip 172.17.32.0 255.255.224.0 192.168.0.0 255.255.0.0

Please note the 3rd ACL. Even though ACL 4 is in place, traffic from 172.17.32.0 does not get back from 192.168.100.x unless it is done from .33?

Any help would be appreciated on this one.
ort11 (Author) commented:
OK, answering my own question: in the VPN filter in the GUI, you will have to specify the outgoing destination ports and the incoming source ports. That did the trick. Moderator, you can close the call.
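Added example (not the asker's configuration, and not an answer from the thread): a PIX 7.x / ASA vpn-filter that implements the lockdown described above, written the way the self-answer requires. A vpn-filter ACL is always written with the remote (store) network as the source and the master network as the destination; the firewall applies the same ACL to both directions by swapping source and destination for traffic heading into the tunnel, and these ACLs have no "established" keyword. So for sessions the master side opens toward the store, the entry must name the store's source port, which is why the asker's ACL 4 did not help. This is also why the interface ACL on the outside interface in the original question had no effect: with the default `sysopt connection permit-vpn` (`permit-ipsec` on older 7.0 builds), decrypted tunnel traffic bypasses interface ACLs entirely. The networks and peer address come from the post; the group-policy name `Store-VPN-GP` and the ports (443 inbound to the test host, 22 outbound from master to store) are assumptions.

```cisco
! Added example, not from the original thread. Group-policy name and ports are assumed;
! networks and peer 11.22.33.44 are taken from the post.
!
! Inbound from store: the store may reach ONLY host 172.17.32.33 on TCP 443.
! vpn-filter ACL rule: source = remote (store) network, destination = master network.
access-list Store-VPN-ACL extended permit tcp 192.168.100.0 255.255.255.192 host 172.17.32.33 eq 443
!
! Outbound from master: master hosts open SSH to the store. The filter checks the
! session from the store's side, so permit the store's SOURCE port 22 toward the
! master network (this is the "incoming source port" entry from the self-answer).
access-list Store-VPN-ACL extended permit tcp 192.168.100.0 255.255.255.192 eq 22 172.17.32.0 255.255.224.0
!
! ICMP for troubleshooting; one line covers both directions because the filter
! inverts source/destination for traffic entering the tunnel.
access-list Store-VPN-ACL extended permit icmp 192.168.100.0 255.255.255.192 172.17.32.0 255.255.224.0
!
! Anything else through the tunnel hits the implicit deny at the end of the ACL.
! Do NOT also bind this ACL with access-group; vpn-filter ACLs are separate from interface ACLs.
group-policy Store-VPN-GP internal
group-policy Store-VPN-GP attributes
 vpn-filter value Store-VPN-ACL
!
! For a site-to-site (L2L) tunnel the tunnel-group is named after the peer address.
tunnel-group 11.22.33.44 type ipsec-l2l
tunnel-group 11.22.33.44 general-attributes
 default-group-policy Store-VPN-GP
```

To verify the filter is active, `show vpn-sessiondb detail l2l` lists the group policy and filter applied to the tunnel, and `show access-list Store-VPN-ACL` shows hit counts per entry, so an entry that never increments while a connection fails points at the missing direction or port.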
EE_AutoDeleter commented:
ort11,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter