PIX to PIX point to point VPN lockdown / limit traffic

Posted on 2006-04-27
Last Modified: 2013-11-16
Hi: I have two Pix with a point-to-point VPN working fine.  On the "master" pix, I would like to limit the access from/to the remote pix.  Here are some of the network layouts.

remote pix internal Net:
master pix internal net:

Now, here are the crypto setups

crypto map 0-Outside_map 299 match address 0-Outside_cryptomap_Store299
crypto map 0-Outside_map 299 set peer

crypto dynamic-map 0-Outside_dyn_map 299 match address 0-Outside_cryptomap_dyn_Store299

access-list 0-Outside_cryptomap_Store299 extended permit ip

access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip
access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip


So I then tried to lock down the traffic by using ACLs on the outside interface of the master.

access-list 0-Outside_access_in remark Store to testhost only test
access-list 0-Outside_access_in extended permit ip host testhost


But, the traffic is still going from the remote to the entire 172.17

Since this is the first time I have been delving into VPNs this deeply, here are a couple of questions.

1) how to limit traffic from a remote VPN using point to point VPN?
2) what is the difference between crypto map and crypto dynamic-map?
3) how to limit traffic from the master to the remote vpn?

Thanks in advance.
Question by: ort11
    LVL 1

    Author Comment

    Ok, in the asdm, it is the filter option on the group policy.  Seems to work fine, except that for outgoing sessions, if there is not an acl allowing for incoming from the remote, it seems not to allow traffic back from master to remote, like ESTABLISHED is not working (which I thought was the default for PIX ACLs)?  

    Is this the case for PIX and VPNs?  Here are the acls so far...

    1 access-list Store-VPN-ACL extended permit icmp
    2 access-list Store-VPN-ACL extended permit icmp
    3 access-list Store-VPN-ACL extended permit ip host
    4 access-list Store-VPN-ACL extended permit ip

    Please note the 3rd ACL.  Even though ACL 4 is in place, traffic from does not get back from 192.168.100.x unless it is done from .33?

    Any help would be appreciated on this one.
    LVL 1

    Author Comment

    Ok, answering my own question, in the VPN filter in the GUI, you will have to specify the outgoing destination ports and the incoming source ports.  That did the trick.  Moderator, you can close the call.

    Accepted Solution

    Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

