?
Solved

PIX to PIX point to point VPN lockdown / limit traffic

Posted on 2006-04-27
3
Medium Priority
?
168 Views
Last Modified: 2013-11-16
Hi:  have two Pix with point to point VPN working fine.  On the "master" pix, would like to limit the access from/to the remote pix.  Here are some of the network layouts.

remote pix internal Net:   192.168.100.0 255.255.255.192
master pix internal net:   172.17.32.0   255.255.224.0

Now, here are the crypto setups
-------------------------------

crypto map 0-Outside_map 299 match address 0-Outside_cryptomap_Store299
crypto map 0-Outside_map 299 set peer 11.22.33.44

crypto dynamic-map 0-Outside_dyn_map 299 match address 0-Outside_cryptomap_dyn_Store299

access-list 0-Outside_cryptomap_Store299 extended permit ip 172.17.32.0 255.255.224.0 192.168.100.0 255.255.255.192

access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip 172.17.32.0 255.255.224.0 172.17.48.0 255.255.255.0
access-list 0-Outside_cryptomap_dyn_Store299 extended permit ip 192.168.0.0 255.255.0.0 172.17.48.0 255.255.255.0

-------------------------------

So I then tried to lock down the traffic by using ACLs on the outside interface of the master.

access-list 0-Outside_access_in remark Store to testhost only test
access-list 0-Outside_access_in extended permit ip 192.168.0.0 255.255.0.0 host testhost

----------------------------------

But, the traffic is still going from the remote to the entire 172.17

Since this is the first time I have been deliving into VPNs this deeply, here are a couple of questions.

1) how to limit traffic from a remote VPN using point to point VPN?
2) what is the difference between crypto map and crypto dynamic-map?
3) how to limit traffic from the master to the remote vpn?

Thanks in advance.
0
Comment
Question by:ort11
  • 2
3 Comments
 
LVL 1

Author Comment

by:ort11
ID: 16557041
Ok, in the asdm, it is the filter option on the group policy.  Seems to work fine, except that for outgoing sessions, if there is not an acl allowing for incoming from the remote, it seems not to allow traffic back from master to remote, like ESTABLISHED is not working (which I thought was the default for PIX ACLs)?  

Is this the case for PIX and VPNs?  Here are the acls so far...

1 access-list Store-VPN-ACL extended permit icmp 172.17.32.0 255.255.255.0 192.168.0.0 255.255.0.0
2 access-list Store-VPN-ACL extended permit icmp 192.168.0.0 255.255.0.0 172.17.32.0 255.255.224.0
3 access-list Store-VPN-ACL extended permit ip 192.168.0.0 255.255.0.0 host 172.17.32.33
4 access-list Store-VPN-ACL extended permit ip 172.17.32.0 255.255.224.0 192.168.0.0 255.255.0.0

Please note the 3rd ACL.  Even though ACL 4 is in place, traffic from 172.17.32.0 does not get back from 192.168.100.x unless it is done from .33?

Any help would be apprecaited on this one.
0
 
LVL 1

Author Comment

by:ort11
ID: 16602684
Ok, answering my own question, in the VPN filter in the GUI, you will have to specify the outgoing destination ports and the incomming source ports.  That did the trick.  Moderator, you can close the call.
0
 

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 16728714
ort11,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question