ed_reyes
Cisco PIX Filtering VPN Traffic v7.2.1

Hi ee community.

Until just recently, we've always had trusted VPN connections which allowed us to use the 'sysopt connection ipsec-permit' command.  With an introduction of a 3rd party VPN, we now need to filter the VPN traffic.

I've attempted to use the 'vpn-filter value acl_name' under group-policies with the following sample config.
(all the crypto and isakmp config work, so it's not included)

access-list acl_name extended permit tcp internal_net remote_vpn_net eq ftp
access-list acl_name extended deny ip any any

group-policy untrusted_vpn attributes
     vpn-filter value acl_name

tunnel-group ip.address.of.remote general-attributes
     default-group-policy untrusted_vpn

The above didn't work.

Now I understand that I can apply access-lists or modify current access-lists so that they can accomplish what 'acl_name' attempted above.  I don't want to go around on our production PIX and start applying access-lists on interfaces attempting to figure out which interface to apply it on.  I guess my question is, if a VPN tunnel is terminated on my outside interface, where do I apply the access-lists?

Examples always help me, so use as my internal network and as the remote VPN network.  The only traffic I want to allow is accessing an FTP server ( on the remote network.  I don't want the remote network to have any access and only want FTP traffic from internal hosts.  

I understand sftp would be a lot simpler, but there's more to it than FTP.  

Thanks in advance.  Please let me know if I missed anything.
Les Moore

I would just use the crypto map match address acl to restrict traffic..

access-list outside_20_cryptomap permit tcp host eq ftp
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer

I don't think that nat0 acl can be port specific, but the crypto map acl will restrict traffic.
The remote end will have to do a mirror-image acl.

Else, use an outbound acl applied to the inside interface:

 access-list restrict_outbound permit tcp host eq ftp
 access-list restrict_outbound deny ip
 access-list restrict_outbound permit ip any any
 access-group restrict_outbound in interface outside

You might have to permit ftp-data also....

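An added example (not from either poster), putting the two approaches discussed above side by side with constructed addresses: 10.1.0.0/24 as the internal network, 172.16.5.0/24 as the remote VPN network, 172.16.5.10 as the remote FTP server and 203.0.113.1 as the remote peer. The vpn-filter ACL is written the way the PIX/ASA 7.x feature evaluates it, from the remote side's perspective (remote address as source, local network as destination, with the service port on the source side for sessions the inside hosts open), which is the orientation the asker's first attempt reversed; FTP inspection (on in the default policy) is assumed to handle the data channel.

```
! Constructed addresses: 10.1.0.0/24 internal, 172.16.5.0/24 remote VPN net,
! 172.16.5.10 remote FTP server, 203.0.113.1 remote VPN peer.
!
! Option A - crypto map ACL: only inside -> remote FTP control traffic is
! "interesting", so nothing else is encrypted into or accepted from the tunnel.
! The remote end must carry the mirror image of this entry.
access-list outside_20_cryptomap extended permit tcp 10.1.0.0 255.255.255.0 host 172.16.5.10 eq ftp
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.1
!
! Option B - vpn-filter on the group policy, applied to the decrypted traffic in
! both directions regardless of 'sysopt connection permit-ipsec'. Source is the
! remote FTP server on port ftp, destination is the internal network; the
! implicit/explicit deny blocks everything the remote side tries to initiate.
access-list untrusted_vpn_filter extended permit tcp host 172.16.5.10 eq ftp 10.1.0.0 255.255.255.0
access-list untrusted_vpn_filter extended deny ip any any
group-policy untrusted_vpn internal
group-policy untrusted_vpn attributes
  vpn-filter value untrusted_vpn_filter
tunnel-group 203.0.113.1 general-attributes
  default-group-policy untrusted_vpn
```

Option B keeps the peer's crypto ACL unchanged (the asker's goal of not requiring work on both ends), while Option A needs the matching entry on the remote side as Les notes.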
ed_reyes
I guess I could go back to a more restricted access-list defining only the interesting traffic as needed and continue to build that list as more services are required, I was trying to avoid requiring work on both ends since those access-lists should match on both ends.

Regarding the latter option, you mention using an outbound acl on the inside interface, but your example applies it to the outside interface.  Shouldn't the command be:
'access-group restrict_outbound out interface inside'?
