Asked by ed_reyes
Cisco PIX Filtering VPN Traffic v7.2.1

Hi ee community.

Until just recently, we've always had trusted VPN connections which allowed us to use the 'sysopt connection ipsec-permit' command.  With an introduction of a 3rd party VPN, we now need to filter the VPN traffic.

I've attempted to use the 'vpn-filter value acl_name' under group-policies with the following sample config.
(all the crypto and isakmp config work, so it's not included)

access-list acl_name extended permit tcp internal_net remote_vpn_net eq ftp
access-list acl_name extended deny ip any any

group-policy untrusted_vpn attributes
     vpn-filter value acl_name

tunnel-group ip.address.of.remote attributes
     default-group-policy untrusted_vpn

The above didn't work.

Now I understand that I can apply access-lists, or modify current access-lists, to accomplish what 'acl_name' attempted above.  I don't want to go around on our production PIX and start applying access-lists on interfaces, attempting to figure out which interface to apply them on.  I guess my question is, if a VPN tunnel is terminated on my outside interface, where do I apply the access-lists?

Examples always help me, so use as my internal network and as the remote VPN network.  The only traffic I want to allow is accessing an FTP server ( on the remote network.  I don't want the remote network to have any access and only want FTP traffic from internal hosts.  

I understand sftp would be a lot simpler, but there's more to it than FTP.

Thanks in advance.  Please let me know if I missed anything.
Les Moore

I would just use the crypto map match address acl to restrict traffic..

access-list outside_20_cryptomap permit tcp host eq ftp
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer

I don't think that the nat0 acl can be port specific, but the crypto map acl will restrict traffic.
The remote end will have to do a mirror-image acl.

Else, use an outbound acl applied to the inside interface:

 access-list restrict_outbound permit tcp host eq ftp
 access-list restrict_outbound deny ip
 access-list restrict_outbound permit ip any any
 access-group restrict_outbound in interface outside

You might  have to permit ftp-data also....


I guess I could go back to a more restricted access-list defining only the interesting traffic as needed and continue to build that list as more services are required, I was trying to avoid requiring work on both ends since those access-lists should match on both ends.

Regarding the latter option, you mention using an outbound acl on the inside interface, but your example applies it to the outside interface.  Shouldn't the command be:
'access-group restrict_outbound out interface inside'?
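The following is an added worked example, not posted by anyone in this thread, that fills in the vpn-filter approach from the original question with constructed placeholder addresses (10.10.10.0/24 internal, 172.16.50.0/24 remote, 172.16.50.25 as the remote FTP server, 203.0.113.10 as the peer). It assumes PIX/ASA 7.x syntax and relies on the documented behaviour that a vpn-filter ACL is evaluated with the remote VPN network as the source and the local network as the destination, for traffic in both directions of the tunnel.

```text
! Constructed placeholder addressing (not from the thread):
!   10.10.10.0/24   internal network
!   172.16.50.0/24  remote (3rd-party) VPN network
!   172.16.50.25    FTP server on the remote network
!   203.0.113.10    remote VPN peer
!
! A vpn-filter ACL is written "remote -> local": source is the remote
! side, destination is the local side, even for connections that our
! inside hosts initiate. Writing it "internal -> remote" (as in the
! original sample) matches nothing, which is the usual reason such a
! filter appears not to work. Return traffic is handled statefully,
! so only the initiating direction needs a permit.
access-list untrusted_vpn_filter extended permit tcp host 172.16.50.25 eq ftp 10.10.10.0 255.255.255.0
! Active-mode data channel (server port 20 -> client); only needed if
! FTP inspection is not opening the data channel for you.
access-list untrusted_vpn_filter extended permit tcp host 172.16.50.25 eq ftp-data 10.10.10.0 255.255.255.0
! Everything else from this peer, in either direction, is dropped.
access-list untrusted_vpn_filter extended deny ip any any

! Attach the filter to a group policy dedicated to the untrusted peer.
group-policy untrusted_vpn internal
group-policy untrusted_vpn attributes
 vpn-filter value untrusted_vpn_filter

! Bind that policy to the LAN-to-LAN tunnel-group for the peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy untrusted_vpn

! Checks: "show vpn-sessiondb detail l2l" reports the filter name on
! the active session, and "show access-list untrusted_vpn_filter"
! should show hit counts climbing on the permit line when an inside
! host opens an FTP session.
```

Because the filter is applied to the decrypted tunnel traffic itself, it takes effect even while 'sysopt connection permit-vpn' (the 7.x name of the command in the question) is still bypassing the interface ACLs for the trusted tunnels, so nothing needs to be applied to the inside or outside interface for this peer.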
