
PIX Firewall 6.3: Site-to-Site VPN

When configuring site-to-site or remote access VPN with Cisco PIX firewall version 6.3, we normally see the access-list in the form below:
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

Can I put it this way?
access-list 101 permit tcp host 1.1.1.1 2.2.2.0 255.255.255.0 eq 3389

Actually I want to limit the access between two ends to some ports, instead of opening all. Is this the correct way for this purpose?
Asked by hoggiee

3 Solutions
asavener commented:
Yes, you can narrow the access list to specific ports.

The access lists have to match conversely on each end though, so you will need to change the access list on the other end to:

access-list 101 permit tcp 2.2.2.0 255.255.255.0 eq 3389 host 1.1.1.1
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
I beg to differ. There is no support in IPsec for port-filtering within the proxy ACL, and my experience is that it doesn't work very well.

Better is to define proxy acl with "ip" and add port-filtering either by interface-acl or vpn-filter.

Best regards
Kvistofta
asavener commented:
PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

I beg your pardon, you are correct that the VPN must be configured based on IP.  Later versions of the PIX/ASA OS can filter the VPN based on ports.
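As an added example (not from the thread and not taken from the linked Cisco document), this is what the port restriction from the question looks like on PIX/ASA 7.x and later using vpn-filter, with the 1.1.1.0/24 and 2.2.2.0/24 networks from the question. The peer address 203.0.113.2, the ACL, group-policy and tunnel-group names, and the pre-shared-key placeholder are constructed; lines beginning with `!` are comments for the reader.

```cisco
! Crypto (proxy) ACL stays IP-only: this is the proxy identity IPsec negotiates
access-list VPN-TRAFFIC extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

! vpn-filter ACL. For a L2L tunnel the filter is written with the REMOTE network as
! source and the LOCAL network as destination; the firewall applies it to traffic in
! both directions. Here local host 1.1.1.1 may open RDP (TCP/3389) to servers in
! 2.2.2.0/24, so 3389 appears as the remote (source) port. Anything else inside the
! tunnel is dropped by the implicit deny at the end of the filter.
access-list VPN-FILTER extended permit tcp 2.2.2.0 255.255.255.0 eq 3389 host 1.1.1.1

! Attach the filter to the group policy used by the L2L tunnel group
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <REPLACE-WITH-PSK>

! Default: decrypted VPN traffic bypasses the interface ACLs, so the vpn-filter is
! the only place this port restriction is enforced (earlier 7.x releases spell the
! keyword permit-ipsec instead of permit-vpn).
sysopt connection permit-vpn
```

Because the filter is evaluated against the proxy identity rather than negotiated as part of it, both peers still agree on the IP-only proxy ACL and the tunnel comes up regardless of how tight the filter is; the filter only decides which packets are allowed to use it.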
hoggiee (Author) commented:
How about for PIX version 6.3?
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
It is possible to configure an access-list with TCP/UDP ports and use that for IPsec VPN; you will get no error messages. But it is not supported by IPsec in ANY version of PIX/ASA.

VPN-filter or interface ACLs are the recommended solutions if you want to filter VPN traffic more granularly than by IP address.

Best regards Kvistofta
hoggiee (Author) commented:
I mean, what would be the right way to filter IPsec traffic in PIX version 6.3?
asavener commented:
For 6.3 I think the only way is to create an IP-based VPN, and then use access control lists applied to the interface to filter the traffic.
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
That is correct. For such an old version the only way is to filter traffic from the inside network.

/Kvistofta
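To make the agreed approach for PIX 6.3 concrete, here is an added configuration example (not posted by anyone in the thread): the crypto ACL stays IP-only and the port restriction from the question is enforced by interface ACLs. The peer address 203.0.113.2, the ACL, crypto-map and transform-set names, and the pre-shared-key placeholder are constructed; 3DES/SHA-1 are used because they are what PIX 6.3 offered. Lines beginning with `!` are comments for the reader.

```cisco
! Crypto (proxy) ACL: IP only, as both experts recommend
access-list VPN-TRAFFIC permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

! Exempt tunnel traffic from NAT
access-list NONAT permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! IKE phase 1 and the IPsec crypto map (peer address is constructed)
isakmp enable outside
isakmp key <REPLACE-WITH-PSK> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN-TRAFFIC
crypto map SITE2SITE 10 set peer 203.0.113.2
crypto map SITE2SITE 10 set transform-set ESP-3DES-SHA
crypto map SITE2SITE interface outside

! Port filtering lives on the interface ACLs, not in the proxy ACL.
! Inbound on "inside": only host 1.1.1.1 may start RDP (TCP/3389) to the remote
! site; all other traffic towards 2.2.2.0/24 is denied; Internet-bound traffic is
! left alone. Replies come back through the stateful connection table.
access-list INSIDE_IN permit tcp host 1.1.1.1 2.2.2.0 255.255.255.0 eq 3389
access-list INSIDE_IN deny ip any 2.2.2.0 255.255.255.0
access-list INSIDE_IN permit ip 1.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! By default decrypted IPsec traffic bypasses the outside interface ACL, which
! would let the remote site reach anything in 1.1.1.0/24 through the tunnel. Turn
! that off so remote-initiated connections are checked too; here none are allowed.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN deny ip 2.2.2.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
```

The `no sysopt connection permit-ipsec` line is the part that is easy to miss: with the default left in place, the inside ACL limits what your users can do over the tunnel, but nothing limits what the other site can do, because its decrypted packets skip the outside ACL entirely. The other PIX needs the mirror image (its crypto ACL with the networks swapped, and its own interface ACLs) for the tunnel to negotiate.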