PIX Firewall 6.3: Site-to-Site VPN

When configuring site-to-site or remote access VPN with Cisco PIX firewall version 6.3, we normally see the access-list in the form below:
access-list 101 permit ip

Can I put it this way?
access-list 101 permit tcp host eq 3389

Actually I want to limit the access between two ends to some ports, instead of opening all. Is this the correct way for this purpose?
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
It is possible to configure an access-list with TCP/UDP ports and use that for an IPsec VPN; you will get no error messages. But it is not supported by IPsec in ANY version of PIX/ASA.

VPN-filter or interface ACLs are the recommended solutions if you want to filter VPN traffic more granularly than by IP addresses.

Best regards Kvistofta
Yes, you can narrow the access list to specific ports.

The access lists have to match conversely on each end though, so you will need to change the access list on the other end to:

access-list 101 permit eq 3389 host
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
I beg to differ. There is no support in IPsec for port-filtering within the proxy ACL, and my experience is that it doesn't work very well.

Better is to define the proxy ACL with "ip" and add port-filtering either by interface ACL or VPN-filter.

Best regards

asavener commented:
PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

I beg your pardon, you are correct that the VPN must be configured based on IP.  Later versions of the PIX/ASA OS can filter the VPN based on ports.
hoggiee (Author) commented:
How about for PIX version 6.3?
hoggiee (Author) commented:
I mean what would be the right way to filter IPSec traffic in PIX version 6.3.
For 6.3 I think the only way is to create an IP-based VPN, and then use access control lists applied to the interface to filter the traffic.
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
That is correct. For such an old version the only way is to filter traffic from the inside network.
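As an added illustration of what the answers above describe for PIX 6.3 (not configuration from the thread or from Cisco documentation): the crypto (proxy) ACL selects traffic by IP only, and the RDP restriction is enforced by an ACL on the inside interface. All addresses, names, the peer and the transform set are placeholders.

```cisco
! Constructed example for PIX 6.3. Local LAN 10.1.1.0/24, remote LAN
! 10.2.2.0/24, peer 203.0.113.2 are placeholder values.

! NOT SUPPORTED for IPsec on PIX 6.3: a port inside the crypto ACL.
! The PIX accepts it without an error, but proxy identities are
! negotiated by address, so the tunnel does not behave as intended.
! access-list 101 permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 3389

! Correct: the crypto ACL matches interesting traffic by address only.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

! With "sysopt connection permit-ipsec" set, decrypted traffic bypasses
! the outside interface ACL, so on 6.3 the practical filter is the ACL on
! the inside interface: only RDP (tcp/3389) from this LAN may enter the
! tunnel; everything else to the remote LAN is dropped, and the rest of
! the inside traffic is left as before. Return traffic for the allowed
! RDP sessions is handled by the firewall's stateful connection table.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 3389
access-list inside_in deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

The remote end keeps a mirrored IP-only crypto ACL (10.2.2.0/24 to 10.1.1.0/24) and applies its own interface ACL if it also needs to restrict what its users send into the tunnel.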
