Cisco PIX VPN access-lists
Posted by Lone on June 16, 2008, 1:18 pm

I am having difficulty configuring the VPN access-lists on a LAN to LAN IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running PIX version 7.1(2) and I have sysopt connection permit-vpn enabled, which, from what I understand, would then force access-list restrictions to be determined by the VPN group-policy and the access-list specified by the vpn-filter value setting. Currently, I am able to set traffic restrictions for the tunnel on the SSG, but I would prefer to be able to do this on the PIX. If I remove the traffic restrictions set on the SSG, then I have unfiltered access to the hosts on the PIX side of the tunnel. This is the case whether or not I have an access-list specified for the vpn-filter value setting. Is there something else simple that I'm missing?

Thanks,
Lone

Posted by Walter Roberson on June 16, 2008, 1:32 pm

I haven't used PIX 7 (but used PIX 6 extensively), so I am not familiar with VPN group policies or vpn-filter. In PIX 6, specifying sysopt connection permit-vpn would indicate that packets coming in over the VPN were exempt from all access-list restrictions. (Though whether the packet was allowed to cross the VPN at all would be determined by the crypto map access-list.)

Posted by Lone on June 16, 2008, 2:58 pm

On Jun 16, 10:32 am, rober...@hushmail.com (Walter Roberson) wrote:

> >I am having difficulty configuring the VPN access-lists on LAN to LAN
> >IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running
> >PIX version 7.1(2) and I have sysopt connection permit-vpn enabled,
> >which, from what I understand would then force access-list
> >restrictions to be determined by the VPN group-policy and the
> >access-list specified by the vpn-filter value setting.
>
> I haven't used PIX 7 (but used PIX 6 extensively), so I am
> not familiar with VPN group policies or vpn-filter.
>
> In PIX 6, specifying sysopt connection permit-vpn
> would indicate that packets coming in over the VPN were exempt
> from all access-list restrictions. (Though whether the packet
> was allowed to cross the VPN at all would be determined by the
> crypto map access-list.)

Can you specify host and port access lists using that crypto map match address command? Unfortunately, since this is a PIX to SSG tunnel, I don't believe I can add additional entries to this access list because the entries in this list need to match the entry on the SSG side. Unfortunately, I can only designate a subnet on the SSG side. If I were to change this, I'm fairly sure that the tunnel will not build.

Posted by Lone on June 16, 2008, 3:14 pm

> On Jun 16, 10:32 am, rober...@hushmail.com (Walter Roberson) wrote:
>
> > > > > In article
> >
> > >I am having difficulty configuring the VPN access-lists on LAN to LAN
> > >IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running
> > >PIX version 7.1(2) and I have sysopt connection permit-vpn enabled,
> > >which, from what I understand would then force access-list
> > >restrictions to be determined by the VPN group-policy and the
> > >access-list specified by the vpn-filter value setting.
> >
> > I haven't used PIX 7 (but used PIX 6 extensively), so I am
> > not familiar with VPN group policies or vpn-filter.
> >
> > In PIX 6, specifying sysopt connection permit-vpn
> > would indicate that packets coming in over the VPN were exempt
> > from all access-list restrictions. (Though whether the packet
> > was allowed to cross the VPN at all would be determined by the
> > crypto map access-list.)
>
> Can you specify host and port access lists using that crypto map match
> address command? Unfortunately, since this is a PIX to SSG tunnel, I
> don't believe I can add additional entries to this access list because
> the entries in this list need to match the entry on the SSG side.
> Unfortunately, I can only designate a subnet on the SSG side. If I
> were to change this, I'm fairly sure that the tunnel will not build.

I've been working off of the information provided by this site:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

It's describing everything that I want to do. I can also successfully use the vpn-filter command on the Remote Access connections that I've created on the same PIX. It's just the L2L tunnel that I'm having trouble with.

Posted by jcle on June 18, 2008, 8:35 am

Sounds like maybe their acls may not be right. I always built three acls for this: one for nonat, one for phase two, and one for the group policy vpn filter. The first two, for nonat and phase two, are typical:

access-list 101 permit ip (local net) (remote net)

The filter is a little tricky; you reverse the logic:

access-list 102 permit tcp (remote net) (local net)

You then allow access by adding eq protocol number following the network you want to allow access to. For example, if I wanted to allow a host behind the juniper to access a webserver behind the asa you would do this:

192.168.1.2 = juniper host
192.168.2.2 = cisco host

access-list 102 permit tcp host 192.168.1.2 host 192.168.2.2 eq www

You then have to renegotiate phase 1 any time you make a change to the group policy acl by running the cl isakmp sa.

Lone wrote:
> On Jun 16, 10:32 am, rober...@hushmail.com (Walter Roberson) wrote:
> >
> > > > > > In article
> > >
> > > >I am having difficulty configuring the VPN access-lists on LAN to LAN
> > > >IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running
> > > >PIX version 7.1(2) and I have sysopt connection permit-vpn enabled,
> > > >which, from what I understand would then force access-list
> > > >restrictions to be determined by the VPN group-policy and the
> > > >access-list specified by the vpn-filter value setting.
> > >
> > > I haven't used PIX 7 (but used PIX 6 extensively), so I am
> > > not familiar with VPN group policies or vpn-filter.
> > >
> > > In PIX 6, specifying sysopt connection permit-vpn
> > > would indicate that packets coming in over the VPN were exempt
> > > from all access-list restrictions. (Though whether the packet
> > > was allowed to cross the VPN at all would be determined by the
> > > crypto map access-list.)
> >
> > Can you specify host and port access lists using that crypto map match
> > address command? Unfortunately, since this is a PIX to SSG tunnel, I
> > don't believe I can add additional entries to this access list because
> > the entries in this list need to match the entry on the SSG side.
> > Unfortunately, I can only designate a subnet on the SSG side. If I
> > were to change this, I'm fairly sure that the tunnel will not build.
>
> I've been working off of the information provided by this site:
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
>
> It's describing everything that I want to do. I can also successfully
> use the vpn-filter command on the Remote Access connections that I've
> created on the same PIX. It's just the L2L tunnel that I'm having
> trouble with.
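The three access-lists jcle describes, written out as one coherent PIX 7.x L2L configuration so the reversed direction of the vpn-filter and where it is attached are visible in context. This is an added example, not configuration from this thread or from the Cisco document Lone links; the addressing (192.168.2.0/24 behind the PIX, 192.168.1.0/24 behind the SSG, SSG outside address 203.0.113.10), the object names and the pre-shared key placeholder are all assumptions, and the isakmp policy / isakmp enable lines are omitted.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
! PIX inside 192.168.2.0/24, SSG side 192.168.1.0/24, SSG outside 203.0.113.10.
! 192.168.1.2 (juniper host) and 192.168.2.2 (cisco web server) follow jcle's post.

! 1. NAT exemption, local -> remote, so tunnel traffic is not translated.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Phase 2 proxy identities, local -> remote. This must mirror the SSG's policy,
!    so it stays at subnet granularity; host/port entries here would stop the tunnel building.
access-list L2L-CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! 3. vpn-filter. Direction is reversed: the remote (SSG) side is the source, the local
!    (PIX) side the destination, and the port follows the local host.
!    Only the juniper host may reach the web server behind the PIX.
access-list L2L-FILTER extended permit tcp host 192.168.1.2 host 192.168.2.2 eq www
!    The same ACL is checked for connections started on the PIX side. The remote side is
!    still written first, so a remote service port goes after the remote address:
access-list L2L-FILTER extended permit tcp host 192.168.1.20 eq ssh 192.168.2.0 255.255.255.0
!    The implicit deny at the end blocks everything else once the filter is attached.

! Attach the filter to a group-policy and bind that to the L2L tunnel-group,
! whose name is the peer's address. A filter on any other group-policy has no effect here.
group-policy L2L-SSG internal
group-policy L2L-SSG attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value L2L-FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-SSG
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside

! With permit-vpn on, interface ACLs are bypassed for decrypted traffic; the vpn-filter is
! the only thing restricting it. No filter bound to this tunnel-group = unfiltered access,
! which is the symptom described in the first post.
sysopt connection permit-vpn

! After changing the filter, tear down the existing SA so the new policy is applied:
! clear crypto isakmp sa
```

Check which group-policy the tunnel actually picked up with show vpn-sessiondb l2l (7.x) before assuming the filter is in force; a tunnel-group that falls back to DfltGrpPolicy will silently run without the filter.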