Cisco PIX VPN access-lists

I am having difficulty configuring the VPN access-lists on a LAN to LAN IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running PIX version 7.1(2) and I have sysopt connection permit-vpn enabled, which, from what I understand, would then force access-list restrictions to be determined by the VPN group-policy and the access-list specified by the vpn-filter value setting. Currently, I am able to set traffic restrictions for the tunnel on the SSG, but I would prefer to be able to do this on the PIX. If I remove the traffic restrictions set on the SSG, then I have unfiltered access to the hosts on the PIX side of the tunnel. This is the case whether or not I have an access-list specified for the vpn-filter value setting. Is there something else simple that I'm missing?

Thanks, Lone


I haven't used PIX 7 (but used PIX 6 extensively), so I am not familiar with VPN group policies or vpn-filter.

In PIX 6, specifying sysopt connection permit-vpn would indicate that packets coming in over the VPN were exempt from all access-list restrictions. (Though whether the packet was allowed to cross the VPN at all would be determined by the crypto map access-list.)

-- Walter Roberson

Can you specify host and port access lists using that crypto map match address command? Unfortunately, since this is a PIX to SSG tunnel, I don't believe I can add additional entries to this access list because the entries in this list need to match the entry on the SSG side. Unfortunately, I can only designate a subnet on the SSG side. If I were to change this, I'm fairly sure that the tunnel will not build.

-- Lone

I've been working off of the information provided by this site:

It's describing everything that I want to do. I can also successfully use the vpn-filter command on the Remote Access connections that I've created on the same PIX. It's just the L2L tunnel that I'm having trouble with.

-- Lone

Sounds like maybe the ACLs may not be right. I always built three ACLs for this: one for nonat, one for phase two, and one for the group policy vpn-filter. The first two, for nonat and phase two, are typical: access-list 101 permit ip (local net) (remote net). The filter is a little tricky: you reverse the logic, access-list 102 permit tcp (remote net) (local net). You then allow access by adding eq protocol number following the network you want to allow access to. For example, if I wanted to allow a host behind the Juniper to access a web server behind the ASA, you would do this (192.168.1.2 = Juniper host, 192.168.2.2 = Cisco host):

access-list 102 permit tcp host 192.168.1.2 host 192.168.2.2 eq www

You then have to renegotiate phase 1 any time you make a change to the group policy ACL, by running clear isakmp sa.


-- jcle
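A PIX 7.x configuration that lays out the three ACLs jcle describes (NAT exemption, phase 2 match, and the reversed vpn-filter) and binds the filter to the L2L tunnel, as an added example that is not from this thread. The ACL, group-policy, transform-set and interface names, the two /24 subnets, and the `<...>` placeholders are assumptions; the phase 1 (isakmp) policy is left out.

```cisco
! Added example, not taken from the thread. Assumed layout:
!   192.168.2.0/24 = local net behind the PIX (host 192.168.2.2 = web server)
!   192.168.1.0/24 = remote net behind the SSG (host 192.168.1.2 = client)
!   <SSG-PEER-IP> and <PSK-PLACEHOLDER> are placeholders, not real values.
!
! 1. NAT exemption: written local -> remote.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Phase 2 proxy identity: written local -> remote and kept at whole-subnet "ip"
!    so it mirrors the single-subnet proxy-ID the SSG offers. Do NOT try to
!    restrict hosts/ports here; a mismatch stops phase 2 from completing.
access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L_CRYPTO
crypto map outside_map 10 set peer <SSG-PEER-IP>
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! 3. vpn-filter: the ONLY place host/port restriction belongs. Orientation is
!    reversed (source = remote, destination = local); an implicit deny ends it,
!    so anything not listed here is dropped even with sysopt connection permit-vpn.
access-list L2L_FILTER extended permit tcp host 192.168.1.2 host 192.168.2.2 eq www
!
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER
!
! Bind the policy to the L2L tunnel-group, keyed by the peer address.
tunnel-group <SSG-PEER-IP> type ipsec-l2l
tunnel-group <SSG-PEER-IP> general-attributes
 default-group-policy L2L_POLICY
tunnel-group <SSG-PEER-IP> ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
! 4. Tear down the live SAs so the group policy (and its filter) is picked up
!    when the tunnel is renegotiated; an existing tunnel keeps its old policy.
clear isakmp sa
!
! Verification after the tunnel comes back up:
!   show vpn-sessiondb l2l          -> confirms the session uses L2L_POLICY
!   show access-list L2L_FILTER     -> hit counts rise on permitted flows only
```

Keep the filter entries written with the remote side as source even for connections that start on the PIX side; the vpn-filter is evaluated both on decrypted traffic leaving the tunnel and on traffic about to enter it, using that same orientation.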

Ah. That's one thing I haven't tried yet. When I set the group policy it was against an already existing tunnel that I didn't break for the renegotiation to happen. I'll give it a shot. Thanks.

-- Lone
