How-to restrict traffic exiting VPN tunnel to certain hosts / ports ??

Greetings. My Cisco CLI is a bit rusty, so any help would be appreciated.

We have an IPsec tunnel terminating on our PIX whereby a third party gains access to a certain resource on our LAN. Which is well and good, and traffic flows fine. However (I have not verified this empirically), it seems that anything coming across the VPN tunnel destined to our network is able to access every resource for which a route exists... this I absolutely do not want. I wish this were as simple as applying an ACL to restrict the traffic entering our network via the tunnel to just one host/port. From trial and error and from what I have been reading... this seems impossible. I find that hard to believe given how capable the PIX is...

Is this in fact possible to do with an ACL and if so, how?



Reply to

I would imagine that you can create inbound and/or outbound access-lists and apply them to the inside interface of the device.

Check the access-list command to create the access list and access-group to apply it to the interface.

access-list acl_out permit tcp any host eq ftp
access-list acl_out deny ip any any

access-group acl_out out interface interface_name

Reply to

This could be done, but you will need to create an access-list for each of the inside and DMZ interfaces you want to limit traffic to. The solution I prefer is to remove the "sysopt permit ipsec" command, so you are forcing the PIX to match inbound IPsec packets against the outside interface access-list. Then you can simply add rules to the outside ACL to restrict traffic.

Reply to

See, I was thinking about applying an ACL to the egress traffic on the inside interface, the approach mentioned by both yourself and Chino. But this whole `sysopt permit ipsec` thing has me wondering. See, I don't have that line present in my config. I would rather apply the ACL to the outside interface, so I will look at doing that. The part I am getting confused about is that I have some ACLs that are "matched" to a certain tunnel, such as:

!
crypto map Reservations 11 ipsec-isakmp
 description Tunnel toNoWhere
 set peer
 set transform-set ESP-3DES-SHA1
 match address 106
!

I'm not sure what role this "match address" business plays; is that like "access-group"'ing an ACL to an interface?

Thanks for the tips though, makes sense!!!


Reply to

ponga wrote:

access-list 106 describes the traffic to be encrypted through the crypto map.

If you want to restrict traffic after or before encryption via the crypto map, refer to

Perhaps better: use a logical tunnel interface with IPsec profiles and tunnel protection. The config is more straightforward and also supports routing protocols.

Reply to
Uli Link
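Pulling the thread's advice together, here is a worked PIX configuration fragment that shows the two ACLs side by side: the crypto ACL that selects what gets encrypted (bound with `match address`) and the interface ACL that decides what decrypted traffic is allowed in (bound with `access-group`). This is an added example, not config posted by anyone in the thread. Everything concrete in it is assumed: the interface names outside/inside, the peer 203.0.113.10, the remote LAN 192.0.2.0/24, the local LAN 10.1.1.0/24, the single permitted host 10.1.1.50 on TCP 1433, and the ACL name outside_in. ISAKMP policy and pre-shared key lines are omitted. The full command name is `sysopt connection permit-ipsec` (PIX 6.x/7.0; renamed `sysopt connection permit-vpn` on ASA 7.2 and later).

```cisco
! Added example, not from the thread. All addresses are documentation ranges
! and every name/value below is an assumption for illustration.

! 1. Crypto ACL: which traffic is ENCRYPTED into the tunnel.
!    This is a selector, not a filter; it is referenced by "match address".
access-list 106 permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0

! Exempt the tunnel traffic from NAT (typical for a LAN-to-LAN tunnel).
nat (inside) 0 access-list 106

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map Reservations 11 ipsec-isakmp
crypto map Reservations 11 match address 106
crypto map Reservations 11 set peer 203.0.113.10
crypto map Reservations 11 set transform-set ESP-3DES-SHA1
crypto map Reservations interface outside

! 2. Stop decrypted IPsec packets from bypassing the outside interface ACL.
!    (On ASA 7.2+ the command is "no sysopt connection permit-vpn".)
no sysopt connection permit-ipsec

! 3. Interface ACL: which decrypted traffic is PERMITTED onto the LAN.
!    Only the third party's subnet, only to one host, only one port;
!    the explicit deny makes the intent (and the hit counter) visible.
access-list outside_in permit tcp 192.0.2.0 255.255.255.0 host 10.1.1.50 eq 1433
access-list outside_in deny ip 192.0.2.0 255.255.255.0 any
access-group outside_in in interface outside

! 4. Verify: hit counts on outside_in should rise for new sessions from
!    the peer LAN; the SA output confirms traffic is still encrypted.
show access-list outside_in
show crypto ipsec sa
```

Two points a practitioner will want to know. First, the PIX evaluates interface ACLs when a connection is created, not per packet, so sessions that were already up when the rules were added keep flowing and show no hit counts; tear them down (`clear xlate` on PIX 6.x) or wait for them to expire, then watch `show access-list` again. The ISAKMP and ESP packets themselves are addressed to the PIX and are not subject to the outside access-group, so they do not need permit lines there. Second, on PIX 7.x the sysopt command is enabled by default and is hidden from `show running-config` because it is a default; `show running-config all` displays it, which explains how a config can lack the line yet still let tunnel traffic bypass the outside ACL.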

Got it!! That's the part I was missing. I was not sure what that "match address" line was doing. Now I understand. Also, without the "sysopt permit ipsec" line, I *GUESS* that I am now able to apply rules to the ACL that is applied to the outside interface and therefore filter with that ACL. I'm guessing that's how that works. I've added rules to that ACL, but I am not seeing any counts for the rules I have added, though traffic is still flowing. Perhaps clear the crypto SAs... don't know. But I think I have a handle on it now.

Thanks to EVERYONE that replied!!


Reply to
ponga