Hi Firewallers,
I am facing a problem in configuring a port-selective access-list on the PIX Firewall (PIX 520, version 5.3(1)) used at the central hub location in a hub-and-spoke topology for terminating IPSec VPN tunnels. All the spoke locations use Cisco 1750 routers configured to terminate IPSec tunnels towards the PIX Firewall.
While applying the access-list in the crypto map match address option, the PIX Firewall gives a warning message as shown below.
PIX-Firewall(config)# crypto map internal 10 match address 111
WARNING: access-list has port selectors may have performance impact
PIX-Firewall# sh access-list 111
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq ftp (hitcnt=0)
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq ftp-data (hitcnt=0)
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq www (hitcnt=0)
PIX-Firewall#
When I use such an access-list, I find the data transfer inconsistent. The FTP session hangs more often when we start uploading a file.
This kind of access-list is a must for internal security between the spoke and central hub locations.
Of course, applying the same kind of access-list at the router end (a spoke location having a router) can provide some kind of restriction, but not as good as doing it at the firewall itself.
Has anyone come across this kind of issue? Is it possible to have this kind of config?
Waiting for your positive response.
Thanks in advance
Warm regards
Ashraf
_______________________________________________
Firewalls mailing list
Fire...@lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls
Well, it _was_ nice enough to tell you that using port selectors in your
crypto ACLs could have a performance impact...
I'm not sure exactly what you want to achieve, but I would suggest that
you remove those port matches in your crypto ACL, for a start. I'm also
a little worried about your ACL syntax - if the firewall is 172.16.1.100
then the ACLs look the wrong way around, but without looking at the
complete config I can't say for certain.
If you want to restrict the things that the "spoke" sites can access,
then you can either add individual ACLs on the 1750 routers (separate
from the crypto ACLs - just apply them on an interface) or you can deal
with it on the PIX as a separate ACL. If you have used the sysopt
command to implicitly permit all VPN traffic then doing it on the
firewall may be harder; I can't remember, offhand, if the incoming
traffic is still visible to the PIX outside interface when the "sysopt
permit-ipsec" command is used. If it is, you can just filter the traffic
there. At worst, you should be able to filter it outbound on the
internal interface(s), which will have the same effect, but isn't quite
as clean.
Good luck.
--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
[...]
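The split that Ben describes, with an IP-only crypto ACL and the port restriction moved into a separate interface ACL, as a PIX configuration fragment. This is an added example, not configuration from either poster; the ACL names crypto_spoke1 and outside_in are assumed, 172.16.1.100 is taken to be the hub host behind the PIX and 192.168.1.0/24 the spoke LAN as in the original post, lines starting with "!" are annotations for the reader, and the peer, transform-set and ISAKMP lines of the existing crypto map plus any NAT or static entries needed to reach the hub host are assumed to be already present and are omitted. The interface ACL only takes effect if "sysopt connection permit-ipsec" is not configured, which is the situation Ben was unsure about.

```cisco
! 1. Crypto ACL: IP-level only, no port selectors, so the
!    "access-list has port selectors" warning no longer applies.
!    On the PIX the crypto ACL is written from the PIX's own side:
!    local hub host as source, remote spoke network as destination.
!    The spoke router's crypto ACL holds the mirror image.
access-list crypto_spoke1 permit ip host 172.16.1.100 192.168.1.0 255.255.255.0
crypto map internal 10 match address crypto_spoke1
! (peer, transform-set and ISAKMP lines of crypto map "internal" unchanged)

! 2. Port restriction as a separate ACL on the outside interface.
!    Decrypted IPsec traffic is only subject to this ACL when the
!    sysopt bypass is off, hence the "no" form of the command.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq ftp
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq www
! ftp-data is not listed: the PIX FTP fixup ("fixup protocol ftp 21",
! on by default) opens the data channel dynamically for each session.
access-group outside_in in interface outside
```

One caveat worth keeping in mind with port-level crypto ACLs in general: a packet whose ports match no crypto ACL entry is simply not protected by the tunnel, and a flow that negotiates a port at run time (a passive-mode FTP data channel on an ephemeral server port, for instance) can therefore end up outside the tunnel and be dropped. Keeping the crypto ACL at the IP level and doing port filtering in the interface ACL, where the fixup can open the data channel, avoids that class of failure.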
Many thanks for the response.
The main objective of doing this is to restrict access to the hosts in the central hub LAN for some specific ports. This is basically to have internal security.
The problem I am facing in the data transfer is general and not specific to my configuration in the firewall. This problem occurs when we use a port-selective access-list for the IPSec traffic.
Since I am using the sysopt ipsec-permit command, I am not able to filter any traffic at the firewall.
I see this as a general issue in configuring an IPSec tunnel between a PIX and a firewall with port-filtering access-lists.
Hope I have made it clear.
Best regards
Ashraf
"Ben Nagy" <b...@iagu.net> on 10/30/2001 07:58:21 AM
To: Asraf Ali/Satyam@Satyam, fire...@lists.gnac.net
cc:
Subject: RE: Problem in using a port selective access-list for the IPsec VPN
traffic in PIX 520