IPSec Site-to-Site
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
in CCNP
I'm creating a site-to-site IPsec tunnel. I defined my ACL using port designations to restrict traffic to specific services. When I applied the ACL to the crypto map I received a warning that I may experience performance problems since I used port designations in my ACL. Has anyone ever experienced performance issues in doing this? How much latency/processor are we talking about? This device is an ASA 5510.
Comments
redwarrior Member Posts: 285
I'm not sure why you would want to specify specific ports in a crypto map ACL. Why not just specify the interesting traffic (networks, etc.) and then use a separate ACL to restrict what is allowed to cross the tunnel? Are you trying to set up a split-tunnel VPN and send some types of traffic out to the internet while others go through the VPN? If that's the case, I would think that any traffic heading from a remote site back to a protected network should be tunneled regardless of protocol?
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
mikearama Member Posts: 749
+1 to red
Actually, when I first read your post, ct, I thought "why not put ports in the acl". That way you could define the interesting traffic via the ranges defined, AND at the same time narrow down what protocols/applications can be used between the ranges.
But I checked our 5550 and 5540 acl's, and sure enough none have ports included... only ranges.
Did a little digging and found this cisco doc:
Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions - Cisco Systems
Scroll down to the Verify that ACLs are Correct section, and note the NOTE: Incorrect Example given... and how they highlighted the "eq 25". Go figure... they consider adding the port to be incorrect.
Interesting.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
redwarrior wrote: »I'm not sure why you would want to specify specific ports in a crypto map ACL. Why not just specify the interesting traffic (networks, etc.) and then use a separate ACL to restrict what is allowed to cross the tunnel? Are you trying to set up a split-tunnel VPN and send some types of traffic out to the internet while others go through the VPN? If that's the case, I would think that any traffic heading from a remote site back to a protected network should be tunneled regardless of protocol?
Perhaps my terminology is wrong. I thought the crypto map ACL is what specified the interesting traffic... that is allowed to cross the tunnel.
No split tunneling, I just need to allow another organization access to certain services on a few servers inside the network and I didn't want to allow anything else...
This is a fresh firewall. None of the site-to-sites had ports specified in them before, nor has there ever been a separate ACL to deny any traffic coming across the tunnel. I just wanted to take the opportunity to lock things down further without scheduling late night implementations, and specifying only the services necessary seemed like the easiest way to do that, UNTIL I got smacked with the big WARNING!!! message...
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
mikearama wrote: »+1 to red
Actually, when I first read your post, ct, I thought "why not put ports in the acl". That way you could define the interesting traffic via the ranges defined, AND at the same time narrow down what protocols/applications can be used between the ranges.
But I checked our 5550 and 5540 acl's, and sure enough none have ports included... only ranges.
Did a little digging and found this cisco doc:
Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions - Cisco Systems
Scroll down to the Verify that ACLs are Correct section, and note the NOTE: Incorrect Example given... and how they highlighted the "eq 25". Go figure... they consider adding the port to be incorrect.
Interesting.
Nice, I didn't know the no-nat rule actually wouldn't work if you used port designations. I didn't attempt the ports on the no-nat rule, which, now that I think about it, doesn't make a ton of sense anyway: doing the NAT rule one way and the crypto map another... I think you two got me headed down the right path now.
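Below is an added example that is not part of the thread and not Cisco's code. It puts the advice from redwarrior and mikearama (networks only in the crypto map ACL, service restriction in a separate ACL) and cisco_trooper's closing point about the no-nat rule into a small audit script: it parses an ASA config excerpt and flags any ACL bound to a `crypto map ... match address` or a `nat (...) 0 access-list` line whose entries carry a port operator (`eq`, `neq`, `lt`, `gt`, `range`). The embedded config is constructed for the example: the addresses, ACL names, peer IPs and map name are made up, it uses the pre-8.3 `nat 0 access-list` syntax that matches the "no-nat rule" wording in the thread, and crypto map entry 10 shows the OP's original approach beside entry 20, which uses a network-only crypto ACL and moves the port restriction into a `vpn-filter` ACL attached through the tunnel's group-policy.

```python
import re

# Constructed ASA 8.2-style config excerpt (not taken from the thread).
# Entry 10: ports inside the crypto map ACL (the approach that triggered the warning).
# Entry 20: network-only crypto ACL; the per-service restriction lives in
#           PARTNER_FILTER, applied as a vpn-filter on the tunnel's group-policy.
# vpn-filter ACEs are written remote-network -> local-network, and the port
# operator applies to the local side; the ASA checks them for both directions.
SAMPLE_CONFIG = """\
access-list PARTNER_CRYPTO_PORTS extended permit tcp host 10.1.1.10 eq 25 192.168.50.0 255.255.255.0
access-list PARTNER_CRYPTO_PORTS extended permit tcp host 10.1.1.11 eq 443 192.168.50.0 255.255.255.0
access-list PARTNER_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list PARTNER_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 25
access-list PARTNER_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.11 eq 443
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value PARTNER_FILTER
tunnel-group 203.0.113.20 general-attributes
 default-group-policy PARTNER_GP
crypto map OUTSIDE_MAP 10 match address PARTNER_CRYPTO_PORTS
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address PARTNER_CRYPTO
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP interface outside
"""

# ASA port operators that turn a network ACE into a per-service ACE.
PORT_OPS = re.compile(r"\b(eq|neq|lt|gt|range)\b")


def parse_config(text):
    """Collect extended ACLs, crypto map match-address bindings and nat 0 ACL references."""
    acls = {}          # ACL name -> list of ACE strings (text after 'extended')
    crypto_match = {}  # "MAPNAME seq" -> ACL name
    nat0 = []          # ACL names referenced by 'nat (ifc) 0 access-list'
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            crypto_match[f"{m.group(1)} {m.group(2)}"] = m.group(3)
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            nat0.append(m.group(1))
    return acls, crypto_match, nat0


def find_port_aces(acls, name):
    """Return the ACEs of the named ACL that carry a port operator."""
    return [ace for ace in acls.get(name, []) if PORT_OPS.search(ace)]


def audit(text):
    """Flag crypto map and NAT-exemption ACLs that restrict by port.

    Returns a list of (binding, acl_name, ace) tuples. ACLs used only as a
    vpn-filter or interface ACL are not reported: that is where the per-service
    restriction belongs.
    """
    acls, crypto_match, nat0 = parse_config(text)
    findings = []
    for entry, acl in crypto_match.items():
        for ace in find_port_aces(acls, acl):
            findings.append((f"crypto map {entry}", acl, ace))
    for acl in nat0:
        for ace in find_port_aces(acls, acl):
            findings.append(("nat 0", acl, ace))
    return findings


if __name__ == "__main__":
    for binding, acl, ace in audit(SAMPLE_CONFIG):
        print(f"{binding}: ACL {acl} has a port-specific entry: {ace}")
```

Run against the sample, the script reports only the two entries of `PARTNER_CRYPTO_PORTS` bound to crypto map entry 10; entry 20 and `NO_NAT` pass because they match on networks alone, and `PARTNER_FILTER` is left alone because it is referenced only from the vpn-filter. To use it on a real box, paste the output of `show running-config` in place of the constructed sample.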