Hi Firewallers,

I am facing a problem in configuring a port-selective
access-list in the PIX Firewall (PIX 520 Version 5.3(1)) used in the central
hub location in a hub and spoke terminology for terminating IPSec VPN Tunnels.
All the spoke locations are using Cisco 1750 routers configured to terminate
IPSec Tunnels towards the PIX Firewall.

While applying the access-list in the crypto map match address option the PIX
Firewall gives a warning message as shown below.

PIX-Firewall(config)# crypto map internal 10 match address 111
WARNING: access-list has port selectors may have performance impact
PIX-Firewall# sh access-list 111
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq ftp
(hitcnt=0)
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq
ftp-data (hitcnt=0)
access-list 111 permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.100 eq www
(hitcnt=0)
PIX-Firewall#

When I use such an access-list I am finding a problem of inconsistent data
transfer. The FTP session hangs more often when we start uploading a file.

This kind of an access-list is a must to have internal security between the
spoke and central hub location.

Of course, applying the same kind of an access-list at the router end (spoke
location having a router) can have some kind of restriction, but not as good as
doing it at the Firewall itself.

Has anyone come across this kind of an issue? Is it possible to have this kind of
a config?

Waiting for your positive response

Thanks in advance

Warm regards
Ashraf
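The following is an added example, not part of Ashraf's post and not Cisco code. It models the standard Cisco crypto-ACL semantics (an outbound packet is selected for IPsec when it matches the crypto ACL, and inbound traffic is checked against the mirrored ACL) and evaluates the three flows an FTP session produces against access-list 111 exactly as shown in the post. The client address, the ephemeral ports and the passive-mode data port are constructed sample values, and the network-only ACL at the end is a hypothetical alternative, not something the post configures. The point for a defender is a check: a crypto ACL with port selectors only selects flows whose ports it names, so a passive-mode FTP data connection (client to a high server port) falls outside it and is never handed to IPsec, while a network-only crypto ACL covers it and leaves port restriction to an interface ACL.

```python
"""Classify FTP flows against a Cisco-style crypto ACL with port selectors.

Added example, not from the original mailing-list post.  The ACL entries
reproduce the post's 'sh access-list 111' output with service names
resolved to port numbers; all other values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    src: str                   # source network in CIDR form
    dst: str                   # destination host or network in CIDR form
    dst_port: Optional[int]    # the 'eq' selector, or None for no port selector


# access-list 111 from the post: ftp=21, ftp-data=20, www=80
ACL_111 = [
    AclEntry("192.168.1.0/24", "172.16.1.100/32", 21),
    AclEntry("192.168.1.0/24", "172.16.1.100/32", 20),
    AclEntry("192.168.1.0/24", "172.16.1.100/32", 80),
]

# Hypothetical alternative (not in the post): network-to-network crypto ACL
# with no port selectors, so port filtering would live on an interface ACL.
ACL_NETWORK_ONLY = [AclEntry("192.168.1.0/24", "172.16.1.100/32", None)]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def matches_forward(entry: AclEntry, flow: Flow) -> bool:
    """Outbound evaluation: packet source/destination/port against the ACL."""
    return (
        ip_address(flow.src) in ip_network(entry.src)
        and ip_address(flow.dst) in ip_network(entry.dst)
        and (entry.dst_port is None or flow.dport == entry.dst_port)
    )


def matches_mirror(entry: AclEntry, flow: Flow) -> bool:
    """Inbound evaluation: the peer's reply is matched against the mirrored ACL."""
    return (
        ip_address(flow.dst) in ip_network(entry.src)
        and ip_address(flow.src) in ip_network(entry.dst)
        and (entry.dst_port is None or flow.sport == entry.dst_port)
    )


def is_interesting(acl: list, flow: Flow) -> bool:
    """True if the crypto ACL selects this flow for IPsec in either direction."""
    return any(matches_forward(e, flow) or matches_mirror(e, flow) for e in acl)


CLIENT = "192.168.1.10"    # constructed spoke-side host
SERVER = "172.16.1.100"    # the host named in access-list 111
EPHEMERAL = 40001          # constructed client ephemeral port
PASV_PORT = 50123          # constructed passive-mode data port on the server

# The three TCP connections an FTP session can open (constructed flows).
FTP_FLOWS = {
    "control (client -> server:21)": Flow(CLIENT, EPHEMERAL, SERVER, 21),
    "active data (server:20 -> client)": Flow(SERVER, 20, CLIENT, EPHEMERAL + 1),
    "passive data (client -> server:high)": Flow(CLIENT, EPHEMERAL + 2, SERVER, PASV_PORT),
}


def classify_ftp(acl: list = ACL_111) -> dict:
    """Map each FTP flow name to whether the given crypto ACL selects it."""
    return {name: is_interesting(acl, flow) for name, flow in FTP_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("access-list 111", ACL_111), ("network-only ACL", ACL_NETWORK_ONLY)):
        print(label)
        for name, selected in classify_ftp(acl).items():
            print(f"  {name:40s} {'IPsec' if selected else 'NOT selected'}")
```

Run it as a script to see the per-flow result for both ACLs; `classify_ftp()` returns the same table for use in a test or an audit script that reads a real `sh access-list` dump.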


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
