
PIX VPN to Watchguard Firebox

Status
Not open for further replies.

mgrazzi (Technical User), Oct 3, 2003
I'm trying to set up a site-to-site (actually a host-to-host) VPN between a PIX 515 and a WatchGuard Firebox Vclass V60. I'm able to set up the VPN connection, but my problem is I only want to pass traffic on port 80 back and forth through the tunnel. Everything else I want to drop. In the match address ACL I have replaced "access-list acl_vpn permit ip host host" with "access-list acl_vpn permit tcp host host eq 80". It spits out a warning about performance, but I am able to bring up the tunnel when I initiate the connection on the PIX side. When I try to initiate an HTTP connection on the WatchGuard side, the traffic is encrypted, passed through the tunnel and hits the outside interface of the PIX. Then the traffic is dropped. I am not using sysopt connection permit-ipsec because I want traffic coming out of the tunnel to hit the ACL bound to the outside interface, specifically "access-list acl_in permit tcp host host eq 80". I know it's not recommended to use port selectors on a match address ACL, but then how am I supposed to control what I want to pass through the tunnel?
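For reference, here is the layout the post describes written out as a PIX 6.x configuration fragment. This is an added illustration, not the poster's configuration: the crypto ACL carries only the host pair as the proxy identity (the "permit ip" form the post mentions), the port 80 restriction is enforced by acl_in on the outside interface, and sysopt connection permit-ipsec stays off so decrypted packets are still checked by that ACL. The addresses, the pre-shared key, and the map and transform-set names are constructed placeholders.

```cisco
! Constructed placeholders (the original post elides the real hosts):
!   192.0.2.10      host behind the PIX (inside)
!   198.51.100.10   host behind the Firebox
!   203.0.113.1     Firebox external (IKE peer) address
!
! Crypto ACL = proxy identity for the IPsec SA. Kept as "permit ip"
! so the SA covers the host pair; no port selector here.
access-list acl_vpn permit ip host 192.0.2.10 host 198.51.100.10
! Exempt tunnel traffic from NAT
nat (inside) 0 access-list acl_vpn
!
! Outside interface ACL: after decryption, only HTTP from the Firebox
! host to the PIX host is permitted; everything else is dropped here.
access-list acl_in permit tcp host 198.51.100.10 host 192.0.2.10 eq 80
access-group acl_in in interface outside
! Leave this off so decrypted traffic is subject to acl_in
no sysopt connection permit-ipsec
!
! IKE phase 1 (pre-shared key is a placeholder; algorithms are
! illustrative and must match the Firebox side)
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! IPsec phase 2, tied to the crypto ACL above
crypto ipsec transform-set wgset esp-3des esp-sha-hmac
crypto map wgmap 10 ipsec-isakmp
crypto map wgmap 10 match address acl_vpn
crypto map wgmap 10 set peer 203.0.113.1
crypto map wgmap 10 set transform-set wgset
crypto map wgmap interface outside
```

The Firebox policy must use the same host pair as its tunnel selector; a mismatch between its selector and acl_vpn is one reason a tunnel that comes up from one side can still drop traffic initiated from the other.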