In article < XXXX@XXXXX.COM >,
:In article < XXXX@XXXXX.COM >,
: XXXX@XXXXX.COM says...
:> My question is then : on my router, can I restrict some ports (such as
:> telnet or ftp) to vpn only allowed connections, and other ports would
:> be routed normally (ie not encrypted)?
:Yes, when you specify "interesting traffic" for VPN, permit just the telnet
:port, and deny the others.
That's not supported on the PIX; I don't know if any IOS release supports
it. It is something that is allowed under the IPSec protocols, but marked
as being optional to support.
:> not want to encrypt all the connections to this box, since this box
:> has to "talk" with other equipment on the network (specific protocols
:> and specific ports, no telnet-like apps involved here).
If you can nail down an IP address source range from the manufacturer,
then have your crypto map ACL only match on that range; anything not
going between those defined endpoints wouldn't be protected.
If you can't nail down an IP address source range from the manufacturer,
you could perhaps use the Easy VPN feature. With Easy VPN, the
remote host is normally allocated an IP address dynamically, and you
set up your ACLs so that the pool you choose is all that is allowed
telnet access to the target device. The router (or PIX if you were
using PIX) would create a dynamic SA mapping the real source IP to
the dynamic IP, and because that's the only use of that dynamic IP,
no other traffic to any other host is going to be matched by the SA
and so nothing else will need to be protected. The Cisco VPN Client uses Easy VPN.
I would, though, not suggest using PPTP instead of Easy VPN: PPTP
does have the same behaviour with respect to dynamic IPs, but with
PPTP you cannot do a split-access ACL -- which has implications for
DNS, for the ability to access files on their own local network, the
ability to access WWW sites to check out documentation, and so on.
Preposterous!! Where would all the calculators go?!
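As an added worked example (mine, not from any poster in this thread) of the first approach described above on Cisco IOS: a static crypto map whose ACL matches only traffic between the managed box and the vendor's source range, so everything else the box does is routed in the clear, plus an interface ACL that limits telnet and FTP control connections to that range. All addresses, interface names and the pre-shared key are placeholders I chose for illustration.

```cisco
! Added example, not from the original thread. Placeholders: managed box =
! 10.0.0.5 on the inside segment, vendor source range = 192.0.2.0/24 reached
! via IPsec peer 203.0.113.10, router outside address = 198.51.100.1.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto ipsec transform-set VENDOR-TS esp-aes esp-sha-hmac
!
! Crypto ACL = "interesting traffic". Only packets between the box and the
! vendor range are encrypted; the box's sessions to other equipment on
! 10.0.0.0/24 or anywhere else never match this ACL and pass unencrypted.
ip access-list extended VENDOR-CRYPTO-ACL
 permit ip host 10.0.0.5 192.0.2.0 0.0.0.255
!
crypto map VENDOR-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VENDOR-TS
 match address VENDOR-CRYPTO-ACL
!
! Admin ports to the box only from the vendor range, which can reach the box
! only through the tunnel (clear-text packets claiming a crypto-ACL source
! are dropped by IOS on the crypto-mapped interface). Other ports untouched.
! Note: this covers the FTP control channel only; FTP data channels (active
! port 20 or passive dynamic ports) need separate handling.
ip access-list extended BOX-ADMIN-GUARD
 permit tcp 192.0.2.0 0.0.0.255 host 10.0.0.5 eq telnet
 permit tcp 192.0.2.0 0.0.0.255 host 10.0.0.5 eq ftp
 deny   tcp any host 10.0.0.5 eq telnet
 deny   tcp any host 10.0.0.5 eq ftp
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.0
 crypto map VENDOR-MAP
!
interface GigabitEthernet0/1
 description Inside segment holding the managed box
 ip address 10.0.0.1 255.255.255.0
 ip access-group BOX-ADMIN-GUARD out
```

The decrypted vendor packets and the box's clear-text traffic both cross the inside interface, so the outbound guard ACL is evaluated regardless of whether a packet arrived through the tunnel.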