[c-nsp] Restricting vpn client access on 506e

Kristofer Sigurdsson ks at rhi.hi.is
Tue May 31 12:29:25 EDT 2005


Hi,

Comments inline.

On Tue, 2005-05-31 at 12:04 -0400, Serguei Bezverkhi wrote:
> Hi,
> 
> You need to disable explicit permit of IPSec traffic by using:
> 
> No sysopt connection permit-ipsec
> 
> Then you need to add permit for IPSec traffic which you want to allow to
> your outside access list.

I don't think this would work, as the firewall cannot distinguish 
between types of traffic encapsulated in an IPSEC tunnel.

> 
> HTH 
> 
> Serguei
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Beltrame
> Sent: Tuesday, May 31, 2005 11:55 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Restricting vpn client access on 506e
> 
> What is the best way to restrict traffic for clients who are VPN'ing
> to the server using the cisco vpn client.  I want to be able to
> restrict them to tcp 3389 only.  I try to add that to the split tunnel
> acl, but no luck.  Any ideas would be great :)

You could try access lists on the VPN server.  Assuming your PIX 506e is
the VPN server, you could use egress access lists on its inside
interface to control access from the IP addresses you use for VPN
connections.

-- 
Kristófer Sigurðsson         | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfr./Network specialist | Reiknistofnun HÍ/University of Iceland
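The approach quoted from Serguei's message, written out as a PIX 6.3 configuration fragment. This is an added example and not configuration from either poster; the pool 10.10.10.0/24, the RDP host 192.168.1.20 and the ACL and group names are constructed, and lines starting with `!` are annotations rather than PIX commands.

```cisco
! Address pool handed to Cisco VPN Client users (constructed values)
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup rdpusers address-pool vpnpool
vpngroup rdpusers split-tunnel split_acl
! Split-tunnel ACLs select networks to tunnel; they do not filter by port,
! which is why adding tcp/3389 there has no effect
access-list split_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! Exempt tunnelled traffic from NAT
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Remove the implicit permit for decrypted IPsec traffic so it is
! checked against the outside interface ACL after decryption
no sysopt connection permit-ipsec
! Assumption: IKE/ESP terminating on the PIX itself needs no entry here.
! Decrypted client packets: allow only RDP to the one host, log the rest
access-list outside_in remark VPN clients may only reach the RDP host
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
access-list outside_in deny ip 10.10.10.0 255.255.255.0 any log
access-group outside_in in interface outside
```

Once `sysopt connection permit-ipsec` is disabled, every IPsec tunnel terminating on the PIX (LAN-to-LAN as well as client) is subject to the outside ACL, so existing site-to-site traffic must be permitted there too or it will be dropped.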
