[c-nsp] Restricting vpn client access on 506e

Serguei Bezverkhi sbezverkhi at hotmail.com
Tue May 31 12:37:47 EDT 2005


That is how I implemented, and it was working.

Serguei
-----Original Message-----
From: Kristofer Sigurdsson [mailto:ks at rhi.hi.is] 
Sent: Tuesday, May 31, 2005 12:29 PM
To: Serguei Bezverkhi
Cc: 'Jason Beltrame'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Restricting vpn client access on 506e

Hi,

Comments inline.

On Tue, 2005-05-31 at 12:04 -0400, Serguei Bezverkhi wrote:
> Hi,
> 
> You need to disable explicit permit of IPSec traffic by using:
> 
> No sysopt connection permit-ipsec
> 
> Then you need to add permit for IPSec traffic which you want to allow to
> your outside access list.

I don't think this would work, as the firewall cannot distinguish 
between types of traffic encapsulated in an IPSEC tunnel.

> 
> HTH 
> 
> Serguei
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Beltrame
> Sent: Tuesday, May 31, 2005 11:55 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Restricting vpn client access on 506e
> 
> What is the best way to restrict traffic for clients who are VPN'ing
> to the server using the cisco vpn client.  I want to be able to
> restrict them to tcp 3389 only.  I try to add that to the spit tunnel
> acl, but no luck.  Any ideas would be great :)

You could try access lists on the VPN server.  Assuming your PIX 506e is
the VPN server, you could use egress access lists on it's inside 
interface to control access from the IP addresses you use for VPN 
connections.

-- 
Kristófer Sigurðsson         | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfr./Network specialist | Reiknistofnun HÍ/University of Iceland



More information about the cisco-nsp mailing list