https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360390#M1056888 <P>Hello,</P><P></P><P>How can i add acess-list to vpn client that connect to the PIx VPN.</P><P>I tried to use :</P><P>access-list outacl deny tcp 10.1.198.1 10.1.32.1</P><P>but it seems not working</P><P>(10.1.198.0-10.1.198.254 is the vpnpool)</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 07:41:01 GMT e-mourad 2020-02-21T07:41:01Z https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360390#M1056888 <P>Hello,</P><P></P><P>How can i add acess-list to vpn client that connect to the PIx VPN.</P><P>I tried to use :</P><P>access-list outacl deny tcp 10.1.198.1 10.1.32.1</P><P>but it seems not working</P><P>(10.1.198.0-10.1.198.254 is the vpnpool)</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 07:41:01 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360390#M1056888 e-mourad 2020-02-21T07:41:01Z https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360391#M1056889 <HTML><HEAD></HEAD><BODY><P>You can define downloadable access-lists on VPN concentrators to apply firewall policies on a VPN client. You cannot do this in a PIX. What exactly do u want to block ? Please let us know a complete picture of your scenario.</P></BODY></HTML> Sat, 16 Oct 2004 07:53:03 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360391#M1056889 sachinraja 2004-10-16T07:53:03Z https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360392#M1056891 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have configured teh PIX to become a VPN server. This my config :</P><P></P><P>aaa-server partnerauth protocol radius</P><P>aaa-server partnerauth (inside) host 10.1.1.11 cisco timeout 5</P><P>ip local pool vpnpool 10.1.198.1-10.1.198.254</P><P>sysopt connection permit-ipsec</P><P>sysopt connection permit-pptp</P><P>no sysopt route dnat</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac</P><P>crypto dynamic-map dynmap 10 set transform-set myset</P><P>crypto map mymap 10 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap client authentication partnerauth</P><P>crypto map mymap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp client configuration address-pool local vpnpool outside</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 86400</P><P>vpngroup vpn3000 address-pool vpnpool</P><P>vpngroup vpn3000 dns-server 193.95.66.10</P><P>vpngroup vpn3000 wins-server 10.1.32.2</P><P>vpngroup vpn3000 default-domain NOUVELAIR</P><P>vpngroup vpn3000 idle-time 1800</P><P>vpngroup vpn3000 password ********</P><P></P><P>---------------------------------------------</P><P>I want that the vpn client with IP@ 10.1.198.2 bi blocked when it attempts to connect to the http server with IP 10.1.32.0.</P><P>How can i do that ?</P><P></P><P>Thanks for all</P></BODY></HTML> Tue, 19 Oct 2004 06:35:50 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360392#M1056891 e-mourad 2004-10-19T06:35:50Z https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360393#M1056892 <HTML><HEAD></HEAD><BODY><P>The IP pool is dynamic and will not assign 10.1.198.2 to only a single user. Anyway, if you want to block the IP 10.1.198.2 not to allow http access with the IP 10.1.32.x, you can do this simply by denying this on the nonat access-list. This is taking into consideration , the IP pool defined is on a different subnet than the inside interface.</P><P></P><P>If the IP Pool is defined on the same subnet as the inside interface, then deny this using the inside access-list , if defined.</P><P></P><P>Please let me know, if my understanding about ur problem is fine !!</P><P></P><P></P></BODY></HTML> Wed, 20 Oct 2004 07:45:39 GMT https://community.cisco.com/t5/network-security/vpn-client-access-list/m-p/360393#M1056892 sachinraja 2004-10-20T07:45:39Z