topic How to restrict some VPN clients accessing some tcp port inside PIX525? in Network Security

How to restrict some VPN clients accessing some tcp port inside PIX525?

jennies_cisco — Fri, 21 Feb 2020 07:52:59 GMT

I have a PIX 525 configured as a firewall with VPN function, but these two lines didn't work:

access-list 100 deny tcp 192.168.12.0 255.255.255.0 eq 10001 host 172.16.5.23

access-list 100 deny tcp 192.168.12.0 255.255.255.0 host 172.16.5.23 eq 10001

but the line :

access-list 100 deny ip 192.168.12.0 255.255.255.0 host 172.16.5.23

can work. I'm confused,and can you help me?

the pix configured as below:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

...

nameif ethernet0 outside security0

nameif ethernet1 inside security100

...

enable password ......

passwd .......

hostname pixwall

domain-name cispix.com

fixup protocol dns maximum-length 512

...

names

access-list 100 permit ip 192.168.11.0 255.255.255.0 172.16.5.0 255.255.255.0

access-list 100 deny tcp 192.168.12.0 255.255.255.0 eq 10001 host 172.16.5.23

access-list 100 deny tcp 192.168.12.0 255.255.255.0 host 172.16.5.23 eq 10001

access-list 100 deny ip 192.168.12.0 255.255.255.0 host 172.16.5.23

access-list 100 permit ip 192.168.12.0 255.255.255.0 172.16.5.0 255.255.255.0

access-list 110 permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0

access-list 120 permit ip ....

...

pager lines 24

logging monitor debugging

logging buffered debugging

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside *.*.*.* 255.255.255.0

ip address inside 192.168.11.* 255.255.255.0

no ip address intf2

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

...

ip local pool zhpl 172.16.5.23

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm location 1.1.1.0 255.255.255.0 outside

pdm location 192.168.11.0 255.255.255.0 inside

pdm history enable

arp timeout 14400

global (outside) 1 ......

nat (inside) 0 access-list 100

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

static (inside,outside) ......

access-group 120 in interface outside

route outside ... ...

route inside 192.168.12.0 255.255.255.0 192.168.11.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20 set transform-set myset

crypto map newmap 20 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255

isakmp identity address

isakmp keepalive 50

isakmp nat-traversal 100

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup zh01 address-pool zhpl

vpngroup zh01 dns-server ......

vpngroup zh01 split-tunnel 100

vpngroup zh01 idle-time 18000

vpngroup zh01 secure-unit-authentication

vpngroup zh01 password ********

telnet 172.16.5.0 255.255.255.0 outside

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 40

ssh timeout 5

...

Re: How to restrict some VPN clients accessing some tcp port ins

sachinraja — Mon, 24 Jan 2005 11:04:12 GMT

Hello jenies,

seems to be a bit strange. try to put a syslog server or any sniffer application and see what exactly happens when you connect on 10001 port on 192.168.12.0 segment. is telnet on 10001 port happening if you dont have the 4th line ? ie

access-list 100 deny ip 192.168.12.0 255.255.255.0 host 172.16.5.23 ??

you can also do a local logging,instead of putting a syslog and see if the access-list is really doing anything to drop packets.

Raj

Re: How to restrict some VPN clients accessing some tcp port ins

jennies_cisco — Tue, 25 Jan 2005 05:16:40 GMT

The fourth line "access-list 100 deny ip 192.168.12.0 255.255.255.0 host 172.16.5.23 " deleted, I use the command "netstat -an" in the client host 172.16.5.23,and I can found the TCP connection established at the port 10001.

Re: How to restrict some VPN clients accessing some tcp port ins

JOOST HAGE — Mon, 20 Mar 2006 10:46:19 GMT

Hi, the problem is that in this config acl 100 is used to define the vpn-domain ('vpngroup zh01 split-tunnel 100') and can therefore not contain port definitions (ie: "permit/deny ip" is ok, "permit/deny tcp eq x" is not).

You can resolve this by doing the following 2 things:

1. Remove the 'sysopt connection permit-ipsec' line as it creates a 'permit ip any any' rule for all tunneled (ipsec) traffic.

2. Add the required policy to the interface the vpn is terminated on (in this case: outside). Don't forget to use the vpn-pool as source addresses:

access-list 120 permit ip 172.16.5.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 120 deny tcp host 172.16.5.23 192.168.12.0 255.255.255.0 eq 10001

...

Hope this helps

Re: How to restrict some VPN clients accessing some tcp port ins

jennies_cisco — Tue, 21 Mar 2006 01:21:18 GMT

Thank you,it's OK.