04-23-2003 03:07 PM - edited 02-20-2020 10:42 PM
I have a PIX 6.2 with 6 interfaces and VPN client 3.0. I have configured the firewall to permit a VPN connection using the following config:
access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
* plus the vpngroup and isakmp configuration
The problem is that I only want the VPN client to access my x.x.x.x network in the dmz2, but the VPN client can access all the computers in the internal, dmz1, dmz3, etc. (all the interfaces).
Is there any way to limit this access to specific interfaces or, much better, to specific machines?
Thanks in advance.
04-23-2003 04:26 PM
That seems kind of strange that you can hit the other interfaces. I would be interested in seeing the NAT statements for those interfaces.
But to answer your question, there are a couple of ways you can do it. Remove "sysopt connection permit-ipsec" and add access-list statements to your outside interface ACL for the VPN users, or use downloadable ACLs if you have the resources to do so.
Regards,
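One way to apply the first approach above, as an added example that is not the poster's or Cisco's own configuration: x.x.x.x/24 is the dmz2 network and y.y.y.y/24 the VPN client pool from the question; the ACL name outside_in and the host placeholder <dmz2-server> are assumptions.

```cisco
! Added example, not the original poster's config.
! Assumptions: x.x.x.x/24 = dmz2 network, y.y.y.y/24 = VPN client address pool,
! outside_in = name of the outside interface ACL, <dmz2-server> = one dmz2 host.

! 1) Stop decrypted IPsec traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec

! 2) Permit only the decrypted client traffic you actually want.
!    Narrowest form: one host and one service.
access-list outside_in permit tcp y.y.y.y 255.255.255.0 host <dmz2-server> eq 443
!    Broader form: the whole dmz2 network, nothing else.
access-list outside_in permit ip y.y.y.y 255.255.255.0 x.x.x.x 255.255.255.0

! 3) Explicit deny for the pool toward anything else (the implicit deny at the
!    end of the ACL would drop it anyway; this line documents the intent).
access-list outside_in deny ip y.y.y.y 255.255.255.0 any

! 4) Apply the ACL inbound on the outside interface.
access-group outside_in in interface outside

! 5) Keep the NAT exemption scoped to the same dmz2 <-> pool pair, so return
!    traffic is only exempted for the network the clients are allowed to reach.
access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
```

Any client packet for inside, dmz1 or dmz3 now fails the outside_in ACL before it reaches the NAT or routing stage, and the ACL hit counters (show access-list outside_in) show which rule is matching.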
04-24-2003 07:38 AM
I have nat (interface) 1 0 0 for all the interfaces, but if I am allowing the VPN user access to a lower security interface (dmz), why can the VPN user access the higher interface (inside) and all the others?
Thank you.