1215 Views | 0 Helpful | 3 Replies

PIX 515 and VPN CLIENT not using RADIUS

jmondaca
Level 1

I'm using the VPN client 3.6 to grant access to a PC on my network using the following:

access-list 80 permit ip host 10.0.0.14 host 192.168.15.1

nat 0 access-list 80

But with this configuration the user who connects to my network has complete access to the PC 10.0.0.14. I want to limit this access only to telnet, for example.

Is there any way to do this without using a RADIUS server?

Thanks in advance.

3 Replies

gfullage
Cisco Employee

I set this up and played around for a while and can't get it to work. The best I can do is stop the external user from pinging the inside host with:

> access-list outbound deny ip host 10.0.0.14 host 192.168.15.1

> access-list outbound permit ip any any

> access-group outbound in interface inside

All other TCP and UDP based packets go through the PIX's ASA and a hole is opened up to allow them back out (just like outbound packets are allowed back in without having to be specifically permitted). ICMP packets don't go through the ASA and therefore can be denied with an ACL.

You also can't use ports in a NAT 0 ACL, so that doesn't work either.

Sorry, I can't think of anything.

HEATH FREEL
Level 1

You need to tell the PIX NOT to explicitly allow IPsec traffic with the "no sysopt permit-ipsec" command. This will force the VPN traffic to use the rules that allow inbound traffic.

If you were using conduits:

conduit permit tcp host 10.0.0.14 eq 23 host 192.168.15.1

Access-lists:

access-list to-inside permit tcp host 192.168.15.1 host 10.0.0.14 eq 23

and apply it to the outside interface.

I hope that helps.
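Putting the pieces of the reply above together, as an added example (not configuration from the thread or from Cisco): a PIX 6.x configuration that leaves the VPN client with telnet-only access to the inside host, using the addresses from the thread. The ACL name `to-inside`, the `(inside)` keyword on the nat statement and the verification commands are assumptions; the full PIX 6.x form of the sysopt command the reply refers to is `sysopt connection permit-ipsec`.

```text
! Added example, not from the thread. Addresses as used in the thread:
! inside host 10.0.0.14, VPN client (pool address) 192.168.15.1.

! 1. Keep the NAT exemption. nat 0 only stops the host from being
!    translated for the VPN client; it does not grant or restrict access.
access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
nat (inside) 0 access-list 80

! 2. Stop the PIX from bypassing interface ACLs for IPsec-decrypted traffic,
!    so tunnel traffic is checked by the outside interface ACL like any
!    other inbound packet.
no sysopt connection permit-ipsec

! 3. Permit only the protocol you want from the VPN client to the host.
!    Anything else from the tunnel falls through to the implicit deny.
access-list to-inside permit tcp host 192.168.15.1 host 10.0.0.14 eq 23

! 4. Bind the ACL inbound on the outside interface (where the tunnel
!    terminates). Assumed ACL name; pick one that does not clash with
!    an existing access-group on that interface.
access-group to-inside in interface outside

! Check: the hit count on the telnet line should grow when the client
! connects on TCP/23; other attempts from 192.168.15.1 should appear
! as ACL denies in the log.
show access-list to-inside
show logging
```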

I tried using "no sysopt permit-ipsec" and using the access-list you suggested, but the entire hole is still open.

Do I have to erase the nat 0 or anything else?

Thanks,
