
VPN Client access-list

e-mourad
Level 1

Hello,

How can I add an access-list to a VPN client that connects to the PIX VPN?

I tried to use :

access-list outacl deny tcp 10.1.198.1 10.1.32.1

but it does not seem to work.

(10.1.198.0-10.1.198.254 is the vpnpool)

Thanks

3 Replies

sachinraja
Level 9

You can define downloadable access-lists on VPN concentrators to apply firewall policies on a VPN client. You cannot do this on a PIX. What exactly do you want to block? Please give us the complete picture of your scenario.

Hello,

I have configured the PIX to act as a VPN server. This is my config:

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.1.1.11 cisco timeout 5
ip local pool vpnpool 10.1.198.1-10.1.198.254
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 193.95.66.10
vpngroup vpn3000 wins-server 10.1.32.2
vpngroup vpn3000 default-domain NOUVELAIR
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

---------------------------------------------

I want the VPN client with IP 10.1.198.2 to be blocked when it attempts to connect to the HTTP server with IP 10.1.32.0.

How can i do that ?

Thanks for all

The IP pool is dynamic and will not assign 10.1.198.2 to only a single user. Anyway, if you want to block the IP 10.1.198.2 from HTTP access to 10.1.32.x, you can do this simply by denying it on the nonat access-list. This takes into consideration that the IP pool defined is on a different subnet than the inside interface.

If the IP pool is defined on the same subnet as the inside interface, then deny this using the inside access-list, if defined.

Please let me know if my understanding of your problem is fine!
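The following is an added example for this thread, written by the editor and not posted by either participant. It audits a constructed excerpt of the configuration above together with the access-list the original poster tried, and reports three things a PIX 6.x administrator would check before expecting an ACL to filter VPN clients: the entry's address syntax (PIX takes "any", "host A", or "A MASK"; two bare addresses are read as a network/mask pair, so the posted line has no destination), whether the list is bound with access-group at all, and whether "sysopt connection permit-ipsec" is present, since that command lets decrypted IPsec traffic bypass the interface access-lists. The helper names (parse_pools, check_ace, build_ace, audit) and the sample configuration are this example's own, not PIX commands.

```python
"""Audit a PIX 6.x config for why a VPN-client access-list has no effect.

Added example; the sample config is a constructed excerpt of the thread's
configuration plus the access-list the poster tried. Helper names are
this example's own.
"""
import ipaddress
import re

# Constructed sample: pool, the sysopt that bypasses interface ACLs for
# IPsec traffic, and the malformed access-list from the original post.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.1.198.1-10.1.198.254
sysopt connection permit-ipsec
access-list outacl deny tcp 10.1.198.1 10.1.32.1
crypto map mymap interface outside
isakmp client configuration address-pool local vpnpool outside
vpngroup vpn3000 address-pool vpnpool
"""


def is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def parse_pools(config):
    """Return {pool_name: (first, last)} from 'ip local pool NAME A-B' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                             ipaddress.IPv4Address(m.group(3)))
    return pools


def in_pool(ip, pools):
    """True if ip falls inside any defined VPN address pool."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in pools.values())


def take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'.
    A bare 'A B' pair is a network/mask pair, never two hosts."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) > 1 and tokens[0] == "host" and is_ipv4(tokens[1]):
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) > 1 and is_ipv4(tokens[0]) and is_ipv4(tokens[1]):
        return f"{tokens[0]} mask {tokens[1]}", tokens[2:]
    return None, tokens


def check_ace(line):
    """Return None if the access-list entry is well formed, else a diagnostic."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return "not an access-list entry"
    src, rest = take_addr(t[4:])
    if src is None:
        return "source address is neither 'any', 'host A', nor 'A MASK'"
    dst, rest = take_addr(rest)
    if dst is None:
        return f"source parsed as '{src}'; destination missing or malformed"
    return None


def build_ace(name, action, proto, src, dst, dport=None):
    """Emit a well-formed PIX ACE; src/dst are 'any', 'A.B.C.D' or 'A.B.C.D/len'."""
    def spec(a):
        if a == "any":
            return "any"
        net = ipaddress.IPv4Network(a, strict=False)
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    ace = f"access-list {name} {action} {proto} {spec(src)} {spec(dst)}"
    return ace + (f" eq {dport}" if dport else "")


def audit(config):
    """List the reasons VPN-client filtering in this config will not take effect."""
    findings = []
    pools = parse_pools(config)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = set(re.findall(r"^access-group (\S+)\s", config, re.M))
    if "sysopt connection permit-ipsec" in lines:
        findings.append("sysopt connection permit-ipsec: decrypted IPsec traffic "
                        "bypasses interface access-lists, so an outside ACL "
                        "never sees VPN-client packets")
    for l in lines:
        if not l.startswith("access-list "):
            continue
        t = l.split()
        name = t[1]
        err = check_ace(l)
        if err:
            findings.append(f"{name}: {err}: {l}")
        if name not in bound:
            findings.append(f"{name}: not applied with 'access-group {name} "
                            "in interface ...'")
        if "host" in t and t.index("host") + 1 < len(t):
            h = t[t.index("host") + 1]
            if in_pool(h, pools):
                findings.append(f"{name}: matches pool address {h}, which is "
                                "assigned dynamically to whichever client comes next")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
    print(build_ace("outacl", "deny", "tcp", "10.1.198.2", "10.1.32.1", "www"))
```

Running it on the sample prints the three findings and a syntactically valid replacement entry. The last finding restates the reply's point that pool addresses are not tied to a user, which is why filtering a single pool address is only a stopgap.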
