access-list for vpdn

rezaul.karim
Level 1

pix 515 version 6.3

VPDN is enabled from outside for accessing only one inside server as www. These are the statements:

access-list 103 permit tcp host 172.20.1.19 eq www any

access-list 103 permit ip host 172.20.1.19 any

nat (inside) 0 access-list 103

VPN is working fine and is also accessing the 19 server, including the UNC path.

Now I want to restrict UNC path access.

Whenever I remove the ip access-list, I cannot access the 19 server as www.

Can anyone help?

2 Replies

jackko
Level 7

No-NAT ACL and crypto ACL cannot be used to restrict remote VPN access down to the protocol/port level.

To achieve this objective, the command "sysopt connection permit-ipsec" needs to be disabled first, and then an inbound ACL configured. With the command "sysopt connection permit-ipsec" disabled, all VPN traffic will be examined by the PIX against the inbound ACL.

e.g.

no sysopt connection permit-ipsec

access-list 111 permit tcp any host 172.20.1.19 eq www

access-group 111 in interface outside

Please note that all VPN-related traffic will be affected by disabling the command "sysopt connection permit-ipsec"; in other words, the inbound ACL needs to include all VPN traffic.
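To make the difference between the two ACLs in this thread concrete, here is a small first-match evaluator for the PIX 6.x extended-ACL subset used above. It is an added example written for this page, not PIX code and not posted by either participant. It parses the original poster's no-NAT ACL 103 (which, as the reply says, exempts traffic from NAT and does not filter it) and the inbound ACL 111 from the reply, then shows which VPN-client flows ACL 111 permits: TCP/80 to 172.20.1.19 is allowed, while SMB (TCP/445) and NetBIOS (TCP/139) to the same server fall through to the implicit deny. The two extra ACL 111 lines for TCP/1723 and GRE are a constructed illustration of the reply's caveat that the inbound ACL must also carry the VPN's own traffic once the sysopt bypass is off (for a PPTP VPDN the corresponding PIX 6.3 bypass is "sysopt connection permit-pptp"); the outside-interface address and the client address are placeholders, and the port keyword table is deliberately tiny.

```python
"""Toy first-match evaluator for the PIX 6.x extended-ACL subset used in the thread.

Added example; not PIX code and not from the thread. Grammar handled:
  access-list <id> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
with <src>/<dst> = 'any' | 'host A.B.C.D'. Anything else raises ValueError.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PIX port keywords used below; numeric ports are accepted as well (assumption:
# only these two keywords are needed for the lines in this example).
PORT_KEYWORDS = {"www": 80, "pptp": 1723}


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Optional[str]         # None means 'any'
    src_port: Optional[int]    # None means no 'eq' on the source side
    dst: Optional[str]
    dst_port: Optional[int]


def _port(tok: str) -> int:
    return PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)


def parse_acl_line(line: str) -> Tuple[str, AclEntry]:
    """Parse one 'access-list ...' line into (acl_id, entry)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    acl_id, action, proto = tok[1], tok[2], tok[3]
    rest = tok[4:]

    def take_addr() -> Optional[str]:
        nonlocal rest
        if rest and rest[0] == "any":
            rest = rest[1:]
            return None
        if len(rest) >= 2 and rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return addr
        raise ValueError(f"bad address in: {line!r}")

    def take_port() -> Optional[int]:
        nonlocal rest
        if len(rest) >= 2 and rest[0] == "eq":
            port, rest = _port(rest[1]), rest[2:]
            return port
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    if rest:
        raise ValueError(f"trailing tokens in: {line!r}")
    return acl_id, AclEntry(action, proto, src, sport, dst, dport)


def parse_config(lines: List[str]) -> Dict[str, List[AclEntry]]:
    """Group ACL lines by id in order; non-ACL config lines are ignored."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in lines:
        if line.strip().startswith("access-list"):
            acl_id, entry = parse_acl_line(line.strip())
            acls.setdefault(acl_id, []).append(entry)
    return acls


def evaluate(acl: List[AclEntry], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> str:
    """Top-down, first matching entry wins; no match is the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.src is not None and e.src != src:
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst is not None and e.dst != dst:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"


# Constructed config: the thread's no-NAT ACL 103, the sysopt change, and the
# inbound ACL 111 extended with the VPN's own traffic (PPTP control on
# TCP/1723 and GRE to the outside interface). Addresses below are placeholders.
OUTSIDE_IP = "198.51.100.1"   # placeholder: PIX outside interface address
VPN_CLIENT = "10.10.10.5"     # placeholder: address of a connected VPN client

CONFIG = [
    "access-list 103 permit tcp host 172.20.1.19 eq www any",
    "access-list 103 permit ip host 172.20.1.19 any",
    "nat (inside) 0 access-list 103",
    "no sysopt connection permit-ipsec",
    f"access-list 111 permit tcp any host {OUTSIDE_IP} eq pptp",
    f"access-list 111 permit gre any host {OUTSIDE_IP}",
    "access-list 111 permit tcp any host 172.20.1.19 eq www",
    "access-group 111 in interface outside",
]


def decisions() -> Dict[str, str]:
    """Verdicts of ACL 111 for the flows the thread is about."""
    acl = parse_config(CONFIG)["111"]
    return {
        "pptp_control": evaluate(acl, "tcp", VPN_CLIENT, 49152, OUTSIDE_IP, 1723),
        "gre_tunnel": evaluate(acl, "gre", VPN_CLIENT, None, OUTSIDE_IP, None),
        "www_to_19": evaluate(acl, "tcp", VPN_CLIENT, 49153, "172.20.1.19", 80),
        "smb_to_19": evaluate(acl, "tcp", VPN_CLIENT, 49154, "172.20.1.19", 445),
        "netbios_to_19": evaluate(acl, "tcp", VPN_CLIENT, 49155, "172.20.1.19", 139),
        "www_to_other_host": evaluate(acl, "tcp", VPN_CLIENT, 49156, "172.20.1.20", 80),
    }


if __name__ == "__main__":
    for flow, verdict in decisions().items():
        print(f"{flow:18s} {verdict}")
```

Running it prints "permit" for the PPTP control session, the GRE tunnel and HTTP to 172.20.1.19, and "deny" for SMB, NetBIOS and HTTP to any other inside host, which is the port-level restriction the no-NAT ACL cannot express. The evaluator only models exact host matches and "eq"; a real inbound ACL on the outside interface also has to admit whatever the VPN itself needs (for IPsec that would be ISAKMP and ESP rather than the PPTP lines shown here).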

I am using PPTP

I put all the ACLs you mentioned, but the problem exists as before.

Any other suggestions?