03-15-2004 09:07 AM - edited 02-21-2020 01:04 PM
Dear Sir,
We have a Central office which acts as a HUB location for all the database access from remote locations.
At the central location we have Internet connectivity using a Cisco 2610 router; we also have a Cisco PIX firewall deployed for security purposes.
We have configured VPN on the firewall for remote access clients who want to access the central site LAN over a secured VPN tunnel.
The new requirement is to allow the VPN from specific public IPs only and block the rest of the world (public IPs). We have more than 4 remote sites which, using fixed public IPs, will connect via VPN to the central site for accessing the LAN.
Please advise with a sample config for the above scenario.
The PIX config related to VPN is listed below.
!--- Access list to avoid Network Address Translation (NAT)
!--- on the IPSec packets
access-list 101 permit ip 192.168.48.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- IP addresses on the interfaces
ip address outside 239.14.9.2 255.255.255.240
ip address inside 192.168.128.1 255.255.255.252
ip address dmz 192.168.98.2 255.255.255.224
ip local pool vpnpool 10.1.2.1-10.1.2.10
!--- Binding ACL 101 to the NAT statement to avoid NAT
!--- on the IPSec packets
nat (inside) 0 access-list 101
!--- Default route to the Internet
route outside 0.0.0.0 0.0.0.0 239.14.9.1 1
!--- The sysopt command avoids conduit
!--- on the IPSec encrypted traffic
sysopt connection permit-ipsec
no sysopt route dnat
!
!--- Phase 2 encryption type
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!--- Binding the IPSec engine on the outside interface
crypto map mymap interface outside
!
!--- Enabling Internet Security Association and
!--- Key Management Protocol (ISAKMP) key exchange
isakmp enable outside
isakmp identity address
!--- ISAKMP policy for VPN Client running 3.x or 4.x code
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for either VPN Client
vpngroup test address-pool vpnpool
vpngroup test default-domain test.co.in
vpngroup test idle-time 1800
vpngroup test password test123
!--- To allow simultaneous access to the
!--- internal network and to the Internet
vpngroup test split-tunnel 101
Thanks & Regards
Deepak
03-19-2004 11:37 AM
I am not quite clear on what exactly is needed here. Do you want the VPN connection to your central site only from fixed IP addresses? If yes, then will you block all the VPN connections from the clients from other addresses? I think the access-list commands that are used in the crypto map need to be modified.
Experts out there, can anybody say more on this?
Thanks.
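As an added illustration (not from either poster), one way PIX 6.x can tie the tunnel to known peers is to bind a pre-shared key to each remote site's fixed public IP and give that site a static crypto map entry ahead of the dynamic one, so only the listed addresses can complete ISAKMP with that key. The peer 203.0.113.10, the remote LAN 192.168.60.0/24, ACL 120 and the key value are placeholders.

```cisco
!--- Placeholder remote site: public IP 203.0.113.10, LAN 192.168.60.0/24
!--- Exempt the site-to-site traffic from NAT (ACL 101 is the existing nat 0 list)
access-list 101 permit ip 192.168.48.0 255.255.255.0 192.168.60.0 255.255.255.0
!--- Interesting traffic for this peer only
access-list 120 permit ip 192.168.48.0 255.255.255.0 192.168.60.0 255.255.255.0
!--- Pre-shared key valid for this one peer address (netmask /32), not 0.0.0.0 wildcard;
!--- no-xauth/no-config-mode keep the remote-access client settings from applying to it
isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
!--- Static entry with a lower sequence number than the dynamic map (10)
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 120
crypto map mymap 5 set peer 203.0.113.10
crypto map mymap 5 set transform-set myset
!--- Repeat the three blocks above with its own ACL and sequence number for each fixed-IP site.
!--- The existing "crypto map mymap 10 ipsec-isakmp dynamic dynmap" still answers any peer;
!--- remove it if the remote-access clients are no longer needed:
!--- no crypto map mymap 10 ipsec-isakmp dynamic dynmap
```

Because the remote sites' traffic is exempted from NAT through ACL 101, which the posted config also uses as the split-tunnel list, check that the added line does not change the client split-tunnel behaviour unintentionally.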