2440 Views, 0 Helpful, 3 Replies

Cisco VPN client (blocking ports)

alexr (Level 1)

Hello experts,

I have a PIX 6.3(1)

I have a problem with permitting access to a specific port (443) and blocking all others for clients using the Cisco VPN client.

I tried to manage it via the access-list for NONAT traffic, and after that I tried to manage it via split tunneling. No luck.

I also tried to put an access-list on the inside interface to prevent this.

access-list vpn_acl permit ip host 190.x.x.x 191.1.1.64 255.255.255.252

nat (inside) 0 access-list vpn_acl

access-list split5 permit ip host 190.x.x.x 191.1.1.64 255.255.255.252

Please give your suggestions.

It's really important.

Thanks

3 Replies

ROBERTO TACCON (Level 4)

Is the command

sysopt connection permit-ipsec

present on your PIX?

Yes, sysopt connection permit-ipsec exists in the config.

With the presented configuration the remote-access VPN is working, but for all ports.

I would like to permit only 443; all others should be blocked.

As you can see, you need to modify the configuration with the command

no sysopt connection permit-ipsec

! Be aware: all the IPsec VPNs then need to be allowed with explicit ACLs !

For example, if you have a LAN-to-LAN IPsec VPN you need to insert the following ACL

access-list entrante->outside remark ## VPN SITE TO SITE

access-list incoming->outside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

connection permit-ipsec

Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026942
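The restriction the thread converges on, written out as one complete PIX 6.3 fragment. This is an added example, not configuration taken from either poster; it reuses the client pool 191.1.1.64/30 and the masked server address 190.x.x.x from alexr's ACLs (190.x.x.x is masked on the page and must be replaced with the real host), uses a hypothetical outside ACL name outside_in, and assumes that IKE and ESP packets addressed to the PIX's own outside interface terminate on the firewall and are not subject to the interface ACL, so only the decrypted client traffic is affected by removing the sysopt.

```cisco
! Added example (not from the original posts). Assumed names and addresses
! are marked below; the site-to-site networks are Roberto's example ones.

! 1. Stop decrypted IPsec traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

! 2. Explicitly permit what the remote-access clients may reach:
!    only HTTPS from the client pool (191.1.1.64/30, as in the thread)
!    to the server (190.x.x.x is masked on the page; put the real host here).
!    The deny with "log" makes every other attempt visible in the log.
access-list outside_in remark ## remote-access VPN clients: HTTPS only
access-list outside_in permit tcp 191.1.1.64 255.255.255.252 host 190.x.x.x eq 443
access-list outside_in deny ip 191.1.1.64 255.255.255.252 any log

! 3. Any existing site-to-site tunnel now also needs an explicit permit,
!    because the sysopt no longer lets it through implicitly.
access-list outside_in remark ## VPN SITE TO SITE
access-list outside_in permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

! 4. Bind the ACL inbound on the outside interface. If the outside interface
!    already has an ACL applied, add the entries above to that ACL instead.
access-group outside_in in interface outside
```

The nat (inside) 0 and split-tunnel ACLs from the first post stay as they are: they only select which traffic is exempted from NAT and which is sent through the tunnel, they do not filter anything, which is why editing them had no effect. After applying the change, confirm behaviour from a connected client with `show access-list outside_in` (the permit line should accumulate hit counts for HTTPS, the deny line for everything else) and check the logged denies with `show logging` once buffered logging is enabled.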