Showing results for 
Search instead for 
Did you mean: 

How to deny VPN clients from certain locations?


I've got a pix515 and I've configured it for remote access vpn using cisco VPN client and this is working. Is there any way that I can restrict who can connect to the pix via this VPN...I tried to do this with an access-list on the outside permitting esp and isakmp from the public IPs of the clients I want to allow, but this did not work because any public IP could still connect and the access-list showed no hits on those particular rules. Any ideas.

Frequent Contributor

Access-lists on interfaces restrict what traffic passes thru the pix, not traffic destined to it such as VPN connectivity. That is why the acls are not working and have zero hit counts.

Since the vpn clinet usually comes from different ip addresses, it would be better to restrict by configuring different policies on the vpn client.

What versions of pix and vpn client code are you using? For vpn client code v3 and higher, you have vpngroup names and passwords that can be of aid.

Along side of that, what type of user authen methods are you using? Raidus, local, tacacs, or a combo of the three?

I dont see how policies can be used to restrict what IP the client can connect from. The clients will always use the same source IP (depending on what site they reside in) and that is why I want to restrict the connection to only these sites where valid clients reside. I am using pix 6.3(3) and the latest Cisco VPN Client and local authentication. Any ideas. Thanks

AFAIK the Pix has no way to configure ISAKMP or ESP to it's interface. But you can get around this by adding an ACL to your internet router that would accomplish the same thing. since I dont have control over my upstream router, I cant control who can connect. Funny that the pix has no native way of limiting this. Thanks for your help.


If you have used the statement 'sysopt connection permit-ipsec' IPSec traffic will pass even if your access-list denies it. So just disable this with 'no sysopt connection permit-ipsec'. You now should be able to specify exactly what IPSec traffic you want to allow.

Content for Community-Ad