Possible to limit host access via Remote Access VPN w/PIX

skyepharma
Level 1

Hi,

Is it possible to limit a VPN client's connectivity via a remote access IPSec tunnel? For example I have host A connecting to my network via an IPSec VPN on a PIX firewall. I only want this host to connect to host B and not any other hosts on my internal network. Is it possible to make these restrictions with access lists? Thanks in advance.

4 Replies

s-doyle
Level 3

The feature allows a remote end user to communicate using IP Security (IPsec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPsec policies are "pushed" to the client by the server, minimizing configuration by the end user.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftunity.htm

Hi,

Which version of PIX are you using? Starting from PIX v7, you can add a vpn-filter under the group-policy to achieve this

group-policy <name> internal
vpn-filter value <acl-name>

HTH

Regards,

Shijo George.
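A complete PIX 7.x configuration for the scenario in the question, as an added example that is not part of this thread: it assumes a client address pool of 192.168.100.0/24, host B at 192.168.1.13 (reachable on RDP and HTTP), a DNS server at 192.168.1.10, and the names RA-POOL, RA-FILTER, RA-SPLIT, NONAT, RA-POLICY and RA-GROUP, all of which are invented for the example. The ISAKMP policy, transform set and dynamic crypto map are not shown. The vpn-filter ACL is evaluated with the VPN client address as source and the inside host as destination; anything from the client that does not match an entry is dropped by the ACL's implicit deny, so the client cannot reach any other inside host even though sysopt connection permit-ipsec lets IPsec traffic bypass the outside interface ACL.

```cisco
! Address pool handed to remote-access clients (assumed range)
ip local pool RA-POOL 192.168.100.11-192.168.100.101 mask 255.255.255.0

! vpn-filter ACL: source = VPN client address, destination = inside host.
! Only host B (192.168.1.13, assumed) and DNS are reachable; everything
! else from the pool hits the implicit deny at the end of the ACL.
access-list RA-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq 3389
access-list RA-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq www
access-list RA-FILTER extended permit udp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq domain

! Split-tunnel list: only 192.168.1.0/24 is sent through the tunnel
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0

! NAT exemption for traffic between the inside network and the client pool
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Group policy carrying the filter; the ACL name follows "value"
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-filter value RA-FILTER
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
 vpn-idle-timeout 30

! Tunnel group for the IPsec remote-access clients, bound to the policy
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key ********

! Left enabled: IPsec traffic bypasses the outside interface ACL, but the
! vpn-filter in the group policy is still applied to every client packet.
! (Renamed "sysopt connection permit-vpn" from 7.1 onward.)
sysopt connection permit-ipsec
```

To verify the filter after a client connects, "show vpn-sessiondb remote" lists the session with the group policy and filter name applied to it, and "show access-list RA-FILTER" shows hit counts per entry, so a client attempting to reach another inside host should produce no new hits while connections to 192.168.1.13 do. Because the filter is applied in the group policy rather than on the interface, it also keeps working if the interface ACL is later changed or the sysopt bypass is left in place.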

with v.6.x

disable the command below

(no) sysopt connection permit-ipsec

sysopt connection permit-ipsec:

To let IPSec packets bypass interface access lists, use the sysopt connection permit-ipsec command in global configuration mode. Group policy and per-user authorization access lists still apply to the traffic.

with this command disabled, you will need to configure an inbound ACL in order to permit VPN traffic.

e.g.

! 110: NAT exemption between the inside network and the VPN client pool
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
! 120: split-tunnel list, only 192.168.1.0/24 is sent through the tunnel
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
! 130: inbound ACL on outside; with sysopt permit-ipsec disabled, clients from
! the pool may reach only the hosts and ports listed here (implicit deny for
! everything else). Note the DNS entries permit TCP 53 only; normal lookups
! use UDP 53.
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq domain
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.11 eq domain
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq citrix-ica
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq www
! Client address pool and NAT exemption
ip local pool ippool2 192.168.100.11-192.168.100.101
nat (inside) 0 access-list 110
! Apply the restrictive ACL inbound on the outside interface
access-group 130 in interface outside
! Remote-access group: pool, pushed DNS servers, split tunnel, idle timeout, PSK
vpngroup vpnclient address-pool ippool2
vpngroup vpnclient dns-server 192.168.1.10 192.168.1.11
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

Don't forget other VPN traffic such as LAN-to-LAN VPN; it needs to be permitted by the inbound ACL as well.

just wondering how you go