08-06-2004 02:34 AM
Hi all
I was trying to apply an access-list to a dynamic-map so that I could restrict access from remote VPN users.
access-list restrictvpn permit tcp x.x.x.x x.x.x.x host x.x.x.x eq x
crypto map dynamic-map mobile 5 match address restrictvpn
The VPN worked fine before issuing this command but would not work after applying the ACL. The first time you attempted to connect it would prompt for authentication details and then just hang on "contacting security gateway". If you cancelled the connection and retried the connection it would bypass authentication and hang on "securing communications".
As you can see the acl is nailed down to a specific port and when you apply it to the dynamic map it sends a message saying "ACL has port selectors this may cause performance issues"
I cannot strip off sysopt connection permit-ipsec because they have a site to site VPN where the remote private network is an illegally assigned public range, which means I would potentially open up access to a remote network.
I have tried restricting the VPN with a split-tunnel ACL but this ignores the port selectors and lets through all traffic to the host.
Any suggestions?
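The warning the poster mentions ("ACL has port selectors this may cause performance issues") appears only once the crypto map has been applied. A small pre-deployment check that finds the same condition in a saved configuration is shown below; it is an added example, not code from the thread or from Cisco. The configuration text is constructed to mirror the commands in the post (addresses, ports and ACL names are placeholders), and the regular expression is an assumption that accepts both the "crypto map dynamic-map NAME SEQ match address ACL" form quoted in the post and the "crypto dynamic-map NAME SEQ match address ACL" form.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration modelled on the commands in the thread;
# the addresses, ports and names are placeholders, not from any real device.
SAMPLE_CONFIG = """\
access-list restrictvpn permit tcp 10.1.0.0 255.255.0.0 host 192.0.2.10 eq 443
access-list vpnhosts permit ip host 192.0.2.10 10.1.0.0 255.255.0.0
access-list outside_in permit tcp any host 192.0.2.20 eq 25
crypto map dynamic-map mobile 5 match address restrictvpn
crypto map sitetosite 10 match address vpnhosts
"""

# Layer-4 keywords that turn an ACE into a port selector rather than a plain
# address/protocol selector.
PORT_SELECTORS = {"eq", "gt", "lt", "neq", "range"}

# Assumed pattern: accepts the thread's 'crypto map dynamic-map NAME SEQ match
# address ACL' spelling as well as 'crypto dynamic-map NAME SEQ match address ACL'.
MATCH_ADDRESS_RE = re.compile(r"^crypto\s+(.+?)\s+match\s+address\s+(\S+)\s*$")


def parse_access_lists(config: str) -> Dict[str, List[str]]:
    """Group access-list entries (ACEs) by ACL name, in configuration order."""
    acls: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(raw.strip())
    return acls


def crypto_match_acls(config: str) -> Dict[str, str]:
    """Map each ACL named in a 'match address' clause to the crypto map line."""
    refs: Dict[str, str] = {}
    for raw in config.splitlines():
        m = MATCH_ADDRESS_RE.match(raw.strip())
        if m:
            refs[m.group(2)] = raw.strip()
    return refs


def has_port_selector(ace: str) -> bool:
    """True if the ACE carries a TCP/UDP port keyword after the protocol field."""
    parts = ace.split()
    # parts: access-list NAME permit|deny PROTO <src> <dst> [port keywords]
    return any(tok.lower() in PORT_SELECTORS for tok in parts[4:])


def audit_crypto_acls(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl_name, crypto_line, ace) for every port-selecting ACE that is
    bound to a crypto map, i.e. the entries the device itself warns about."""
    acls = parse_access_lists(config)
    findings: List[Tuple[str, str, str]] = []
    for acl_name, crypto_line in crypto_match_acls(config).items():
        for ace in acls.get(acl_name, []):
            if has_port_selector(ace):
                findings.append((acl_name, crypto_line, ace))
    return findings


if __name__ == "__main__":
    for acl_name, crypto_line, ace in audit_crypto_acls(SAMPLE_CONFIG):
        print(f"[WARN] {acl_name}: port selector in crypto ACL")
        print(f"  {crypto_line}")
        print(f"  {ace}")
```

Run against a saved configuration, the script flags only ACLs that are actually bound to a crypto map (the interface ACL outside_in in the sample carries a port selector but is not reported), which matches the poster's observation that only host/network entries without ports worked as crypto selectors.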
08-06-2004 04:31 AM
Can you accomplish this via your NAT (or No NAT) selections?
08-06-2004 04:48 AM
Unfortunately not. If ports are defined no packets seem to get through. Only when ip host x.x.x.x vpnnet mask (no ports) is configured does it work.
Thanks anyway!