Restrict access from a VPN

frelaxx
Level 1

How do I restrict a VPN client users access to only one IP. I created an access-list and applied it to the inside interface, but it does not restrict the access.

8 Replies

network.king
Level 4

Hi

Can you please explain more about the setup? Are you using a VPN Concentrator, and how have you configured the ACL to block the users?

regards

vanesh k

I have the VPN client connecting to a PIX. I created the following which is applied with the access-group command on the inside interface:

access-list maxim_restrict; 7 elements

access-list maxim_restrict line 1 remark Restrict MAXIM access to 3300 ICP only

access-list maxim_restrict line 2 permit tcp host 192.168.9.150 host 10.9.1.3 eq www (hitcnt=0)

access-list maxim_restrict line 3 permit tcp host 192.168.9.150 host 10.9.1.3 eq https (hitcnt=0)

access-list maxim_restrict line 4 permit tcp host 192.168.9.150 host 10.9.1.3 eq ftp-data (hitcnt=0)

access-list maxim_restrict line 5 permit tcp host 192.168.9.150 host 10.9.1.3 eq ftp (hitcnt=0)

access-list maxim_restrict line 6 permit tcp host 192.168.9.150 host 10.9.1.3 eq telnet (hitcnt=0)

access-list maxim_restrict line 7 deny ip host 192.168.9.150 any (hitcnt=0)

access-list maxim_restrict line 8 permit ip any any (hitcnt=8952)

This didn't restrict the access; as you can see, the only line that is getting any hits is the any any statement. So I thought maybe I needed to reverse the addressing, so I created the following:

access-list maxim_restrict1; 7 elements

access-list maxim_restrict1 line 1 permit tcp host 10.9.1.3 host 192.168.9.150 eq www (hitcnt=0)

access-list maxim_restrict1 line 2 permit tcp host 10.9.1.3 host 192.168.9.150 eq https (hitcnt=0)

access-list maxim_restrict1 line 3 permit tcp host 10.9.1.3 host 192.168.9.150 eq ftp-data (hitcnt=0)

access-list maxim_restrict1 line 4 permit tcp host 10.9.1.3 host 192.168.9.150 eq ftp (hitcnt=0)

access-list maxim_restrict1 line 5 permit tcp host 10.9.1.3 host 192.168.9.150 eq telnet (hitcnt=0)

access-list maxim_restrict1 line 6 deny ip any host 192.168.9.150 (hitcnt=2)

access-list maxim_restrict1 line 7 permit ip any any (hitcnt=13741)

This didn't work either. The VPN client address is 192.168.9.150, and the server that I want to restrict it to is the 10.9.1.3 address. Any ideas on what I am missing?

Hi,

The thing you are missing is that the server 10.9.1.3 is running all the services, so it should be 10.9.1.3 eq www ... .

The deny action depends on the interface where you are applying it.

Just an example:

If at the inside interface, inbound:

access-list maxim_restrict1 line 6 deny ip any host 192.168.9.150

would work.

Hope this helps

regards

vanesh k

First, I am applying it to the inside interface inbound. Second, both of the access-lists were applied in the same manner and neither of them worked. The vpngroup only has one IP in the pool (192.168.9.150). What do I need to do to make this work?

Hi,

access-list maxim_restrict1 line 1 permit tcp host 10.9.1.3 eq www host 192.168.9.150

access-list maxim_restrict1 line 2 permit tcp host 10.9.1.3 eq https host 192.168.9.150

access-list maxim_restrict1 line 3 permit tcp host 10.9.1.3 eq ftp-data host 192.168.9.150

access-list maxim_restrict1 line 4 permit tcp host 10.9.1.3 eq ftp host 192.168.9.150

access-list maxim_restrict1 line 5 permit tcp host 10.9.1.3 eq telnet host 192.168.9.150

access-list maxim_restrict1 line 6 deny ip any host 192.168.9.150

access-list maxim_restrict1 line 7 permit ip any any

If this is applied inbound, then all ports other than the ones mentioned first would be denied from the server.

regards

vanesh k

Yes, that is what I want to happen. I forgot to mention that I am using sysopt permit-ipsec, could this be the root of the problem?

Would I add a permit 50 and 51 as well as a permit udp eq 500 to the in on the outside interface?

Hi,

Now whatever you have mentioned is for the establishment of the IPsec tunnel between your client and the PIX.

The access-list you gave initially is for providing access restriction to certain servers.

If you want to restrict in the outside interface for IPsec establishment, you can very well add

regards

vanesh k

Hi, all you need is a vpn-filter. Just create an access-list for the user and call the access-list in the user attributes as vpn-filter. This will do all the help you need.

regards

sebastan
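The vpn-filter approach from the last reply, written out as an added configuration example (not taken from the thread). It assumes PIX 7.x/ASA syntax, since vpn-filter is not available on the 6.x software implied by the vpngroup command in the question; the names MAXIM_VPNFILTER, MAXIM_GP and MAXIM are hypothetical, and the client and server addresses and ports are the ones from the thread.

```cisco
! Hypothetical ACL (not from the thread). For a remote-access group the
! vpn-filter ACL is written from the client's side: source = the address
! assigned to the VPN client, destination = the local server it may reach.
! The firewall evaluates this list against decrypted traffic and mirrors it
! for the return direction, so one line per service is enough; everything
! not listed is dropped by the ACL's implicit deny, in both directions.
! Because it is applied after decryption, it works even with
! "sysopt connection permit-vpn" bypassing the outside interface ACL.
access-list MAXIM_VPNFILTER remark Restrict MAXIM VPN client to 10.9.1.3 only
access-list MAXIM_VPNFILTER extended permit tcp host 192.168.9.150 host 10.9.1.3 eq www
access-list MAXIM_VPNFILTER extended permit tcp host 192.168.9.150 host 10.9.1.3 eq https
access-list MAXIM_VPNFILTER extended permit tcp host 192.168.9.150 host 10.9.1.3 eq ftp
access-list MAXIM_VPNFILTER extended permit tcp host 192.168.9.150 host 10.9.1.3 eq ftp-data
access-list MAXIM_VPNFILTER extended permit tcp host 192.168.9.150 host 10.9.1.3 eq telnet
!
! Attach the ACL to the group policy used by the remote-access tunnel group
! (hypothetical names). Do not also apply this ACL with access-group.
group-policy MAXIM_GP internal
group-policy MAXIM_GP attributes
 vpn-filter value MAXIM_VPNFILTER
!
tunnel-group MAXIM type remote-access
tunnel-group MAXIM general-attributes
 default-group-policy MAXIM_GP
!
! Check: after the client reconnects, hit counts should rise on these
! lines rather than on the "permit ip any any" of the interface ACL,
! and the session should list MAXIM_VPNFILTER as its filter.
show access-list MAXIM_VPNFILTER
show vpn-sessiondb remote
```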