01-06-2009 11:45 AM
I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on a 1841 router running IOS 12.4(9).
With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).
Is there any way to restrict the client VPN traffic on the outside interface?
Cheers,
Christoph.
01-06-2009 01:02 PM
Hi,
The feature you're looking for is called:
Crypto Access Check on Clear-Text Packets
Check it out in the Cisco IOS Security Configuration Guide, Release 12.4.
In short, define your post-encryption ACL, go into your crypto map and apply it with:
set ip access-group {access-list-number | access-list-name} {in | out}
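A constructed illustration of the answer above (not the poster's configuration): the post-decryption ACL is attached inside the dynamic crypto map with "set ip access-group ... in", so decrypted client traffic is filtered before it reaches the inside network, independent of the outside interface ACL. The ACL name, map names, transform set, client pool and server address are all assumptions.

```cisco
! Constructed example, not the poster's config; all names/addresses are assumed.
! This ACL is evaluated on decrypted (clear-text) packets arriving from VPN clients.
! 10.10.10.0/24 = assumed client address pool, 192.168.1.10 = assumed internal server.
ip access-list extended VPN-CLIENT-IN
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 3389
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
 permit udp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 53
 deny   ip any any log
!
! Dynamic crypto map used by the client VPN. The access-group is applied here,
! not on the outside interface ACL, which no longer filters IPsec-protected traffic.
crypto dynamic-map DYN-CLIENTS 10
 set transform-set ESP-AES-SHA
 set ip access-group VPN-CLIENT-IN in
 reverse-route
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN-CLIENTS
!
interface FastEthernet0/0
 crypto map OUTSIDE-MAP
```

ISAKMP policy, the client group and the address pool are omitted for brevity. After applying, check "show crypto map" for the map entry and "show access-lists" for hit counts; the logged deny line is what shows client traffic being blocked.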
01-06-2009 01:38 PM
Thanks!!!
I knew it would be something simple...
I was looking for something under the client configuration - did not think of checking under the dynamic-map section.
Cheers,
Christoph.