04-24-2005 09:23 AM
Hi
I have a VPN client who will always log in from a range of IPs and nowhere else. How do I allow only those IPs to negotiate the tunnel and deny others?
Thanks
04-24-2005 07:26 PM
Try a "no sysopt connection permit-ipsec" and then use an ACL on the outside to specify the range.
04-25-2005 12:34 AM
Hi,
Thanks for the reply; maybe I didn't phrase my question properly. What I need is to restrict the VPN client to negotiating the tunnel from a range of public IPs.
For example, only 203.125.125.1 to 203.125.125.13 can negotiate the tunnel with the PIX 515, and nowhere else.
FYI, I've tried doing 'no sysopt connection permit-ipsec' and using an ACL on the outside to control the traffic from the client into the trusted side; it does work, and the source IP would be the virtual IP assigned to the VPN client. But the outside ACL would not restrict tunnel negotiation.
I believe it should be at crypto isakmp peer 'ip add',
but I do not know how to include a range.
Thanks
04-25-2005 02:16 AM
Hello allanl
Do this on the outside router, or else, as shanky said, apply it on the outside interface of the PIX. Can you let us know the ACL that you have applied now on the PIX? My advice is to restrict this on the outside router.
Raj
04-25-2005 05:40 AM
Hello Raj,
That's my thought also, to do it on the outside router. After doing no sysopt, UDP 500 and ESP are allowed from the range of permitted IPs, followed by deny UDP and ESP to all. But tunnel negotiation is still available to other IPs.
Thanks for the info
04-25-2005 07:17 AM
Can you post your ACLs please? Did you try on the router? Did it work?
Raj
04-25-2005 08:08 AM
On your request, this is the ACL that doesn't work.
I've got to try on the router later; I do not have access to it now.
access-list 102 permit udp x.x.x.0 255.255.255.0 host 'pix outside ip' eq 500 (x.x.x.0 range of public ip)
access-list 102 permit esp x.x.x.0 255.255.255.0 host 'pix outside ip'
access-list 102 deny udp any host 'pix outside ip' eq 500
access-list 102 deny esp any host 'pix outside ip'
access-list 102 permit icmp any any
access-list 102 permit tcp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq pcanywhere-data
access-list 102 permit tcp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq 5632
access-list 102 permit udp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq 5631
access-list 102 permit udp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq pcanywhere-data
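An added worked example (not from anyone in this thread) for the "how do I include a range" question: 203.125.125.1 to 203.125.125.13 is not a single subnet, so it has to be split into aligned blocks, one ACL entry each. The script does that split and prints the IOS-style (wildcard-mask) lines for the outside router that Raj suggests; it assumes a placeholder PIX outside address, keeps ACL number 102 from the post, and also covers UDP 4500 (NAT-T), which the thread does not mention.

```python
# Added example: turn a non-CIDR source range into ACL entries for an IOS
# outside router, then check which sources the resulting ACL would admit.
import ipaddress

# Placeholder (constructed); replace with the real PIX outside address.
PIX_OUTSIDE = "192.0.2.1"


def range_to_blocks(first: str, last: str) -> list:
    """Smallest set of aligned blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def acl_source(block) -> str:
    """IOS source syntax: 'host a.b.c.d' for a /32, else 'net wildcard'."""
    if block.prefixlen == 32:
        return f"host {block.network_address}"
    # IOS uses a wildcard (inverse) mask; the PIX form would be the netmask.
    return f"{block.network_address} {block.hostmask}"


def ike_acl(first: str, last: str, pix_ip: str = PIX_OUTSIDE, acl: int = 102) -> list:
    """Permit IKE (UDP/500), NAT-T (UDP/4500) and ESP from the allowed blocks
    to the PIX, then deny those protocols to the PIX from everyone else.
    Append a final 'permit ip any any' yourself if other traffic must pass."""
    lines = []
    for block in range_to_blocks(first, last):
        src = acl_source(block)
        lines.append(f"access-list {acl} permit udp {src} host {pix_ip} eq 500")
        lines.append(f"access-list {acl} permit udp {src} host {pix_ip} eq 4500")
        lines.append(f"access-list {acl} permit esp {src} host {pix_ip}")
    lines.append(f"access-list {acl} deny udp any host {pix_ip} eq 500")
    lines.append(f"access-list {acl} deny udp any host {pix_ip} eq 4500")
    lines.append(f"access-list {acl} deny esp any host {pix_ip}")
    return lines


def ike_allowed(src: str, first: str, last: str) -> bool:
    """Would an IKE packet from src reach the PIX? True only when src falls in
    a permitted block, i.e. before the catch-all deny entries are reached."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in range_to_blocks(first, last))


if __name__ == "__main__":
    for line in ike_acl("203.125.125.1", "203.125.125.13"):
        print(line)
```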