Restrict VPN client IP address

allanl
Level 1

Hi

I have a VPN client who will always log in from a range of IPs and nowhere else. How do I allow only those IPs to negotiate the tunnel and deny the others?

Thanks

6 Replies

thisisshanky
Level 11

Try a "no sysopt connection permit-ipsec" and then use an ACL on the outside to specify the range.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi,

Thanks for the reply. Maybe I didn't phrase my question properly. What I need is to restrict the VPN client to negotiating the tunnel from a range of public IPs.

For example, only 203.125.125.1 to 203.125.125.13 can negotiate the tunnel with the PIX 515, and nowhere else.

FYI, I've tried doing 'no sysopt connection permit-ipsec' and using an ACL on the outside to control the traffic from the client into the trusted network. It does work; the source IP would be the virtual IP assigned to the VPN client. But the outside ACL would not restrict tunnel negotiation.

I believe it should be at crypto isakmp peer 'ip add',

but I do not know how to include a range.

Thanks

Hello allanl,

Do this on the outside router, or else, as Shanky said, apply it on the outside interface of the PIX. Can you let us know the ACL that you have applied now on the PIX? My advice is to restrict this on the outside router.

Raj

Hello Raj,

That's my thought also, to do it on the outside router. After doing no sysopt, UDP 500 and ESP are allowed from the permitted IP range, followed by a deny of UDP and ESP from all. But tunnel negotiation is still available to other IPs.

Thanks for the info

Can you post your ACLs please? Did you try it on the router? Did it work?

Raj

As requested, this is the ACL that doesn't work.

I'll have to try it on the router later; I don't have access to it now.

access-list 102 permit udp x.x.x.0 255.255.255.0 host 'pix outside ip' eq 500
access-list 102 permit esp x.x.x.0 255.255.255.0 host 'pix outside ip'
access-list 102 deny udp any host 'pix outside ip' eq 500
access-list 102 deny esp any host 'pix outside ip'
access-list 102 permit icmp any any
access-list 102 permit tcp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq pcanywhere-data
access-list 102 permit tcp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq 5632
access-list 102 permit udp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq 5631
access-list 102 permit udp 192.168.100.0 255.255.255.0 192.1.1.0 255.255.255.0 eq pcanywhere-data

(x.x.x.0 is the range of public IPs; 'pix outside ip' stands for the PIX's outside address.)
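Two things in the thread are worth making concrete. First, the ACL above is applied on the PIX outside interface, and interface ACLs on the PIX are evaluated for traffic passing through the firewall, not for ISAKMP addressed to the firewall itself, which is why it never blocks negotiation; Raj's advice to filter on the upstream router is the workable approach. Second, allanl's range 203.125.125.1 to 203.125.125.13 is not a single subnet, so a single "network mask" line cannot express it: it has to be split into several CIDR prefixes, each becoming one ACL entry with an IOS wildcard mask. The following generator is an added example and not configuration from any post in the thread. It assumes the upstream router runs Cisco IOS with extended named ACLs, uses 198.51.100.1 as a placeholder for the PIX outside address, and includes UDP/4500 (NAT-T) alongside UDP/500 and ESP on the assumption that some clients may sit behind NAT.

```python
"""
Generate upstream-router (Cisco IOS style) ACL entries that let IKE/IPsec
reach a PIX outside address only from a contiguous range of public source IPs.

Added example for this thread, not configuration from the original posts.
Assumptions (placeholders, not from the thread): the PIX outside address is
198.51.100.1, the upstream router runs IOS with extended named ACLs, and
NAT-T (UDP/4500) is permitted in case the clients are behind NAT.
"""
import ipaddress
from typing import List, Union

NetLike = Union[str, ipaddress.IPv4Network]


def range_to_prefixes(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive IPv4 range into the minimal list of CIDR prefixes.

    203.125.125.1-203.125.125.13 is not a single subnet (a /28 would also
    admit .0, .14 and .15), so the ACL needs one line per prefix.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(start, end))


def source_permitted(first: str, last: str, ip: str) -> bool:
    """Check whether a candidate peer address falls inside the generated prefixes.

    Useful as a sanity check that the split did not widen the range.
    """
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in range_to_prefixes(first, last))


def ios_source(net: NetLike) -> str:
    """IOS extended-ACL source syntax: 'host a.b.c.d' for a /32, otherwise
    'network wildcard', where the wildcard is the inverted subnet mask."""
    net = ipaddress.IPv4Network(net)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def vpn_peer_acl(name: str, first: str, last: str, pix_outside: str) -> List[str]:
    """Build the IKE/IPsec portion of an inbound ACL for the router's Internet
    interface. The caller appends the site's remaining policy after these
    lines; an IOS ACL ends with an implicit deny."""
    pix = f"host {ipaddress.IPv4Address(pix_outside)}"
    lines = [f"ip access-list extended {name}"]
    for net in range_to_prefixes(first, last):
        src = ios_source(net)
        lines.append(f" permit udp {src} {pix} eq isakmp")         # IKE, UDP/500
        lines.append(f" permit udp {src} {pix} eq non500-isakmp")  # NAT-T, UDP/4500 (assumption)
        lines.append(f" permit esp {src} {pix}")                   # IPsec ESP
    # Deny the same services to the PIX from everyone else. These must come
    # before any broad permit that follows, or the broad permit wins.
    lines.append(f" deny udp any {pix} eq isakmp")
    lines.append(f" deny udp any {pix} eq non500-isakmp")
    lines.append(f" deny esp any {pix}")
    return lines


if __name__ == "__main__":
    # Range taken from the thread; PIX address is a placeholder.
    for line in vpn_peer_acl("VPN-PEERS", "203.125.125.1", "203.125.125.13", "198.51.100.1"):
        print(line)
```

Apply the generated list on the router's Internet-facing interface with `ip access-group VPN-PEERS in`, followed by whatever permits the site already relies on. The `source_permitted` check is there to confirm that .13 is admitted while .14 is not, which is exactly the error a hand-written /28 would introduce.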