Restrict source-addresses for client VPN on a per policy-group basis on PIX

Unanswered Question
May 2nd, 2007
User Badges:


I am using a Cisco PIX 515E running 7.0 and I can't find any way of restricting the source address for VPn client users that access my VPN device. I want to apply the restriction not globally, but only for a particular group policy or tunnel group. Is this possible on a PIX?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
oabduo983 Wed, 05/02/2007 - 11:09
User Badges:
  • Bronze, 100 points or more

Hi Tony,

You need to use the (vpn-filter value xx) which is under the group-policy configuration mode. The xx is ACL number which you use to define the allowed hosts to connect to the VPN group... For more information, plz refer to the following article from the following link:

Please rate the post if it is useful!


acomiskey Wed, 05/02/2007 - 11:43
User Badges:
  • Green, 3000 points or more

I don't think that will do what he wants. The vpn-filter will only restrict traffic after the client has established the vpn. It will not prevent them from connecting to the vpn in the first place. Also the source address at that point would be whatever is specified in the vpn pool, not the public address where the client was coming from.

anthony.hassiot... Thu, 05/03/2007 - 00:16
User Badges:

Correct! I have already tried the vpn-filter command and I can't see the point of it. It's like another access-list this time applied to the group-policy rather than the tunnel-group and it only applies to the already encrypted packets.

I also know that I can use the 'no sysopt connection permit ipsec', but then I would have to allow all the public IP addresses that use the PIX for VPN and with 20 tunnels and various companies/ISPs this is not an option. I need to configure something on the group-policy itself if possible.

Anyway, thanks for your comments.



acomiskey Thu, 05/03/2007 - 08:04
User Badges:
  • Green, 3000 points or more

How many source addresses are you trying to block? You would not have to allow sources individually as you could just deny the ones you don't want connecting and allow everything else. Maybe I misunderstood.

I think the only option you have with the pix is the no sysopt-conn ipsec method, but that would be global of course. Are you authenticating users against radius? You could look into using "Calling-Station-Identifier" to deny users from certain addresses.


This Discussion