Need help with ACL to restrict VPN traffic


I don't know if this question is best asked in the VPN forum or here. Thanks in advance for any help offered.


I have a client that is using a PIX for remote user VPN clients. They would like to restrict a VPN client to accessing a single host (10.1.1.1) over a single TCP port (9000). The PIX by default allows all encrypted traffic to bypass the access-lists (more accurately, the PIX uses ACLs only to determine what traffic should be encrypted).


So how to restrict the client to only accessing TCP 9000? There is a Catalyst 3560 layer 2 switch on the interior network. I can create an ACL to restrict traffic between the remote VPN network (192.168.1.0 /24) and the interior host (10.1.1.1). When I apply this to the inbound traffic on the server VLAN, it kills all traffic:


switch1(config)# access-list 102 permit tcp 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255 eq 9000
switch1(config)# access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255
switch1(config)# access-list 102 permit ip any any

switch1(config)# int vlan6
! vlan6 is the VLAN the 10.1.1.1 host is in
switch1(config-if)# ip access-group 102 in


Is this correct? Applying this seems to kill all traffic on that VLAN. What is the correct way to do this?


Thanks

sundar.palaniappan Tue, 08/28/2007 - 11:35

If 10.1.1.1 is the server the users on the 192.168.1.0/24 network are accessing on TCP port 9000, then reconfigure access list 102 as follows and try.


access-list 102 permit tcp 10.1.1.1 0.0.0.0 eq 9000 192.168.1.0 0.0.0.255

access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255

access-list 102 permit ip any any


HTH


Sundar
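The point of the correction above is the direction the ACL is evaluated in. Applied `in` on the VLAN 6 SVI, access list 102 sees packets sourced by hosts in VLAN 6, i.e. the server's side of each flow, so the server's replies to a VPN client carry 9000 as the *source* port and an ephemeral client port as the destination. With `eq 9000` after the destination, the first line never matches a reply and the `deny` line drops it. The following is an added worked example, not code from either post: a small evaluator for the subset of IOS extended-ACL syntax used on this page (`any`, `host`, address plus wildcard, `eq PORT` after either address, `ip`/`tcp`/`udp`, first match wins, implicit deny). The packets, the client address 192.168.1.50, the second internal host 10.1.2.5 and the port numbers other than 9000 are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i].
    Returns (net_int, mask_int, next_i); mask bits set to 1 must match."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # IOS wildcard: 1 = don't care
    return addr, (~wildcard) & 0xFFFFFFFF, i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' that follows an address spec."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' (subset of IOS)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("unsupported line: " + line)
    src, smask, i = _parse_addr(tokens, 4)
    sport, i = _parse_port(tokens, i)          # port given here binds to the SOURCE
    dst, dmask, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)          # port given here binds to the DESTINATION
    return {"action": tokens[2], "proto": tokens[3], "src": src, "smask": smask,
            "sport": sport, "dst": dst, "dmask": dmask, "dport": dport, "line": line}


def _addr_matches(addr, net, mask):
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_matches(pkt.src, ace["src"], ace["smask"]):
        return False
    if not _addr_matches(pkt.dst, ace["dst"], ace["dmask"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First-match evaluation with the implicit 'deny ip any any' at the end.
    Returns (action, matching ACE text or 'implicit deny')."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"


# The poster's original list: 'eq 9000' sits after the destination.
ORIGINAL_ACL = [
    "access-list 102 permit tcp 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255 eq 9000",
    "access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip any any",
]

# Sundar's correction: 'eq 9000' moves to the source side.
CORRECTED_ACL = [
    "access-list 102 permit tcp 10.1.1.1 0.0.0.0 eq 9000 192.168.1.0 0.0.0.255",
    "access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip any any",
]

# Constructed sample packets as an ACL applied 'in' on the VLAN 6 SVI sees them:
# every packet here is sourced by 10.1.1.1, the server's side of the flow.
SAMPLES = {
    "server_reply_9000": Packet("tcp", "10.1.1.1", 9000, "192.168.1.50", 51234),
    "server_reply_8080": Packet("tcp", "10.1.1.1", 8080, "192.168.1.50", 51235),
    "server_initiated_ssh": Packet("tcp", "10.1.1.1", 40001, "192.168.1.50", 22),
    "server_reply_to_lan": Packet("tcp", "10.1.1.1", 9000, "10.1.2.5", 51236),
}


def compare():
    """Map each sample to (result under ORIGINAL_ACL, result under CORRECTED_ACL)."""
    return {name: (evaluate(ORIGINAL_ACL, p)[0], evaluate(CORRECTED_ACL, p)[0])
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:22s} original={before:6s} corrected={after}")
```

Under the original list the server's reply on port 9000 is dropped by the second line, because the first line wanted 9000 as the destination port; under the corrected list it is permitted, while replies from any other service on 10.1.1.1 and connections the server itself opens toward the VPN subnet still hit the `deny`, and traffic to the rest of the LAN still falls through to `permit ip any any`. Two caveats a practitioner would keep in mind: an ACL in this direction filters only what the server sends back, so the client's packets still reach 10.1.1.1 on every port and merely get no answer; and this evaluator deliberately covers only the syntax on this page (no `established`, `range`, `gt`/`lt`, `remark` or `log`).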
