I don't know if this question is best asked in the VPN forum or here. Thanks in advance for any help offered.
I have a client that is using a PIX for remote user VPN clients. They would like to restrict a VPN client to accessing a single host (10.1.1.1) over a single TCP port (9000). The PIX by default allows all encrypted traffic to bypass the access-lists (more accurately, the PIX uses ACLs only to determine what traffic should be encrypted).
So how to restrict the client to only accessing TCP9000? There is a Catalyst 3560 layer 2 switch on the interior network. I can create an ACL to restrict traffic between the remote VPN network (192.168.1.0 /24) and the interior host (10.1.1.1). When I apply this to the inbound traffic on the server VLAN, it kills all traffic:
switch1(config)# access-list 102 permit tcp 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255 eq 9000
switch1(config)# access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255
switch1(config)# access-list 102 permit ip any any
switch1(config)# int vlan6 (this the vlan the 10.1.1.1 host is in)
switch1(config-if)# access-group 102 in
Is this correct? Applying this seems to kill all traffic on that VLAN. What is the correct way to do this?