Need help with ACL to restrict VPN traffic

Unanswered Question

I don't know if this question is best asked in the VPN forum or here. Thanks in advance for any help offered.

I have a client that is using a PIX for remote user VPN clients. They would like to restrict a VPN client to accessing a single host ( ) over a single TCP port (9000). The PIX by default allows all encrypted traffic to bypass the access-lists (more accurately, the PIX uses ACLs only to determine what traffic should be encrypted).

So how to restrict the client to only accessing TCP 9000? There is a Catalyst 3560 layer 2 switch on the interior network. I can create an ACL to restrict traffic between the remote VPN network ( /24) and the interior host ( ). When I apply this to the inbound traffic on the server VLAN, it kills all traffic:

switch1(config)# access-list 102 permit tcp  eq 9000
switch1(config)# access-list 102 deny ip 
switch1(config)# access-list 102 permit ip any any
switch1(config)# int vlan6            (this is the VLAN the host is in)
switch1(config-if)# ip access-group 102 in

Is this correct? Applying this seems to kill all traffic on that VLAN. What is the correct way to do this?


sundar.palaniappan Tue, 08/28/2007 - 11:35

If  is the server that the users on the  network are accessing on TCP port 9000, then reconfigure access list 102 as follows and try.

access-list 102 permit tcp  eq 9000
access-list 102 deny ip 
access-list 102 permit ip any any
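The switch-side restriction discussed in the question and the reply, written out in full as an added example; this is not configuration from either poster. The addresses did not survive in the posts, so the VPN client pool (192.0.2.0/24) and the server (198.51.100.10 in VLAN 6) are RFC 5737 placeholders assumed here. What it shows is the order of the three entries and, in particular, which direction the ACL has to be applied in on an SVI, which the posts do not spell out.

```cisco
! Assumed placeholder addressing (not from the thread):
!   VPN client pool  : 192.0.2.0/24   (the "remote VPN network" in the post)
!   Restricted server: 198.51.100.10  (the host in VLAN 6, listening on TCP 9000)
!
! IOS ACLs are evaluated top-down, first match wins, with an implicit
! "deny ip any any" at the end. The trailing "permit ip any any" is what
! keeps every other flow through this interface working.
!
! Entry 1: VPN clients may open TCP connections to the server on port 9000 only.
!          "eq 9000" placed after the destination address matches the
!          DESTINATION port, which is the server's listening port.
access-list 102 remark VPN clients -> server: allow only TCP/9000
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 9000
! Entry 2: everything else from the VPN pool to that server is dropped.
access-list 102 deny   ip  192.0.2.0 0.0.0.255 host 198.51.100.10
! Entry 3: all other traffic in this direction is left alone.
access-list 102 permit ip  any any
!
! Direction matters on an SVI. "in" on interface Vlan6 filters packets that
! ENTER the switch's routed interface from VLAN 6, i.e. packets SOURCED by
! the server (src 198.51.100.10, dst 192.0.2.x). Entries 1 and 2 never match
! those, so an inbound ACL on Vlan6 cannot be what restricts the clients.
! Client -> server packets leave the routed interface INTO VLAN 6, so the
! ACL belongs in the "out" direction on that SVI:
interface Vlan6
 ip access-group 102 out
!
! Equivalent alternative: apply the same ACL "in" on the Layer 3 interface
! or SVI that faces the PIX, where client -> server packets first enter the
! switch. Either way, the server's replies travel the other direction and
! are not evaluated against these entries.
!
! Checks after applying:
!   show ip interface vlan 6      -> "Outgoing access list is 102"
!   show access-lists 102         -> per-entry match counters; entry 1
!                                    should increment for client connections
!                                    to 9000, entry 2 for anything else
!                                    from the pool
!   clear access-list counters 102
```

Two caveats a practitioner would check before blaming the ACL itself. Router ACLs on an SVI only see routed traffic; if the PIX's inside interface sits in VLAN 6 alongside the server, the client-to-server packets are bridged within the VLAN and a router ACL on interface Vlan6 never evaluates them, in which case a VLAN access-map applied with `vlan filter` is the tool instead. And the PIX side is not necessarily out of reach: on PIX 6.x, `no sysopt connection permit-ipsec` makes decrypted VPN traffic subject to the outside interface's access-list, and PIX 7.x adds a per-group-policy `vpn-filter` for exactly this kind of per-client restriction.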
