Limiting access for VPN Client

Unanswered Question

Hi Folks,

In order to give my customers access to my internal network, I installed a VPN client configuration on my 6.3(5) PIX. Everything is fine, but for security reasons I need to implement some control for them. The thing is, my access-list says permit ip x.x.x.x to my internal network, OK?

I changed my access-list to permit tcp x.x.x ... x.x.x.x eq x, permitting only the port they need to access my application, but it is not working.

The log says "there is no translation for x.x.x. to x.x.x", but if I modify my access-list back to permit ip x.x.x..., it works fine.

What do I need to do ??


acomiskey Tue, 09/04/2007 - 05:39


You'll have to be more specific. Which access-list are you talking about? Do you have sysopt connection permit-ipsec in your configuration? Could you post a clean configuration and explain the access you want to allow? Thanks.

acomiskey Tue, 09/04/2007 - 11:30

Okay, so I suppose you want to limit the vpn clients to only connect to your inside on port 1433? Is this correct?

I would start by splitting up your ACLs...

access-list nat0 permit tcp

access-list 100 permit tcp

no nat (inside) 0 access-list 100

nat (inside) 0 access-list nat0

You COULD then limit the traffic with the following...

no sysopt connection permit-ipsec

access-list outside_access_in permit tcp eq 1433

access-group outside_access_in in interface outside

Caution: You will have to explicitly allow all your ipsec traffic from all vpns.
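A worked PIX 6.3 configuration for the approach in the reply above, added here as an example; it is not from the original thread and not Cisco documentation. Everything concrete in it is assumed for illustration: the inside network 10.0.0.0/24, the client address pool 192.168.100.0/24, the outside interface address 203.0.113.1, the group name "customers", and the use of access-list 100 as the split-tunnel list. Lines starting with "!" are annotations, not commands.

```cisco
! Before (the poster's situation, reconstructed as an assumption): one list serves
! both NAT exemption and the VPN group, and a port qualifier was added to it.
! Flows that no longer match the nat 0 list have no translation to use, which
! is what the "no translation" log message reports.
!   access-list 100 permit tcp 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0 eq 1433
!   nat (inside) 0 access-list 100
!   vpngroup customers split-tunnel 100

! After, step 1: NAT exemption gets its own list and stays "permit ip", so every
! decrypted flow between the pool and the inside is exempt from translation.
access-list nat0 permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
no nat (inside) 0 access-list 100
nat (inside) 0 access-list nat0

! access-list 100 remains bound to the VPN group as the split-tunnel list
! (assumed use); it also stays "permit ip", because it only describes which
! destinations are sent through the tunnel, not what is allowed.
access-list 100 permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup customers split-tunnel 100

! Step 2: stop bypassing the outside interface ACL for IPsec-decrypted traffic.
no sysopt connection permit-ipsec

! Step 3 (the caution in the reply): with the bypass gone, the tunnel control
! traffic of every VPN terminating on this PIX must be permitted explicitly:
! ISAKMP (udp/500), ESP, and udp/4500 if NAT traversal is enabled.
access-list outside_access_in permit udp any host 203.0.113.1 eq 500
access-list outside_access_in permit udp any host 203.0.113.1 eq 4500
access-list outside_access_in permit esp any host 203.0.113.1

! Step 4: the only thing VPN clients may open to the inside is tcp/1433.
! Return traffic is handled by the stateful connection table, so no
! reverse entry is needed.
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 1433

! Everything else from the pool is dropped by the implicit deny at the end.
access-group outside_access_in in interface outside
```

To check that the restriction actually bites, connect from a VPN client to the 1433 service and then to any other inside port: "show access-list outside_access_in" should show the hit count rising only on the 1433 line, and the second attempt should appear in the log as a deny by access-group outside_access_in rather than as a translation error. If another site-to-site or client VPN terminates on the same outside interface, add its ISAKMP/ESP permits and its own inside permits to outside_access_in before removing the sysopt, or those tunnels will stop passing traffic.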

