Limiting access for VPN Client

mcelec
Level 1

Hi Folks,

In order to give my customers access to my internal network, I installed a VPN client configuration on my 6.3(5) PIX. Everything is fine, but for security reasons I need to implement some control for them. The thing is, my access-list says permit ip x.x.x.x to my internal, OK?

I changed my access-list to permit tcp x.x.x ... x.x.x.x eq x, permitting only the port they need to access my application, but it is not working.

The log says "there is no translation for x.x.x.x to x.x.x.x", but if I modify my access-list to permit ip x.x.x..., it works fine.

What do I need to do?

Martin

3 Replies

acomiskey
Level 10

Martin,

You'll have to be more specific. Which access-list are you talking about? Do you have sysopt connection permit-ipsec in your configuration? Could you post a clean configuration and explain the access you want to allow? Thanks.

Thanks for your help,

That is my config.

Martin

Okay, so I suppose you want to limit the vpn clients to only connect to your inside on port 1433? Is this correct?

I would start by splitting up your ACLs...

access-list nat0 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
access-list 100 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
no nat (inside) 0 access-list 100
nat (inside) 0 access-list nat0

You COULD then limit the traffic with the following...

no sysopt connection permit-ipsec
access-list outside_access_in permit tcp 172.25.1.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 1433
access-group outside_access_in in interface outside

Caution: you will have to explicitly allow all your IPsec traffic from all VPNs.
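To make the two-ACL design in the reply above concrete, here is a small added simulation (not from the thread, and not Cisco code) that parses the page's access-list syntax and models, in simplified form, how a decrypted VPN-client flow is decided on the PIX: first the nat0 exemption ACL (checked on addresses and protocol only, from the inside host's point of view), then the outside interface ACL, which is bypassed while sysopt connection permit-ipsec is on. The config lines are the ones from the reply; the host addresses, the second 10.9.9.0/24 VPN pool and the port-80 flow are constructed to show the caution at the end of the reply: once the sysopt is turned off, any other VPN traffic that is not explicitly permitted in outside_access_in is dropped.

```python
"""Simplified model of PIX 6.3 VPN-client flow handling (constructed illustration)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC MASK DST MASK [eq PORT]'."""
    p = line.split()
    if p[0] != "access-list" or p[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    dport = int(p[9]) if len(p) > 9 and p[8] == "eq" else None
    src = ipaddress.IPv4Network(f"{p[4]}/{p[5]}")   # ipaddress accepts dotted masks
    dst = ipaddress.IPv4Network(f"{p[6]}/{p[7]}")
    return p[1], Ace(p[2], p[3], src, dst, dport)


def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Group access-list lines by ACL name, preserving order (first match wins)."""
    acls: dict[str, list[Ace]] = {}
    for line in config.strip().splitlines():
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def addr_proto_match(ace: Ace, flow: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and ipaddress.IPv4Address(flow.src) in ace.src
            and ipaddress.IPv4Address(flow.dst) in ace.dst)


def acl_permits(acl: list[Ace], flow: Flow) -> bool:
    """Interface ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if addr_proto_match(ace, flow) and (ace.dport is None or ace.dport == flow.dport):
            return ace.action == "permit"
    return False


def vpn_flow_allowed(flow: Flow, acls: dict[str, list[Ace]], nat0: str,
                     outside_in: str, sysopt_permit_ipsec: bool) -> bool:
    """Decide whether a decrypted client->inside flow reaches the inside host.

    Assumption of this model: the nat0 ACL is written inside->client, so the
    reverse of the flow is checked against it on addresses/protocol only; a flow
    that is not exempt has no translation and is dropped.
    """
    reverse = Flow(flow.proto, flow.dst, flow.src, 0)
    exempt = any(a.action == "permit" and addr_proto_match(a, reverse)
                 for a in acls.get(nat0, []))
    if not exempt:
        return False
    # With sysopt connection permit-ipsec, IPsec-decrypted traffic bypasses the
    # interface ACL; without it, outside_access_in is enforced on the flow.
    if sysopt_permit_ipsec:
        return True
    return acl_permits(acls.get(outside_in, []), flow)


# Constructed config: the reply's two ACL lines plus a second (hypothetical) VPN pool.
CONFIG = """
access-list nat0 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
access-list nat0 permit ip 192.168.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list outside_access_in permit tcp 172.25.1.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 1433
"""


def demo() -> dict[str, bool]:
    acls = parse_acls(CONFIG)
    sql = Flow("tcp", "172.25.1.5", "192.168.1.10", 1433)   # customer client -> SQL port
    web = Flow("tcp", "172.25.1.5", "192.168.1.10", 80)     # same client, another port
    other = Flow("tcp", "10.9.9.5", "192.168.1.10", 1433)   # second VPN, not in outside_access_in
    def check(f: Flow, sysopt: bool) -> bool:
        return vpn_flow_allowed(f, acls, "nat0", "outside_access_in", sysopt)
    return {
        "sql sysopt on": check(sql, True),      # True: interface ACL bypassed
        "web sysopt on": check(web, True),      # True: nothing limits the port
        "sql sysopt off": check(sql, False),    # True: explicitly permitted
        "web sysopt off": check(web, False),    # False: port 80 not permitted
        "other vpn sysopt on": check(other, True),    # True
        "other vpn sysopt off": check(other, False),  # False: the caution in the reply
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

The last two results are the point of the caution: turning off the sysopt is what makes the port restriction effective, but it also means every other IPsec peer or pool that previously rode through the bypass now needs its own permit entry in outside_access_in, otherwise its traffic is silently dropped by the implicit deny.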
