Pix VPN Restriction on Ports

Unanswered Question

It is my understanding that in order to restrict VPN connections, either site-to-site or client, by port, the "sysopt connection permit-ipsec" command needs to be disabled and the control then comes from the access-list that is inbound on the outside interface.


Here is my scenario: 3 site-to-site and client VPN tunnels


Site 1 needs access to all internal hosts on 192.168.50.0 for port 5900 and full access to 192.168.50.135

Site 2 needs full access to 192.168.50.205, 192.168.50.166, 192.168.50.204 host only

Site 3 needs full access to 192.168.50.5 host only


Here is my config:


access-list acl_outside permit tcp any host a.a.a.a eq https -- this will be a static translation
access-list acl_outside permit tcp any host a.a.a.a eq 3389 -- this will be a static translation
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.220.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 172.20.20.0 255.255.255.0
access-list acl_outside permit ip 192.168.50.205 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.204 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.166 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.5 255.255.255.255 10.99.2.0 255.255.0.0
access-list acl_outside permit tcp 192.168.50.135 255.255.255.255 192.168.60.0 255.255.255.0 eq 3389

access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 150.2.0.0 255.255.0.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 10.99.2.0 255.255.0.0

ip local pool clientvpnpool 192.168.60.1-192.168.60.50

nat (inside) 0 access-list nonat

access-group acl_outside in interface outside

no sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer x.x.x.x -- Site 1 192.168.10.0 and 192.168.220.0 and 172.20.20.0 Network
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer y.y.y.y -- Site 2 150.2.0.0 Network
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 set peer z.z.z.z -- Site 3 10.99.2.0 Network
crypto map mymap 40 ipsec-isakmp dynamic dynmap -- 192.168.60.0 Client VPN Network
crypto map mymap interface outside



Will this work for my scenario?


acomiskey Mon, 10/01/2007 - 06:08

Looks like a lot of your statements are backwards. If the remote network is 192.168.10.0 and the local is 192.168.50.0 then they should look like this...


access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900
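To make the direction point concrete, here is a small Python model of how the inbound ACL on the outside interface sees a decrypted VPN packet once "sysopt connection permit-ipsec" is off: the remote site's network is the source and 192.168.50.0 is the destination, so the original entries never match and the packet falls through to the implicit deny. This is an added example, not from the original post; the ACL lines and the sample packet are constructed from the scenario in the thread.

```python
import ipaddress

# Constructed ACL lines modelled on the thread (not the full config from the post).
ORIGINAL_ACL = [  # local network written as source, as in the question
    "access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900",
    "access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0",
]
CORRECTED_ACL = [  # same intent, with the remote network as source
    "access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900",
    "access-list acl_outside permit ip 192.168.10.0 255.255.255.0 host 192.168.50.135",
]
PORT_NAMES = {"https": 443, "www": 80}  # a few PIX port keywords

def _take_net(tokens, i):
    """Consume one PIX address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _take_net(t, 4)
    dst, i = _take_net(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, src_ip, dst_ip, proto, dport=None):
    """First matching ACE wins; every PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    # Decrypted packet from Site 1's network to a local VNC host, as the inbound ACL sees it.
    pkt = ("192.168.10.5", "192.168.50.20", "tcp", 5900)
    print("original :", evaluate(ORIGINAL_ACL, *pkt))   # deny
    print("corrected:", evaluate(CORRECTED_ACL, *pkt))  # permit
```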

