Pix VPN Restriction on Ports

mlawson
Level 1

It is my understanding that in order to restrict VPN connections, either site-to-site or client, by ports, the "sysopt connection permit-ipsec" command needs to be disabled, and the control then comes from the access-list that is inbound on the outside interface.

Here is my scenario: 3 site-to-site and client VPN tunnels

Site 1 needs access to all internal hosts on 192.168.50.0 for port 5900 and full access to 192.168.50.135

Site 2 needs full access to 192.168.50.205, 192.168.50.166, 192.168.50.204 host only

Site 3 needs full access to 192.168.50.5 host only

Here is my config:

access-list acl_outside permit tcp any host a.a.a.a eq https -- this will be a static translation
access-list acl_outside permit tcp any host a.a.a.a eq 3389 -- this will be a static translation
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.220.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 172.20.20.0 255.255.255.0
access-list acl_outside permit ip 192.168.50.205 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.204 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.166 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.5 255.255.255.255 10.99.2.0 255.255.0.0
access-list acl_outside permit tcp 192.168.50.135 255.255.255.255 192.168.60.0 255.255.255.0 eq 3389
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 150.2.0.0 255.255.0.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 10.99.2.0 255.255.0.0
ip local pool clientvpnpool 192.168.60.1-192.168.60.50
nat (inside) 0 access-list nonat
access-group acl_outside in interface outside
no sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer x.x.x.x -- Site 1 192.168.10.0 and 192.168.220.0 and 172.20.20.0 Network
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer y.y.y.y -- Site 2 150.2.0.0 Network
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 set peer z.z.z.z -- Site 3 10.99.2.0 Network
crypto map mymap 40 ipsec-isakmp dynamic dynmap -- 192.168.60.0 Client VPN Network
crypto map mymap interface outside

Will this work for my scenario?

2 Replies

acomiskey
Level 10

Looks like a lot of your statements are backwards. If the remote network is 192.168.10.0 and the local is 192.168.50.0, then they should look like this...

access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900

Yes, you are correct, I do have them backwards.
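The direction rule acomiskey gives is easy to get wrong across a dozen entries, so here is a small audit script, added as an example and not code from this thread or from Cisco, that parses PIX-style access-list lines and applies that rule: on an ACL applied inbound on the outside interface with "no sysopt connection permit-ipsec", the source must be the remote (peer) side and the destination the local side. It also goes one step beyond the thread and warns when an address/mask pair is not a proper network address (the 10.99.2.0 255.255.0.0 entry above has host bits set). The local network 192.168.50.0/24 comes from the scenario; the sample ACL lines are copied from the question except the 203.0.113.10 address, a constructed stand-in for the a.a.a.a placeholder; the function names are my own.

```python
"""Audit the direction of PIX/ASA access-list entries applied inbound on
the outside interface (no sysopt connection permit-ipsec).

Rule (from the thread): source = remote network, destination = local
network. Entries whose source lies inside the local network are flagged and
a swapped version is suggested. A second check warns when 'ADDR MASK' is
not a valid network address for that mask.
"""
import ipaddress
from dataclasses import dataclass

# Local network taken from the scenario description (assumption: the only
# local network behind the inside interface).
LOCAL_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed sample input: entries from the question, with 203.0.113.10
# standing in for the a.a.a.a placeholder, plus acomiskey's corrected line.
SAMPLE_ACL = """
access-list acl_outside permit tcp any host 203.0.113.10 eq https
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0
access-list acl_outside permit ip 192.168.50.5 255.255.255.255 10.99.2.0 255.255.0.0
access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900
""".strip().splitlines()


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str   # address spec as written: "any", "host X", or "X MASK"
    dst: str
    port: str  # trailing qualifier such as "eq 5900", or ""


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into an AclEntry."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    return AclEntry(t[1], t[2], t[3], src, dst, " ".join(t[i:]))


def to_network(spec, strict=False):
    """Convert an address spec to an ip_network; 'any' becomes None."""
    if spec == "any":
        return None
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    # ip_network accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=strict)


def check_entry(entry, local_net=LOCAL_NET):
    """Return (severity, message) findings for one inbound-outside ACL entry."""
    findings = []
    for label, spec in (("source", entry.src), ("destination", entry.dst)):
        if spec != "any" and not spec.startswith("host "):
            try:
                to_network(spec, strict=True)
            except ValueError:
                findings.append(("warn", f"{label} '{spec}' has host bits set for its mask"))
    src = to_network(entry.src)
    # Traffic arriving on outside from a VPN peer carries the remote network
    # as source; a local-network source means the entry is written backwards.
    if src is not None and src.subnet_of(local_net):
        findings.append(("error", f"source {entry.src} is inside local {local_net}; entry is backwards"))
    return findings


def swap_direction(entry):
    """Rewrite a backwards entry as remote -> local; the port qualifier stays on
    the destination, which is now the local service being reached."""
    parts = ["access-list", entry.name, entry.action, entry.proto, entry.dst, entry.src]
    if entry.port:
        parts.append(entry.port)
    return " ".join(parts)


def audit(lines, local_net=LOCAL_NET):
    """Map each ACL line to its findings and, for backwards entries, a suggested fix."""
    report = {}
    for line in lines:
        entry = parse_acl(line)
        findings = check_entry(entry, local_net)
        backwards = any(sev == "error" for sev, _ in findings)
        report[line] = {"findings": findings,
                        "suggest": swap_direction(entry) if backwards else None}
    return report


if __name__ == "__main__":
    for line, result in audit(SAMPLE_ACL).items():
        print(line)
        for sev, msg in result["findings"]:
            print(f"  [{sev}] {msg}")
        if result["suggest"]:
            print(f"  suggest: {result['suggest']}")
```

Run against the sample, the 192.168.50.0 -> 192.168.10.0 port 5900 entry is flagged and the suggested rewrite is exactly acomiskey's line; the static-translation entry with source "any" passes, and the 10.99.2.0 255.255.0.0 entry gets both the direction error and the mask warning.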