VPN 6.3 IP Restrictions

Unanswered Question
Oct 4th, 2007

We have a PIX successfully running VPN (I just inherited this network so I am not sure what all is here yet) and we want to restrict which external IPs can access VPN. What is the best method to do this? See my config below (With obvious parts removed or Xd out)

global (outside) 10 interface

global (dmz) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0 0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

static (inside,dmz) netmask 0 0

static (inside,dmz) netmask 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

ntp server xxx source outside

http server enable

http inside

http inside

http inside

snmp-server host inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside /pix/startup-config-20041029

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup XX1es dns-server

vpngroup XX1es wins-server

vpngroup XX1es default-domain XXX

vpngroup XX1es idle-time 1800

vpngroup XX1es password ********

management-access inside

username XXX password xxx

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion