Client VPN - How to limit to specific host/port?

Answered Question

Hi,

I have a PIX-515 running 6.3.5 code serving as a firewall/VPN appliance. I have many site-to-site and client VPNs working fine. However, I am looking for a way to do split tunneling at port-level granularity.

E.g. for VPN profile vendor2, limit access to 192.168.100.210 on ports 80 and 81 only. Below is my config.

object-group service tcp-80-81 tcp
 port-object range www 81
object-group network consultant-vpn2-dst
 network-object host 192.168.100.210
object-group network vpn-clientpool-2
 network-object 192.168.101.64 255.255.255.224
!
access-list consultant-vpn2 permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
access-list no-nat permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
!
ip local pool vpn-pool2 192.168.101.64-192.168.101.95
!
nat (inside) 0 access-list no-nat
!
vpngroup vendor2 address-pool vpn-pool2
vpngroup vendor2 default-domain mydomain.com
vpngroup vendor2 split-tunnel consultant-vpn2
vpngroup vendor2 idle-time 1800
vpngroup vendor2 password ********

This config works fine, but upon connection I see the split tunnel happening at the IP level. I am able to ping or pass any other kind of traffic to the host even though the ACL is extended and permits only ports 80/81.

Is there a way to limit the VPN client to specific ports only?

Correct Answer by acomiskey, Thu, 10/18/2007 - 10:42

One way would be to...

1. remove sysopt connection permit-ipsec
2. write the access you desire in your outside access list.

no sysopt connection permit-ipsec
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside

Note: The actual ACL may differ depending on what you already have. Also, if you have other VPNs, the access for those subnets would need to be allowed, since removing the sysopt command would block their access.
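The note above is the part that bites in practice: once the sysopt bypass is gone, every VPN pool needs its own entries in the outside ACL or its clients lose all access. As an added check, not from the thread or from Cisco, the following Python script parses a PIX 6.3-style config excerpt and lists the address pools that no outside-ACL source entry covers. The excerpt is constructed from the lines in the question and answer plus a hypothetical second pool, vpn-pool1, that was never added to the ACL; `any` as an ACL source is not handled.

```python
import ipaddress
import re

# Constructed PIX 6.3 excerpt after applying the answer: groups, pool and ACL lines are from the thread; vpn-pool1 is a hypothetical second pool with no ACL entry.
SAMPLE_CONFIG = """\
object-group network consultant-vpn2-dst
 network-object host 192.168.100.210
object-group network vpn-clientpool-2
 network-object 192.168.101.64 255.255.255.224
ip local pool vpn-pool2 192.168.101.64-192.168.101.95
ip local pool vpn-pool1 192.168.101.32-192.168.101.63
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside
"""

def parse_network_groups(config):
    """Map each 'object-group network' name to the networks it contains."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r" network-object (host )?(\S+) ?(\S+)?", line):
            net = m.group(2) if m.group(1) else f"{m.group(2)}/{m.group(3)}"
            current.append(ipaddress.ip_network(net, strict=False))
    return groups

def _source(tokens, groups):  # ACL source field: host A | object-group G | A MASK ('any' not handled)
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])]
    if tokens[0] == "object-group":
        return groups.get(tokens[1], [])
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)]

def outside_acl_sources(config, groups):  # source networks permitted by the ACL bound inbound on 'outside'
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    entries = re.findall(rf"^access-list {m.group(1)} permit \S+ (.+)$", config, re.M) if m else []
    return [net for rest in entries for net in _source(rest.split(), groups)]

def vpn_pools_blocked(config):
    """Pool names whose clients the outside ACL would drop once the sysopt bypass is removed."""
    if re.search(r"^sysopt connection permit-ipsec", config, re.M):
        return []  # bypass still on: decrypted VPN traffic never hits the interface ACL
    allowed = outside_acl_sources(config, parse_network_groups(config))
    blocked = []
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pool = ipaddress.summarize_address_range(*map(ipaddress.ip_address, m.groups()[1:]))
        if not any(p.overlaps(a) for p in pool for a in allowed):
            blocked.append(m.group(1))
    return blocked
```

Running `vpn_pools_blocked(SAMPLE_CONFIG)` reports vpn-pool1 as the pool that would be cut off, while vpn-pool2 is covered by the vpn-clientpool-2 entries.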
