10-18-2007 10:07 AM
Hi,
I have a PIX-515 running 6.3.5 code serving as firewall/VPN appliance. I have many site to site and client VPNs working fine. However I am looking for a way to do split tunnel at port level grannularity.
e.g. for vpn profile vendor2, limit the access to 192.168.100.210 on port 80 and 81 only. Below is my config.
object-group service tcp-80-81 tcp
port-object range www 81
object-group network consultant-vpn2-dst
network-object host 192.168.100.210
object-group network vpn-clientpool-2
network-object 192.168.101.64 255.255.255.224
!
access-list consultant-vpn2 permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
access-list no-nat permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
!
ip local pool vpn-pool2 192.168.101.64-192.168.101.95
!
nat (inside) 0 access-list no-nat
!
vpngroup vendor2 address-pool vpn-pool2
vpngroup vendor2 default-domain mydomain.com
vpngroup vendor2 split-tunnel consultant-vpn2
vpngroup vendor2 idle-time 1800
vpngroup vendor2 password ********
This config works fine but upon connection, I see the split tunnel happening at the IP level. I am able to ping or pass any other kind of traffic to the host even though the ACL is extended and permits only port 80/81.
Is there a way to limit the VPN client to specific port only?
Solved! Go to Solution.
10-18-2007 10:42 AM
One way would be to...
1. remove sysopt connection permit-ipsec
2. write the access you desire in your outside access list.
no sysopt connection permit-ipsec
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside
note: The actual acl may differ depending on what you already have. Also if you have other vpns, the access for those subnets would need to be allowed since removing the sysopt command would block their access.
10-18-2007 10:42 AM
One way would be to...
1. remove sysopt connection permit-ipsec
2. write the access you desire in your outside access list.
no sysopt connection permit-ipsec
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside
note: The actual acl may differ depending on what you already have. Also if you have other vpns, the access for those subnets would need to be allowed since removing the sysopt command would block their access.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: