Client VPN - How to limit to specific host/port?

smunzani
Level 1

Hi,

I have a PIX-515 running 6.3.5 code serving as firewall/VPN appliance. I have many site-to-site and client VPNs working fine. However, I am looking for a way to do split tunnel at port-level granularity.

e.g. for vpn profile vendor2, limit the access to 192.168.100.210 on port 80 and 81 only. Below is my config.

object-group service tcp-80-81 tcp
 port-object range www 81
object-group network consultant-vpn2-dst
 network-object host 192.168.100.210
object-group network vpn-clientpool-2
 network-object 192.168.101.64 255.255.255.224
!
access-list consultant-vpn2 permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
access-list no-nat permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
!
ip local pool vpn-pool2 192.168.101.64-192.168.101.95
!
nat (inside) 0 access-list no-nat
!
vpngroup vendor2 address-pool vpn-pool2
vpngroup vendor2 default-domain mydomain.com
vpngroup vendor2 split-tunnel consultant-vpn2
vpngroup vendor2 idle-time 1800
vpngroup vendor2 password ********

This config works fine, but upon connection I see the split tunnel happening at the IP level. I am able to ping or pass any other kind of traffic to the host even though the ACL is extended and permits only port 80/81.

Is there a way to limit the VPN client to specific ports only?

Accepted Solution

acomiskey
Level 10

One way would be to...

1. remove sysopt connection permit-ipsec

2. write the access you desire in your outside access list.

no sysopt connection permit-ipsec
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside

Note: The actual ACL may differ depending on what you already have. Also, if you have other VPNs, the access for those subnets would need to be allowed, since removing the sysopt command would block their access.
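The following is an added example of that approach written out in full, not configuration from the original thread. It assumes the question's object groups, adds the port restriction to the outside interface ACL once decrypted traffic is no longer exempted, and, because the caveat above matters in practice, also shows the permits another remote-access pool and a site-to-site peer would need to keep working. The inside network 192.168.100.0/24, the second pool vpn-clientpool-1 (192.168.101.0/27) and the remote LAN site-b-lan (10.20.0.0/24) are assumptions introduced for the example; substitute your own networks.

```cisco
! Added example, not the original poster's or the answerer's configuration.
! Once this is removed, traffic arriving inside an IPsec tunnel is checked
! against the ACL applied to the outside interface like any other traffic.
no sysopt connection permit-ipsec
!
! Object groups from the question (pool, target host, TCP 80-81)
object-group service tcp-80-81 tcp
 port-object range www 81
object-group network consultant-vpn2-dst
 network-object host 192.168.100.210
object-group network vpn-clientpool-2
 network-object 192.168.101.64 255.255.255.224
!
! Assumed for the example: another remote-access pool and a site-to-site LAN
! whose access was previously granted implicitly by sysopt permit-ipsec.
object-group network vpn-clientpool-1
 network-object 192.168.101.0 255.255.255.224
object-group network site-b-lan
 network-object 10.20.0.0 255.255.255.0
!
! Inbound ACL on outside. Source is the VPN client pool, destination is the
! host, and the service group (placed after the destination) restricts the
! destination port to 80-81. Ping or any other port from this pool falls
! through to the implicit deny at the end of the ACL.
access-list outside_access_in remark vendor2 clients: TCP 80-81 to the consultant host only
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst object-group tcp-80-81
!
! Assumed: the other tunnels keep full access to the inside network
access-list outside_access_in remark other VPN users and remote site keep full access
access-list outside_access_in permit ip object-group vpn-clientpool-1 192.168.100.0 255.255.255.0
access-list outside_access_in permit ip object-group site-b-lan 192.168.100.0 255.255.255.0
!
access-group outside_access_in in interface outside
!
! The split-tunnel ACL from the question stays in place so the client still
! only sends traffic for 192.168.100.210 into the tunnel; the port filtering
! is done by the interface ACL above, not by the split-tunnel list.
vpngroup vendor2 split-tunnel consultant-vpn2
```

To confirm the change took effect, check that `show sysopt` no longer lists `sysopt connection permit-ipsec`, then connect a vendor2 client and watch the hit counts in `show access-list outside_access_in`: the TCP 80-81 line should increment for web requests while a ping to the host produces no matching permit and is dropped. Any existing interface ACL on outside already applied with `access-group` must be merged with these lines rather than replaced.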
