Configuring VPN & PIXOS 8.0.2

Unanswered Question
Oct 23rd, 2007

Hi all,

I have a question related to where in configuration of VPN for remote connection is said where users can connect?

Could someone help me how to restrict the remote users to connect into only the requested destinations, ports and so on?

I mean ....which ACL do this?

I know that I can configure split ACL for remote client, no nat ACL and so on.

In our PIX we have ACL on inside and outside interface.

Any idea, any example, any help?

BR

jl

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Tue, 10/23/2007 - 07:17

You can remove the command which allows all ipsec traffic to bypass inteface acls.

no sysopt connection permit-vpn

Then you would simply write the access you want in your outside acl. Be careful as this will effect all ipsec traffic. If you have other tunnel groups you do not want to restrict, you would have to specifically allow them in the acl as well.

Another option is to look into the vpn-filter command.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

http://cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1493380

johnleeee Thu, 10/25/2007 - 05:23

Hi Adam,

thanks for an answer. It is very helpful for me.

I didnt find no sysopt connection permit-vpn in our config.

So I suppose it is on and our inside ACL doesnt

restrict any connection from the outside VPN clients. So Iv created the other ACL and applied it into user profile. It functions well.

Thanks.

jl

Actions

This Discussion