Configuring VPN & PIXOS 8.0.2

Oct 23rd, 2007

Hi all,

I have a question related to where, in the configuration of a VPN for remote connection, it is said where users can connect.

Could someone help me with how to restrict the remote users so they can connect only to the requested destinations, ports and so on?

I mean .... which ACL does this?

I know that I can configure a split ACL for the remote client, a no-NAT ACL and so on.

In our PIX we have ACLs on the inside and outside interfaces.

Any idea, any example, any help?

acomiskey Tue, 10/23/2007 - 07:17

You can remove the command which allows all IPsec traffic to bypass interface ACLs.

no sysopt connection permit-vpn

Then you would simply write the access you want in your outside ACL. Be careful, as this will affect all IPsec traffic. If you have other tunnel groups you do not want to restrict, you would have to specifically allow them in the ACL as well.

Another option is to look into the vpn-filter command.
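As an added example of the vpn-filter option (not the poster's or the thread's own configuration; the pool, host addresses, names and ports are assumed), a PIX/ASA 8.0 fragment that lets remote-access clients reach only two inside hosts on specific ports, with the filter attached either to the group policy or to a single user account:

```cisco
! Added example, not from the thread. Pool, hosts, names and ports are assumed.
! Address pool handed out to the remote-access clients
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! vpn-filter ACL: the remote client (pool) is the source, the inside host the destination.
! Only RDP to 192.168.1.20 and HTTPS to 192.168.1.30 are permitted; anything else
! arriving from the tunnel hits the final deny, which is logged so attempts show in syslog.
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.30 eq 443
access-list RA-VPN-FILTER extended deny ip any any log
!
! Attach the filter to the group policy used by the remote-access tunnel group
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
 vpn-filter value RA-VPN-FILTER
!
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL
 default-group-policy RA-GROUP
!
! Per-user alternative (the account "alice" is assumed to exist already):
! a filter set here overrides the one inherited from the group policy
username alice attributes
 vpn-filter value RA-VPN-FILTER
!
! Verification after a client connects: ACE hit counts, and the active session
! show access-list RA-VPN-FILTER
! show vpn-sessiondb remote
```

The vpn-filter ACL is checked against decrypted traffic in both directions, so keep the remote (pool) side as the source in every ACE; if you also remove sysopt connection permit-vpn, the interface ACLs apply on top of this filter.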

johnleeee Thu, 10/25/2007 - 05:23

Hi Adam,

Thanks for the answer. It is very helpful for me.

I didn't find no sysopt connection permit-vpn in our config.

So I suppose it is on and our inside ACL doesn't restrict any connection from the outside VPN clients. So I've created the other ACL and applied it to the user profile. It functions well.
