10-25-2007 09:27 AM - edited 03-11-2019 04:30 AM
Thank you for taking the time to read this post. I'll admit up front that I'm just starting to work on the PIX.
I need to restrict a range of IPs so they can only reach one address on our network.
I created a new address pool and a new vpngroup which pulls its IP addresses from the new pool (10.6.228.160/28).
Below are the first two lines of the ACL that is applied to inbound traffic on the inside interface:
access-list inbound permit ip host 10.6.128.220 10.6.228.160 255.255.255.240
access-list inbound deny ip any 10.6.228.160 255.255.255.240
Shouldn't line 2 stop traffic from any other source destined for 10.6.228.160 /28? Or do I have something backwards? I ask as I can still access other network resources when I log in using the new group.
10-25-2007 10:45 AM
Hi,
let's see if I understood...
Everything works, right?
Your question is why you can reach other IP addresses or other services that were not supposed to be accessible from the address pool?
Note that the access to the pool is very permissive (permit ip).
10-25-2007 11:21 AM
The existing VPN groups work fine. The new group allows me to log in, but gives me too much access to the network. I can access other IP addresses on the network rather than just the one.
Once I get the ACL working so that it limits access to the one IP address, I'll get more restrictive with the ports.
10-25-2007 11:45 AM
I don't understand anything else.
Your LAN is 10.6.128.220 or 10.6.228.160/28?
Execute the "show access-list" command and look at the hit counts; you will see which access-list entries are actually matching traffic.
10-25-2007 11:50 AM
The address on the LAN that the external users need to access is 10.6.128.220. 10.6.228.160/28 is the range of addresses given to the external users when they connect to the PIX VPN.
10-25-2007 01:00 PM
Hi scootertgm,
I don't know how your configuration works, but the access-list is wrong.
You need this:
access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq (service_you_need)
access-list inbound deny ip any 10.6.228.160 255.255.255.240
Because you have the VPN tunnel, the 10.6.228.160/28 addresses need access to the 10.6.128.220 address. Verify all the services they need access to and create an object-group to make it easier.
If you must allow the VPN addresses to access more resources on your network, don't forget least privilege, and use "permit ip" only as a last resort.
10-25-2007 01:23 PM
I changed access-list lines 1-4 to the following:
access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www
access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www
access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq 44818
access-list inbound deny ip any 10.6.228.160 255.255.255.240
Below shows that my VPN adapter is getting the correct IP address:
Connection-specific DNS Suffix . : xxxxxx
IP Address. . . . . . . . . . . . : 10.6.228.161
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.6.228.161
C:\>
I am still able to access resources on the network other than just the specified address.
10-25-2007 11:24 PM
Hi,
Where is this ACL applied? I mean, on which interface and in what direction is it applied?
Practice is to apply the ACL blocking at the source, meaning apply the ACL on the interface through which the users will come in.
10-26-2007 12:27 AM
I think you just have your access-list applied to the wrong place.
The VPN group pool (10.6.228.160/28) is coming in from the outside interface, so you should apply the access-list on that interface (inbound). If you want to limit what a user on your network can access on the remote VPN user, then you would use your example (I'm not sure which of the two you want).
Also verify that you are not bypassing the access-lists, which is the default configuration when you do a remote-access/site-to-site VPN.
Let me know if this helps.
Regards,
Paulo
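The bypass Paulo mentions is what makes both the inside-inbound ACL and the later outside-inbound attempt look like they have no effect: on PIX 6.x, "sysopt connection permit-ipsec" is enabled by default, so decrypted IPsec traffic from VPN clients skips the interface ACLs entirely. The following is an added example configuration, not something posted in this thread, showing how the restriction would be expressed on a PIX 6.3 once that bypass is turned off. The ACL name "outside_in" is an assumption; the pool, host and ports are the ones from the thread. Note that the deny line names the pool as the source (the thread's version had the pool as the destination, which matches reply traffic the stateful PIX already permits).

```cisco
! Added example (not from the original thread). Assumes PIX 6.3 syntax.
! Stop the PIX from exempting decrypted IPsec traffic from interface ACLs.
! Caveat: this affects every IPsec tunnel on the box, so the existing VPN
! groups and any site-to-site peers must also be permitted in this ACL.
no sysopt connection permit-ipsec

! Client traffic arrives (after decryption) on the outside interface,
! so that is where the filter has to be applied, in the inbound direction.
access-list outside_in permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www
access-list outside_in permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq 44818
! Source is the VPN pool, destination is "any": this is what blocks the
! client from reaching the rest of the network. "log" makes misses visible.
access-list outside_in deny ip 10.6.228.160 255.255.255.240 any log
! ... rules for the other VPN groups and normal inbound traffic follow ...
access-group outside_in in interface outside
```

After applying it, reconnect a client and run "show access-list outside_in": the hit counts on the permit and deny lines should increase as you test, which is the quickest way to confirm that the ACL is actually in the path rather than being bypassed.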
10-26-2007 06:11 AM
The access list is applied to the inside interface on the inbound direction.
It's not a site-to-site vpn but rather a client based VPN.
If I am understanding, I should create a second ACL and apply it to the outside interface to restrict where the user can go?
10-31-2007 10:07 AM
I tried applying the ACL on the outside interface inbound; however, it still did not block the traffic.
At this point I am having to restrict the traffic at the layer three switch on the next hop.