husycisco Tue, 01/22/2008 - 15:30

Hi Aksher

The "no fixup protocol pptp" command will disable the inspection. To allow access to a specific external host from inside, you need the following ACLs:

access-list inside_access_in permit gre any host externalVPNserver

access-list inside_access_in permit tcp any host externalVPNserver eq pptp

or, if you like, you can specify the source and set the destination as any.

Keep in mind that if you don't have an existing inside_access_in, then you should specify all the permitted traffic in this ACL, since it blocks the rest of the traffic from inside to outside.


husycisco Wed, 01/23/2008 - 07:39

Ah, I misunderstood your question.

In your case, this is usually resolved via authorization (like if you have a RADIUS or TACACS server, you can disable the specific user's VPN remote access), but the following can be tried.

IPsec over UDP uses port 4500 and IPsec over TCP uses 10000. You can block these ports to specific resources like:

access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500

access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000

x.x.x.x is the global IP of the VPN client.
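As an added illustration of how the two ACLs quoted in the replies above behave (this is not code from the thread or from Cisco), the following toy evaluator models PIX/ASA-style first-match processing with the implicit deny at the end of every access-list. It shows the first reply's caveat (an inside_access_in that only permits GRE and TCP/1723 to the VPN server blocks everything else from inside) and the second reply's deny entries for one client's UDP/4500 and TCP/10000 traffic to the outside interface. The addresses (203.0.113.10 for externalVPNserver, 198.51.100.7 for x.x.x.x, 192.0.2.1 for the outside interface) and the trailing "permit ip any any" in outside_access_in are constructed assumptions, not values from the posts.

```python
"""Toy evaluator for PIX/ASA-style access-list entries (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PPTP_PORT = 1723      # "eq pptp" resolves to TCP/1723 on PIX/ASA
NAT_T_UDP = 4500      # IPsec over UDP (NAT-T), per the second reply
IPSEC_TCP = 10000     # IPsec over TCP, per the second reply


@dataclass(frozen=True)
class Flow:
    proto: str                  # "gre", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def _ace_match(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and _addr_match(ace.src, flow.src)
            and _addr_match(ace.dst, flow.dst)
            and (ace.dport is None or ace.dport == flow.dport))


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if _ace_match(ace, flow):
            return ace.action
    return "deny"


# Constructed placeholder addresses standing in for the names in the posts.
VPN_SERVER = "203.0.113.10"   # externalVPNserver
VPN_CLIENT = "198.51.100.7"   # x.x.x.x
OUTSIDE_IF = "192.0.2.1"      # "interface outside"

# First reply: inside_access_in permitting PPTP (GRE + TCP/1723) to one host.
INSIDE_ACCESS_IN = [
    Ace("permit", "gre", "any", f"host {VPN_SERVER}"),
    Ace("permit", "tcp", "any", f"host {VPN_SERVER}", PPTP_PORT),
]

# Second reply: outside_access_in denying one client's NAT-T / TCP-encapsulated
# IPsec to the outside interface.  The final catch-all is an assumption
# representing whatever the existing ACL already permits.
OUTSIDE_ACCESS_IN = [
    Ace("deny", "udp", f"host {VPN_CLIENT}", f"host {OUTSIDE_IF}", NAT_T_UDP),
    Ace("deny", "tcp", f"host {VPN_CLIENT}", f"host {OUTSIDE_IF}", IPSEC_TCP),
    Ace("permit", "ip", "any", "any"),
]


if __name__ == "__main__":
    samples = [
        (INSIDE_ACCESS_IN, Flow("gre", "10.0.0.5", VPN_SERVER)),
        (INSIDE_ACCESS_IN, Flow("tcp", "10.0.0.5", VPN_SERVER, PPTP_PORT)),
        (INSIDE_ACCESS_IN, Flow("tcp", "10.0.0.5", "203.0.113.99", 443)),
        (OUTSIDE_ACCESS_IN, Flow("udp", VPN_CLIENT, OUTSIDE_IF, NAT_T_UDP)),
        (OUTSIDE_ACCESS_IN, Flow("udp", "198.51.100.8", OUTSIDE_IF, NAT_T_UDP)),
    ]
    for acl, flow in samples:
        print(flow, "->", evaluate(acl, flow))
```

The third sample flow (HTTPS from inside to a host other than the VPN server) is the case the first reply warns about: with nothing else in inside_access_in, it hits the implicit deny even though no entry names it.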

