URGENT

husycisco Tue, 01/22/2008 - 15:30

Hi Aksher

The no fixup protocol pptp command will disable the inspection. For allowing access to a specific external host from inside, you need the following ACLs:

access-list inside_access_in permit gre any host externalVPNserver
access-list inside_access_in permit tcp any host externalVPNserver eq pptp

Or, if you like, you can specify the source and set the destination as any.

Keep in mind that if you don't have an existing inside_access_in, then you should specify the permitted traffic in this ACL, since this blocks the rest of the traffic from inside to outside.


Regards


husycisco Wed, 01/23/2008 - 07:39

Ah, I misunderstood your question.

In your case, this is usually resolved via authorization (like if you have a RADIUS or TACACS server you can disable the specific user's VPN remote access), but the following can be tried.

IPsec over UDP uses port 4500 and IPsec over TCP uses 10000. You can block these ports to specific resources like:

access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500
access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000

x.x.x.x is the global IP of the VPN client.
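The two replies above rest on the same mechanics: a named access-list is evaluated top to bottom, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end (which is why the first reply warns that a newly created inside_access_in must also carry the permits for everything else). The following is an added example, not code from the thread or from Cisco, that parses the four ACL lines posted above with a small first-match evaluator and checks sample flows against them. The placeholders externalVPNserver and x.x.x.x are resolved to constructed documentation-range addresses, the inside client 10.1.1.5, the outside interface address and the trailing permit ip any any on outside_access_in are all constructed for the illustration, and the supported syntax is a subset of what a PIX/ASA accepts.

```python
"""Toy first-match evaluator for Cisco-style access-list lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco port keyword -> number (subset; "pptp" is the one the thread uses)
PORT_NAMES = {"pptp": 1723, "isakmp": 500, "ssh": 22, "www": 80, "https": 443}

# Constructed resolution of the placeholders used in the posts (RFC 5737 ranges)
HOST_ALIASES = {
    "externalVPNserver": "203.0.113.10",
    "x.x.x.x": "198.51.100.25",
    "interface outside": "192.0.2.1",   # the firewall's own outside address
}

@dataclass
class Flow:
    proto: str                 # "gre", "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        addr = HOST_ALIASES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(addr + "/32"), i + 2
    if tokens[i] == "interface":
        return ipaddress.ip_network(HOST_ALIASES["interface " + tokens[i + 1]] + "/32"), i + 2
    # classic "address mask" form, e.g. 10.0.0.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Parse access-list lines into {acl_name: [Ace, ...]}, preserving order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "extended":          # ASA form; PIX 6.x omits the keyword
            i += 1
        action, proto = t[i], t[i + 1]
        i += 2
        src, i = _parse_addr(t, i)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls

def evaluate(aces, flow):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny (implicit)"

# The four lines from the thread plus one constructed permit so that the
# source-specific deny entries can be seen to leave other clients untouched.
THREAD_ACLS = """
access-list inside_access_in permit gre any host externalVPNserver
access-list inside_access_in permit tcp any host externalVPNserver eq pptp
access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500
access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000
access-list outside_access_in permit ip any any
"""

def demo():
    acls = parse_acl(THREAD_ACLS)
    inside, outside = acls["inside_access_in"], acls["outside_access_in"]
    return {
        # PPTP pass-through from a constructed inside host to the VPN server
        "gre_to_vpn": evaluate(inside, Flow("gre", "10.1.1.5", "203.0.113.10")),
        "pptp_ctrl": evaluate(inside, Flow("tcp", "10.1.1.5", "203.0.113.10", 1723)),
        # not listed in inside_access_in, so the implicit deny drops it
        "web_browsing": evaluate(inside, Flow("tcp", "10.1.1.5", "203.0.113.10", 443)),
        # the named client's NAT-T and IPsec-over-TCP attempts hit the deny lines
        "client_natt": evaluate(outside, Flow("udp", "198.51.100.25", "192.0.2.1", 4500)),
        "client_tcp10000": evaluate(outside, Flow("tcp", "198.51.100.25", "192.0.2.1", 10000)),
        # a different client does not match them and falls through to the permit
        "other_natt": evaluate(outside, Flow("udp", "198.51.100.77", "192.0.2.1", 4500)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

Running it shows the GRE and TCP/1723 flows to the VPN server permitted, HTTPS from the same inside host dropped by the implicit deny, and only the named client's UDP/4500 and TCP/10000 traffic denied on the outside ACL. Real firewall behaviour has more to it (object groups, inspection, and the fact that an ASA does not apply interface ACLs to traffic terminating on the box itself), so treat this as a model of the ordering rule, not of the platform.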
