Multi-port access to a single host behind a PIX501

Aug 8th, 2008


I need to set up a VPN client to be able to access ONLY a single host on multiple ports.

Marwan ALshawi Fri, 08/08/2008 - 08:36

If you use the local database for usernames,

go to the user attributes:


username [username] attributes

vpn-filter value 102


access-list 102 permit tcp host host [server ip] eq [port number]

and so on.

The above command assumes you have software 7.x or later.

good luck

please rate if helpful

Marwan ALshawi Fri, 08/08/2008 - 10:02

You can restrict all the VPN users by

creating an ACL sourced from the VPN client pool to the host server as the destination, with the required port number,

and applying it on the outside interface in the inbound direction.

iholdings Fri, 08/08/2008 - 10:22

I appreciate all of your help. I'm kinda new at this.

So - I believe I have all of the pieces for both the VPN clients and the site-to-site listed below. What would I need to add?

crypto ipsec transform-set vpnipsec esp-des esp-md5-hmac

crypto ipsec transform-set vpnclient esp-des esp-md5-hmac

crypto dynamic-map vpnconct 1 set transform-set vpnclient

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address ipsec_peer

crypto map vpnmap 40 set peer ...

crypto map vpnmap 40 set transform-set vpnipsec

crypto map vpnmap 99 ipsec-isakmp dynamic vpnconct

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address ... netmask

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpnclient address-pool client

vpngroup vpnclient default-domain

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password *******

nat (inside) 0 access-list 110

nat (inside) 1 0 0

access-group inbound in interface outside

sysopt connection permit-ipsec

access-list ipsec_peer permit ip

access-list ipsec_peer permit ip

access-list ipsec_peer permit ip host .... host

access-list 110 permit ip

access-list 110 permit ip

access-list 110 permit ip host .... host

access-list inbound permit icmp any any echo-reply

Marwan ALshawi Fri, 08/08/2008 - 18:25

First of all,

remove the sysopt connection permit-ipsec, because this will permit all IPsec traffic.

Now any IPsec connection is denied after we remove that line,

so we need to start making the permissions line by line.

First decide what traffic should be allowed to your firewall,

and at the end anything not included in the permit statements of the ACL we are going to make will be denied.

First, I couldn't see the VPN client address pool, so I will assume the client pool is in the range of

and the server you want to make the restriction on is


and the remote site ranges are

Let's say you want all VPN clients to access only HTTP and SMTP on the server,

and the have full access to the server only, with no access to your LAN,

and will have access to the whole LAN and the server,

as follows:

access-list 100 permit tcp host eq 80

access-list 100 permit tcp host eq 25

access-list 100 permit ip host

access-list 100 permit ip

Now apply this ACL inbound on your outside interface.

Before that, do

no access-group inbound in interface outside


access-group 100 in interface outside

Hope this was a good example of how you can make the restriction.

good luck

please, if helpful rate

iholdings Mon, 08/11/2008 - 06:38

Sorry - didn't include the following in the config.

ip local pool client

so .... could I simply add

access-list 100 permit tcp host eq 80

etc. (for the other ports)

Would I then need to add a deny somewhere to prevent the VPN client from accessing any other hosts behind the PIX?

Again, I really appreciate all of the help you're providing. I think we're getting close ... ;-)

Marwan ALshawi Mon, 08/11/2008 - 07:06


In Cisco routers or firewalls,

if you make an ACL,

for example

permit something to something

only, by default there is a deny statement called the implicit deny,

so everything else will be denied by default unless you put permit any any.

So in your case you can add deny any at the end or not; either way they will be denied from everything not allowed explicitly by a permit statement.

If you want, make it like

access-list 100 permit tcp host eq 80

access-list 100 deny ip any any

By the way, I suggest you use a different IP range for VPN users, not the same as the server.


anyway, good luck

please, if helpful rate
