Multi-port access to a single host behind a PIX501

iholdings
Level 1

Greetings,

I need to set up a VPN client to be able to access ONLY a single host on multiple ports.

7 Replies

Marwan ALshawi
VIP Alumni

If you use the local database for usernames,

go to the user attributes,

like

username [username] attributes

vpn-filter value 102

vpn-framed-ip-address 192.168.50.1 255.255.255.255

access-list 102 permit tcp host 192.168.50.1 host [server ip] eq [port number]

and so on.

The above commands assume you have software 7.x or later.

Good luck.

Please rate if helpful.

Any other options under software version 6.3(4)?

You can restrict all the VPN users by

creating an ACL sourced from the VPN client pool to the host server as the destination, with the required port number,

and applying it on the outside interface in the inbound direction.

I appreciate all of your help. I'm kinda new at this.

So - I believe I have all of the pieces for both the VPN clients and the site-to-site listed below. What would I need to add?

crypto ipsec transform-set vpnipsec esp-des esp-md5-hmac

crypto ipsec transform-set vpnclient esp-des esp-md5-hmac

crypto dynamic-map vpnconct 1 set transform-set vpnclient

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address ipsec_peer

crypto map vpnmap 40 set peer ...

crypto map vpnmap 40 set transform-set vpnipsec

crypto map vpnmap 99 ipsec-isakmp dynamic vpnconct

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address ... netmask 255.255.255.255

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpnclient address-pool client

vpngroup vpnclient default-domain cisco.com

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password *******

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inbound in interface outside

sysopt connection permit-ipsec

access-list ipsec_peer permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list ipsec_peer permit ip 192.168.5.0 255.255.255.0 172.17.0.0 255.255.0.0

access-list ipsec_peer permit ip host .... host 172.17.5.101

access-list 110 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 110 permit ip 192.168.5.0 255.255.255.0 172.17.0.0 255.255.0.0

access-list 110 permit ip host .... host 172.17.5.101

access-list inbound permit icmp any any echo-reply

First of all,

remove the sysopt connection permit-ipsec, because this will permit all IPsec traffic.

Now any IPsec connection is denied after we remove that line,

so we need to start making the permissions line by line.

First, decide what traffic should be allowed to your firewall,

and at the end, anything not included in the permit statements in the ACL we are going to make will be denied.

First, I couldn't see the VPN client address pool, so I will assume the client pool is in the range 10.1.1.0/24,

and the server you want to restrict

is 192.168.5.5,

and the remote site ranges are

172.16.0.0/16

172.17.0.0/16

Let's say you want all VPN clients to access only HTTP and SMTP on the server,

and 172.16.0.0/16 has full access to the server only, with no access to your LAN,

and 172.17.0.0/16 has access to the whole LAN and the server,

as follows:

access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 80

access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 25

access-list 100 permit ip 172.16.0.0 255.255.0.0 host 192.168.5.5

access-list 100 permit ip 172.17.0.0 255.255.0.0 192.168.5.0 255.255.255.0

Now apply this ACL inbound on your outside interface.

Before that, do

no access-group inbound in interface outside

then

access-group 100 in interface outside

Hope this was a good example of how you can make restrictions.

Good luck.

Please rate if helpful.

Sorry - didn't include the following in the config.

ip local pool client 192.168.5.20-192.168.5.30

so .... could I simply add

access-list 100 permit tcp 192.168.5.20-192.168.5.30 host 192.168.5.5 eq 80

etc. (for the other ports)

Would I then need to add a deny somewhere to prevent the VPN client from accessing any other hosts behind the PIX?

Again, I really appreciate all of the help you're providing. I think we're getting close ... ;-)

First,

in Cisco routers or firewalls,

if you make an ACL,

for example,

permit something to something

only, by default there is a deny statement called the implicit deny,

so everything else will be denied by default unless you put permit any any.

So in your case you can add deny any at the end or not; either way, everything not allowed explicitly by a permit statement will be denied.

If you want, make it like

access-list 100 permit tcp 192.168.5.0 255.255.255.0 host 192.168.5.5 eq 80

access-list 100 deny ip any any

By the way, I suggest you use a different IP range for VPN users, not the same as the server,

like 192.168.50.0/24.

Anyway, good luck.

Please rate if helpful.
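As an added illustration (not from the thread, and not Cisco code), here is a small Python model of how the PIX walks ACL 100 from the earlier reply: the first matching line wins, and a flow that matches no permit line falls through to the implicit deny described in the last reply. The ACL lines are the ones posted above with the typos fixed; the sample flows are constructed, and the parser handles only the syntax those lines use.

```python
import ipaddress

# ACL 100 as proposed in the thread: the 10.1.1.0/24 VPN pool gets only HTTP and
# SMTP on 192.168.5.5; 172.16/16 gets the server only; 172.17/16 gets the whole LAN.
ACL_100 = [
    "access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 80",
    "access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 25",
    "access-list 100 permit ip 172.16.0.0 255.255.0.0 host 192.168.5.5",
    "access-list 100 permit ip 172.17.0.0 255.255.0.0 192.168.5.0 255.255.255.0",
]

def parse_addr(tokens, i):
    # PIX ACLs use real subnet masks (not wildcards); "host X" and "any" are shorthands.
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_rule(line):
    # "access-list <id> permit|deny <proto> <src> <dst> [eq <port>]" (no source-port operators).
    t = line.split()
    action, proto = t[2], t[3]
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    # Return "permit" or "deny" for one flow. Lines are checked top to bottom and the
    # first match decides; no match means the implicit deny at the end of the ACL.
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, rproto, rsrc, rdst, rport = parse_rule(line)
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # implicit deny

if __name__ == "__main__":
    # Constructed flows from a VPN client 10.1.1.7: allowed port, blocked port, other LAN host.
    for flow in [("tcp", "10.1.1.7", "192.168.5.5", 80), ("tcp", "10.1.1.7", "192.168.5.5", 22),
                 ("tcp", "10.1.1.7", "192.168.5.9", 80)]:
        print(flow, "->", evaluate(ACL_100, *flow))
```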
