Restrict client VPN access on IOS 12.4

Answered Question
Jan 6th, 2009

I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on a 1841 router running IOS 12.4(9).

With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).


Is there any way to restrict the client VPN traffic on the outside interface?


Cheers,

Christoph.


Correct Answer by dominic.caron, Tue, 01/06/2009 - 13:02

Hi,


The feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4.

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}
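
An added example of how that answer could be laid out on an Easy VPN server (this is illustrative configuration, not from the original thread or from Cisco's guide; the ACL, map and transform-set names, the 10.1.1.0/24 server addresses and the ports are constructed):

```cisco
! Post-decryption ACL: what remote-access clients may reach once their
! packets have been decrypted. Without it, 12.4 lets decrypted client
! traffic bypass the outside interface ACL entirely.
ip access-list extended VPN-CLIENTS-IN
 remark constructed example: clients may only reach HTTPS and SSH on 10.1.1.10
 permit tcp any host 10.1.1.10 eq 443
 permit tcp any host 10.1.1.10 eq 22
 deny   ip  any any log
!
! Dynamic crypto map used for the client VPNs; the access check is
! applied here, not under the client group configuration.
crypto dynamic-map DYNMAP 10
 set transform-set VPN-TS
 set ip access-group VPN-CLIENTS-IN in
 reverse-route
!
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
! The physical outside interface keeps its own ACL for non-IPsec traffic.
interface FastEthernet0/0
 description outside
 ip access-group OUTSIDE-IN in
 crypto map CLIENTMAP
```

The "in" direction checks inbound packets after decryption; "out" checks return traffic just before encryption, so use the direction that matches where you want the restriction enforced. Confirm matches with show access-lists VPN-CLIENTS-IN while a client is connected.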



lanscape Tue, 01/06/2009 - 13:38

Thanks!!!


I knew it would be something simple...

I was looking for something under the client configuration - did not think of checking under the dynamic-map section.


Cheers,

Christoph.

