Restrict client VPN access on IOS 12.4

Answered Question
Jan 6th, 2009

I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on a 1841 router running IOS 12.4(9).

With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).

Is there any way to restrict the client VPN traffic on the outside interface?

Cheers,

Christoph.

Correct Answer by dominic.caron about 7 years 11 months ago

Hi,

The feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}
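Added example (not part of the original answer or of any Cisco document): a constructed Easy VPN server configuration for an 1841 that applies the post-decryption access check on the dynamic crypto map, since that is where remote-access clients land. Every name, address, pool and port below is an assumption; the point is that the ACL VPN-CLIENT-IN is evaluated on the decrypted packets coming from the clients, which the outside interface ACL never sees on 12.4.

```cisco
! Constructed example: Easy VPN server with "Crypto Access Check on Clear-Text Packets".
! All names, addresses, pools and ports are assumed.
!
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network VPNGROUPS local
username vpnuser secret <user-password>
!
! Address pool handed out to remote-access clients
ip local pool VPNPOOL 192.168.100.1 192.168.100.50
!
! ACL evaluated on the clear-text packets arriving from VPN clients
! after decryption. Only RDP and HTTPS to one internal host plus DNS
! to the internal resolver are allowed; everything else a client sends
! through the tunnel is dropped and logged.
ip access-list extended VPN-CLIENT-IN
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.5 eq 3389
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.5 eq 443
 permit udp 192.168.100.0 0.0.0.255 host 10.10.10.53 eq domain
 deny   ip any any log
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key <pre-shared-key>
 pool VPNPOOL
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! The access check is bound to the dynamic map, not to the outside
! interface ACL: "in" means packets inbound after decryption.
crypto dynamic-map DYN-MAP 10
 set transform-set TS-AES
 set ip access-group VPN-CLIENT-IN in
 reverse-route
!
crypto map CLIENT-MAP client authentication list USERAUTH
crypto map CLIENT-MAP isakmp authorization list VPNGROUPS
crypto map CLIENT-MAP client configuration address respond
crypto map CLIENT-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 crypto map CLIENT-MAP
```

With this in place, "show ip access-lists VPN-CLIENT-IN" shows the match counters climbing on the permit lines for allowed client traffic and on the final deny for anything a client tries outside the allowed ports, which is a quick way to confirm the check is actually being applied to the decrypted packets. The "out" direction of the same command would instead filter packets heading towards the clients before they are encrypted.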

lanscape Tue, 01/06/2009 - 13:38

Thanks!!!

I knew it would be something simple...

I was looking for something under the client configuration - did not think of checking under the dynamic-map section.

Cheers,

Christoph.
