422 Views, 0 Helpful, 2 Replies

Restrict client VPN access on IOS 12.4

lanscape (Level 1)

I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on a 1841 router running IOS 12.4(9).

With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).

Is there any way to restrict the client VPN traffic on the outside interface?

Cheers,

Christoph.

Accepted Solution

dominic.caron (Level 5)

Hi,

The feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4.

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}

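To make the accepted answer concrete, here is an added example of an Easy VPN server configuration that applies an ACL to decrypted client traffic with the command above. It is not from the thread or from Cisco documentation; the pool, addresses, ACL and map names are assumed, and the pre-shared key is a placeholder. The ACL is attached with the "in" direction so it is evaluated against the clear-text packets after IPsec decapsulation, which is exactly the check that the outside-interface ACL no longer performs for IPsec traffic on 12.4.

```cisco
! Added example (not from the thread): limit remote-access VPN clients to
! DNS and HTTPS on one internal server and SSH on another. All names and
! addresses below are assumed for illustration.
!
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-GROUP local
username vpnuser secret <user-password-placeholder>
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
!
! Post-decryption ACL: matched against clear-text packets once the IPsec
! header has been removed. Sources are the client pool addresses.
ip access-list extended VPN-CLIENT-IN
 remark permit only the services the VPN clients need
 permit udp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 53
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.20 eq 22
 deny   ip  10.10.10.0 0.0.0.255 any log
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key <group-preshared-key-placeholder>
 pool VPNPOOL
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
!
! The dynamic map is where the clear-text check is attached. "in" applies
! the ACL to decrypted inbound packets; "out" would filter packets before
! they are encrypted toward the client.
crypto dynamic-map DYN-VPN 10
 set transform-set VPN-TS
 set ip access-group VPN-CLIENT-IN in
 reverse-route
!
crypto map VPN-MAP client authentication list VPN-AUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-VPN
!
interface FastEthernet0/0
 description outside
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN-MAP
```

The final "deny ... log" entry is there so that rejected client traffic shows up in the log and in the hit counters of "show ip access-lists VPN-CLIENT-IN", which is the quickest way to confirm the check is actually being applied to the decrypted packets rather than being bypassed like the outside interface ACL.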
2 Replies


Thanks!!!

I knew it would be something simple...

I was looking for something under the client configuration - did not think of checking under the dynamic-map section.

Cheers,

Christoph.