How do I limit VPN Client users to just a single internal server when they get to servers with globally translated addresses?

Wed, 07/22/2009 - 19:52
Jun 22nd, 2009

Core issue

Because VPN Client users reach the servers through their global (statically translated) IP addresses, the traffic cannot be restricted by binding the nat (inside) 0 command to an Access Control List (ACL).


Resolution

Remove the sysopt connection permit-ipsec command from the PIX Firewall configuration, so that decrypted IPsec traffic is no longer exempt from the outside interface ACL. Then add statements to the ACL applied to the outside interface that permit Encapsulating Security Payload (ESP), UDP port 500 (ISAKMP), and the traffic from the VPN address pool to the specific server only.
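The following PIX 6.x-style configuration is an added example of the resolution above; it is not taken from the original document. The ACL name, the VPN pool (10.10.10.0/24), the PIX outside interface address (203.0.113.1) and the server's global address (203.0.113.10) are constructed placeholders, not values from the page.

```cisco
! Added example (not from the original document): PIX 6.x-style configuration
! implementing the resolution above. All addresses are constructed placeholders.
!
!   203.0.113.1        = PIX outside interface address (IPsec tunnel endpoint)
!   203.0.113.10       = static (global) address of the single permitted server
!   10.10.10.0/24      = VPN Client address pool (assumed ip local pool)
!   outside_access_in  = ACL name chosen for this example
!
! 1. Stop decrypted IPsec traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec
!
! 2. Let the tunnel itself come up: ISAKMP (UDP 500) and ESP from any remote
!    client to the PIX outside interface. Without these lines the clients can
!    no longer negotiate or carry the tunnel once the sysopt is removed.
access-list outside_access_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_access_in permit esp any host 203.0.113.1
!
! 3. After decryption, allow the VPN pool to reach only the one server, via the
!    global address the clients actually use. Pool traffic to any other global
!    address falls through to the ACL's implicit deny, which is what enforces
!    the single-server limit.
access-list outside_access_in permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
!
! 4. Bind the ACL inbound on the outside interface.
access-group outside_access_in in interface outside
```

The permit for ESP and UDP 500 matches what the resolution lists; if clients sit behind NAT devices and NAT Traversal is in use, the encapsulated tunnel traffic arrives on UDP 4500 instead and needs an equivalent permit, which this page does not cover. Verify the result with show access-list and confirm that the hit counter on the pool-to-server line increments while connections from the pool to other servers are dropped.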

For more information on how to configure PIX ACLs, refer to Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX.
