Cisco Support Community

New Member

access-list for vpdn

pix 515 version 6.3

VPDN is enabled from outside to access only one inside server, as www. These are the statements:

access-list 103 permit tcp host 172.20.1.19 eq www any

access-list 103 permit ip host 172.20.1.19 any

nat (inside) 0 access-list 103

The VPN is working fine, and the 19 server is also accessible, including the UNC path.

Now I want to restrict UNC path access.

Whenever I remove the ip access-list, I cannot access the 19 server as www.

Can anyone help?

2 REPLIES
Gold

Re: access-list for vpdn

The no-NAT ACL and the crypto ACL cannot be used to restrict remote VPN access down to the protocol/port level.

To achieve this objective, the command "sysopt connection permit-ipsec" needs to be disabled first, and then an inbound ACL configured. With the command "sysopt connection permit-ipsec" disabled, all VPN traffic will be examined by the PIX against the inbound ACL.

e.g.

no sysopt connection permit-ipsec

access-list 111 permit tcp any host 172.20.1.19 eq www

access-group 111 in interface outside

Please note that all VPN-related traffic will be affected by disabling the command "sysopt connection permit-ipsec"; in other words, the inbound ACL needs to include all VPN traffic.

New Member

Re: access-list for vpdn

I am using PPTP.

I put all the ACLs you mentioned, but the problem exists as before.

Any other suggestions?
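Putting the two replies together, here is an added PIX 6.3 fragment (not posted by anyone in this thread) that applies the first reply's approach to the PPTP setup the second reply mentions. It assumes a constructed client pool 10.10.10.0/24, a placeholder OUTSIDE-IP for the outside interface address, and that on PIX 6.x the command that lets PPTP client traffic bypass the interface ACL is "sysopt connection permit-pptp" rather than "permit-ipsec".

```cisco
! Added example, not from the thread. Pool 10.10.10.0/24 and OUTSIDE-IP
! are constructed/placeholder values; replace them with your own.
!
! PPTP server side, as in a typical vpdn setup
ip local pool PPTP-POOL 10.10.10.1-10.10.10.50
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local PPTP-POOL
vpdn username vpnuser password ********
vpdn enable outside
!
! Assumption: for PPTP the bypass command is permit-pptp, not permit-ipsec.
! With it disabled, decapsulated client traffic is checked by ACL 111.
no sysopt connection permit-pptp
!
! The no-NAT ACL only exempts the server from translation; it cannot
! filter by port, so it stays coarse (server <-> client pool).
access-list 103 permit ip host 172.20.1.19 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 103
!
! Inbound ACL on outside. Per the first reply, it must also carry the VPN
! traffic itself: PPTP control (tcp/1723) and GRE to the outside address.
access-list 111 permit tcp any host OUTSIDE-IP eq 1723
access-list 111 permit gre any host OUTSIDE-IP
! Clients get HTTP to the server only; SMB/UNC (tcp 139, 445) now hits
! the implicit deny at the end of the list.
access-list 111 permit tcp 10.10.10.0 255.255.255.0 host 172.20.1.19 eq www
access-group 111 in interface outside
```

After applying it, "show access-list 111" hit counts on the www line (and none on anything else from the pool) confirm that only HTTP from VPN clients is reaching the server.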
