03-19-2006 02:12 AM - edited 02-20-2020 09:36 PM
pix 515 version 6.3
VPDN enabled from outside for accessing only one inside server as www. These are the statements:
access-list 103 permit tcp host 172.20.1.19 eq www any
access-list 103 permit ip host 172.20.1.19 any
nat (inside) 0 access-list 103
VPN is working fine and also accessing the .19 server, including the UNC path.
Now I want to restrict UNC path access.
Whenever I remove the ip access-list, then I am not able to access the .19 server as www.
Anyone help?
03-19-2006 02:59 PM
The no-NAT ACL and crypto ACL cannot be used to restrict remote VPN access down to the protocol/port level.
To achieve this objective, the command "sysopt connection permit-ipsec" needs to be disabled first, and then an inbound ACL configured. With the command "sysopt connection permit-ipsec" disabled, all VPN traffic will be examined by the PIX against the inbound ACL.
e.g.
no sysopt connection permit-ipsec
access-list 111 permit tcp host
access-group 111 in interface outside
Please note that all VPN-related traffic will be affected by disabling the command "sysopt connection permit-ipsec"; in other words, the inbound ACL needs to include all VPN traffic.
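A fuller version of the configuration the reply above describes, written out here as an added example rather than taken from the original posts. It assumes a PIX 6.3 IPsec remote-access setup with an assumed client address pool 10.10.10.0/24 and an assumed outside interface address 203.0.113.1; the server address 172.20.1.19 and ACL numbers 103 and 111 come from the thread. Once "sysopt connection permit-ipsec" is disabled, the decrypted client traffic is checked by access-list 111 like any other inbound traffic, so the ACL must permit the tunnel protocols themselves as well as the one application you actually want to allow.

```cisco
! Keep the no-NAT exemption exactly as posted; it only decides which
! traffic is exempt from translation, it does not filter ports.
access-list 103 permit ip host 172.20.1.19 any
nat (inside) 0 access-list 103

! Stop the PIX from bypassing the interface ACL for VPN traffic.
no sysopt connection permit-ipsec

! Inbound ACL on the outside interface. Order matters: first the
! tunnel-setup traffic to the PIX itself (assumed outside address 203.0.113.1),
! then the single allowed application, then an explicit deny for anything
! else from the assumed VPN pool 10.10.10.0/24.
access-list 111 permit udp any host 203.0.113.1 eq isakmp
access-list 111 permit esp any host 203.0.113.1

! Only HTTP from VPN clients to the .19 server is allowed.
access-list 111 permit tcp 10.10.10.0 255.255.255.0 host 172.20.1.19 eq www

! Everything else from the pool to the server is dropped. This is what
! blocks UNC/SMB (TCP 445 and 139) to the .19 host; the implicit deny at the
! end of the ACL would do the same, but the explicit line keeps the intent visible.
access-list 111 deny ip 10.10.10.0 255.255.255.0 host 172.20.1.19

access-group 111 in interface outside
```

If the VPN is PPTP rather than IPsec, as the follow-up post says, the bypass that must be turned off is the PPTP one ("no sysopt connection permit-pptp") and the tunnel lines in the ACL need to permit TCP 1723 and GRE to the outside address instead of ISAKMP and ESP; the application and deny lines stay the same. Verify the result with "show access-list 111" and confirm the hit counter on the deny line increments when a client tries the UNC path while the www line still passes browser traffic.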
03-19-2006 10:35 PM
I am using PPTP.
Put all your mentioned ACLs, but the problem exists as before.
Any other suggestions?