access-list for vpdn

rezaul.karim
Level 1

pix 515 version 6.3

VPDN is enabled from outside for accessing only one inside server as www. These are the statements:

access-list 103 permit tcp host 172.20.1.19 eq www any

access-list 103 permit ip host 172.20.1.19 any

nat (inside) 0 access-list 103

VPN is working fine and I am also able to access the .19 server, including the UNC path.

Now I want to restrict UNC path access.

Whenever I remove the ip access-list, I am no longer able to access the .19 server as www.

Can anyone help?

2 Replies

jackko
Level 7

A no-NAT ACL and a crypto ACL cannot be used to restrict remote VPN access down to the protocol/port level.

To achieve this objective, the command "sysopt connection permit-ipsec" needs to be disabled first, and then an inbound ACL configured. With the command "sysopt connection permit-ipsec" disabled, all VPN traffic will be examined by the PIX against the inbound ACL.

e.g.

no sysopt connection permit-ipsec

access-list 111 permit tcp host host 172.20.1.19 eq www

access-group 111 in interface outside

Please note that all VPN-related traffic will be affected by disabling the command "sysopt connection permit-ipsec"; in other words, the inbound ACL needs to include all VPN traffic.

I am using PPTP.

I put all the ACLs you mentioned, but the problem exists as before.

Any other suggestions?
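As an added worked example (not from the thread, and not the original poster's or the replier's configuration): the same lock-down applied to a PPTP VPDN on PIX 6.3, since the original poster is using PPTP rather than IPsec. The PIX has a separate "sysopt connection permit-pptp" command that lets PPTP traffic bypass the interface ACL, so that is the one to disable for a PPTP tunnel; "sysopt connection permit-ipsec" only affects IPsec. The PPTP client pool 192.168.200.0/24 and the outside interface address 203.0.113.2 are assumptions for the example; substitute the real pool assigned by "vpdn group ... client configuration address local" and the real outside address. Lines beginning with ":" are comments in a PIX configuration.

```text
: Added example for PIX 6.3 (not from the thread). Assumed PPTP client pool:
: 192.168.200.1-192.168.200.50; assumed outside interface address: 203.0.113.2.
ip local pool pptp-pool 192.168.200.1-192.168.200.50

: Stop the PIX from letting PPTP traffic bypass the outside interface ACL.
: (For an IPsec VPN the equivalent is "no sysopt connection permit-ipsec".)
no sysopt connection permit-pptp

: NAT exemption between the server and the VPN clients only. This is NOT a
: filter; it just keeps the server's replies to the pool un-translated.
access-list 103 permit ip host 172.20.1.19 192.168.200.0 255.255.255.0
nat (inside) 0 access-list 103

: Inbound ACL on outside. With the sysopt bypass removed, the PPTP control
: channel (TCP 1723) and the GRE tunnel to the PIX itself must be permitted
: explicitly, or no client will be able to connect at all.
access-list 111 permit tcp any host 203.0.113.2 eq 1723
access-list 111 permit gre any host 203.0.113.2

: Decapsulated client traffic: allow only HTTP to the .19 server.
access-list 111 permit tcp 192.168.200.0 255.255.255.0 host 172.20.1.19 eq www

: Explicit deny for the pool so the intent is visible in "show access-list".
: This drops SMB (TCP 139/445), which is what UNC paths ride on.
access-list 111 deny ip 192.168.200.0 255.255.255.0 any

: Any other inbound permits the outside interface already needed (statics for
: public services, etc.) must also be in this ACL before it is applied.
access-group 111 in interface outside
```

Two checks after applying it: "show access-list 111" should show the hit counters on the "eq www" line climbing while a browser to http://172.20.1.19 works, and the deny line climbing when a client tries \\172.20.1.19\share. If the tunnel itself stops coming up, the 1723/GRE permits to the outside address are the first thing to verify, because that is the traffic the sysopt command used to let through silently.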
