Complete access to all PIX interfaces

jmondaca
Level 1

I have a PIX 6.2 with 6 interfaces and VPN Client 3.0. I have configured the firewall to permit a VPN connection using the following configuration:

access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside

* plus the vpngroup and isakmp configuration

The problem is that I only want the VPN client to access my x.x.x.x network on dmz2, but the VPN client can access all the computers on the internal, dmz1, dmz3, etc. (all the interfaces).

Is there any way to limit this access to specific interfaces, or much better, to specific machines?

Thanks in advance.

2 Replies

jasobrown
Level 1

That seems kind of strange that you can hit the other interfaces. I would be interested in seeing the NAT statements for those interfaces.

But to answer your question, there are a couple of ways you can do it. Remove "sysopt connection permit-ipsec" and add access-list statements to your outside interface ACL for the VPN users, or use downloadable ACLs if you have the resources to do so.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008010a206.shtml#xauth_per_user

Regards,
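As an added illustration of the first approach in the reply above (this is not the poster's configuration), the fragment below removes the sysopt bypass and uses the outside interface ACL to confine decrypted VPN client traffic to two dmz2 hosts. Addresses are placeholders from the question: x.x.x.x/24 is the dmz2 network and y.y.y.y/24 is assumed to be the VPN client address pool; the host addresses, ports and ACL name are assumptions.

```text
: Added example, not the original poster's config.
: Placeholders: x.x.x.x/24 = dmz2 network, y.y.y.y/24 = VPN client pool.
:
: 1. Stop decrypted IPsec traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec
:
: 2. Keep identity NAT only between dmz2 and the VPN pool; no other interface
:    gets a nat 0 exemption for VPN client traffic.
access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
:
: 3. Outside interface ACL: decrypted VPN client traffic is now checked here,
:    so permit only the dmz2 hosts and services the clients need (assumed
:    hosts x.x.x.10 and x.x.x.20), then deny everything else from the pool
:    ahead of any existing outside_in entries.
access-list outside_in permit tcp y.y.y.y 255.255.255.0 host x.x.x.10 eq 3389
access-list outside_in permit tcp y.y.y.y 255.255.255.0 host x.x.x.20 eq 22
access-list outside_in deny ip y.y.y.y 255.255.255.0 any
access-group outside_in in interface outside
```

After applying this, "show access-list outside_in" hit counts on the deny line show any VPN client attempts to reach interfaces other than dmz2.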

I have nat (interface) 1 0 0 for all the interfaces, but if I am allowing the VPN user access to a lower-security interface (dmz), why can the VPN user access the higher-security interface (inside) and all the others?

Thank you.
