I have a Cisco PIX 515 firewall. It has been configured for VPN access. The remote desktops connect using the Cisco VPN client software. Remote users are able to access the servers residing on the inside segments.
Now I want to restrict their access to particular ports, e.g. 80, 21, etc. (Right now they have full access.) My question is: how can I achieve this?
Where should I call or bind the access list?
(Presently I am using one access-list which is used for the no-nat config and the split-tunnel config in the vpngroup.)
What you can do is add an access list to the inside interface of your PIX, and restrict traffic from your servers to the IP netblock range that you assign to your VPN users.
Let's assume you currently are not filtering outbound access (you don't have an ACL attached to the inside interface), that you are using 192.168.0.0/24 for VPN users, and that your servers are using 192.168.1.0/24. 192.168.1.5 is a web server. 192.168.1.4 is an SMTP and POP3 mail server.
access-list insideoutblock deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideoutblock permit ip any any
The first three lines allow some return traffic from your servers to the VPN users. The 4th line blocks all traffic from the servers to the VPN users that does not match one of the first 3 lines. The 5th line allows your servers to make unhindered connections to the internet in the outbound direction; inbound access to them by internet hosts is still limited by the ACL attached to the outside PIX interface.
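As an added example (not part of either post above), the following PIX 6.x configuration restricts the VPN client pool to TCP 80 and 21 on the inside servers by filtering the decrypted client traffic at the outside interface, which is where it enters the firewall. It reuses the addressing from the answer above (192.168.0.0/24 for the VPN pool, 192.168.1.0/24 for the server segment); the ACL name outside_acl is a placeholder, and the existing no-nat / split-tunnel ACL in the vpngroup is left untouched. The reason for the first two commands is that `sysopt connection permit-ipsec`, which is on by default, lets decrypted IPsec traffic bypass the interface ACLs, so without turning it off nothing in the outside ACL applies to the VPN users.

```cisco
! Added example, not from the original thread. Addresses follow the answer above;
! the ACL name outside_acl is a placeholder.

! Before (default): decrypted VPN client traffic skips the outside ACL entirely,
! so remote users reach every port on the inside servers.
sysopt connection permit-ipsec

! After: make decrypted VPN traffic subject to the outside interface ACL ...
no sysopt connection permit-ipsec

! ... and permit only HTTP and the FTP control channel from the pool to the servers.
! The FTP data channel is opened by the FTP fixup (fixup protocol ftp 21, on by default).
access-list outside_acl permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list outside_acl permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21
! Explicit deny for everything else from the pool, so blocked attempts show up in hit counts.
access-list outside_acl deny ip 192.168.0.0 255.255.255.0 any
! Any entries you already have for internet-originated traffic to published servers stay here.
access-group outside_acl in interface outside
```

To verify, connect with the VPN client and try a blocked port (e.g. 25 on 192.168.1.4): `show access-list outside_acl` should show the hit count on the deny line increasing while the port 80 and 21 entries still count the allowed connections. On PIX/ASA 7.x and later the same restriction is usually expressed per group with `vpn-filter value <acl>` under `group-policy <name> attributes` instead of disabling the sysopt.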