bma
New Member

deny vpn traffic in the inside route

I have a PIX 515 running version 6.0 with VPN. The IP local pool address range is 172.16.2.1 - 172.16.2.254.

I want to deny some IP port access for VPN traffic.

Behind the PIX, I have a Cisco 6509 router with switch. I have a server in vlan5 with address 10.x.x.x

on the 6509. On the vlan5 interface, I entered "ip access-group 110 in"; my access-list 110 looks like the following lines:

access-list 110 permit tcp 172.16.2.0 0.0.0.255 host 10.x.x.x eq 1433

access-list 110 deny tcp 172.16.2.0 0.0.0.255 host 10.x.x.x eq ftp

access-list 110 deny icmp 172.16.2.0 0.0.0.255 any

access-list 110 permit ip any any

I cannot deny any VPN traffic to the servers. From the VPN client (I use the VPN 3000 client 3.5 or 2.5), I can still access

the servers with FTP or ping them. "show access-list 110" on the Cisco 6509 shows that only the "permit ip any any" line got hits.

thanks

ben

3 REPLIES

Re: deny vpn traffic in the inside route

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

New Member

Re: deny vpn traffic in the inside route

What you want to accomplish can be done, but you should use the PIX to do this.

When setting up your VPN on the PIX you have an access-list that specifies where the IP addresses that make up your VPN pool can go. Use that access-list to fine-tune network access for your VPN clients. Make sure you make the same changes to the NAT 0 access-list.

New Member

Re: deny vpn traffic in the inside route

How did you apply the ip access-group to the interface, in or out? It should be out. Also, if you want to block FTP access to the server, it's more effective to do this on the PIX. The access-list will be similar, but use a subnet mask instead of wildcards.
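The two fixes suggested in this thread written out as configuration, as an added example that is not part of any reply: the 6509 ACL applied in the out direction on the VLAN interface, and the same policy in PIX 6.x syntax. The server address 10.5.5.10 is a constructed placeholder for the 10.x.x.x in the question, and the PIX access-list name vpn_in is assumed.

```cisco
! Added example (not from the thread). Assumes server 10.5.5.10 (placeholder
! for the 10.x.x.x on the page) and the VPN pool 172.16.2.0/24.
!
! --- Catalyst 6509 (IOS) ---
! Packets from VPN clients to a host in VLAN 5 leave the router through
! interface Vlan5, so the filter must be applied OUTbound. Applied "in", the
! ACL only sees the server's replies (source 10.5.5.10), which match nothing
! but "permit ip any any" - exactly the hit counts observed in the question.
access-list 110 permit tcp 172.16.2.0 0.0.0.255 host 10.5.5.10 eq 1433
access-list 110 deny   tcp 172.16.2.0 0.0.0.255 host 10.5.5.10 eq ftp
access-list 110 deny   icmp 172.16.2.0 0.0.0.255 any
access-list 110 permit ip any any
!
interface Vlan5
 ip access-group 110 out
!
! Check: after an FTP attempt or a ping from a VPN client, the deny lines
! should now show hits.
show access-list 110

! --- PIX 6.x equivalent (name vpn_in is assumed) ---
! Same policy in PIX syntax: a subnet mask (255.255.255.0) replaces the IOS
! wildcard (0.0.0.255). The final "permit ip any any" keeps other traffic
! flowing as before.
access-list vpn_in permit tcp 172.16.2.0 255.255.255.0 host 10.5.5.10 eq 1433
access-list vpn_in deny   tcp 172.16.2.0 255.255.255.0 host 10.5.5.10 eq ftp
access-list vpn_in deny   icmp 172.16.2.0 255.255.255.0 any
access-list vpn_in permit ip any any
access-group vpn_in in interface outside
!
! Caveat: with "sysopt connection permit-ipsec" set, decrypted IPsec traffic
! bypasses the outside interface ACL, so that sysopt must be removed for this
! access-list to be enforced on VPN clients.
show access-list vpn_in
```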
