Cisco Support Community


deny vpn traffic in the inside route

I have a PIX 515 running version 6.0 with VPN. The IP local pool address is -

I want to deny some IP port access for VPN traffic.

Behind the PIX I have a Cisco 6509 router with switch. I have a server in VLAN 5 with address 10.x.x.x

on the 6509. On the VLAN 5 interface I entered "ip access-group 110 in"; my access-list 110 looks like the following lines:

access-list 110 permit tcp host 10.x.x.x eq 1433

access-list 110 deny tcp host 10.x.x.x eq ftp

access-list 110 deny icmp any

access-list 110 permit ip any any

I cannot deny any VPN traffic to the servers. From the VPN client (I use VPN 3000 client 3.5 or 2.5) I can still access

the servers with FTP or ping the servers. "show access-list 110" on the Cisco 6509 shows that only the "permit ip any any" line got hits.

Re: deny vpn traffic in the inside route

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center ( or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.


Re: deny vpn traffic in the inside route

What you want to accomplish can be done, but you should use the PIX to do this.

When setting up your VPN on the PIX you have an access-list that specifies where the IP addresses that make up your VPN pool can go. Use that access-list to fine-tune network access for your VPN clients. Make sure you make the same changes to the NAT 0 access-list.


Re: deny vpn traffic in the inside route

How did you apply the ip access-group to the interface, in or out? It should be out. Also, if you want to block FTP access to the server, it's more effective to do this on the PIX. The access-list will be similar, but use a subnet mask instead of wildcards.
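Worked configuration for both suggestions above (the PIX-side filter from the second reply and the ACL direction from the third). This is an added example, not configuration posted by anyone in the thread. Addresses are assumed: VPN client pool 192.168.100.0/24, the VLAN 5 server 10.5.5.10, the inside network 10.0.0.0/8 and PIX outside address 203.0.113.2. Two points drive it. On the 6509, traffic from VPN clients to a host in VLAN 5 leaves the router through interface Vlan5, so an ACL applied "in" on that SVI only sees packets sourced from VLAN 5 and everything from the clients falls through to "permit ip any any", which is exactly the hit pattern the original post describes; the lines must also carry a destination, since an IOS extended ACL needs source, destination and the port on the destination side. On the PIX 6.x, "sysopt connection permit-ipsec" is on by default and lets decrypted IPsec traffic bypass the interface access-lists, so a filter for VPN clients only takes effect once it is turned off and the outside ACL permits the clients explicitly; PIX access-lists take subnet masks, not wildcards. The isakmp/esp permit lines for the PIX itself are included as an assumption for 6.x builds that subject to-the-box IPsec traffic to the outside ACL; remove them if the tunnel already establishes without them.

```cisco
! ===== Catalyst 6509 (IOS): filter VPN clients at the VLAN 5 SVI =====
! Added example, assumed addresses: clients 192.168.100.0/24, server 10.5.5.10.
! IOS ACLs use wildcard masks (0.0.0.255 = /24).
access-list 110 remark allow MS-SQL from VPN clients to the server
access-list 110 permit tcp 192.168.100.0 0.0.0.255 host 10.5.5.10 eq 1433
access-list 110 remark block FTP control channel and ping from VPN clients
access-list 110 deny   tcp 192.168.100.0 0.0.0.255 host 10.5.5.10 eq ftp
access-list 110 deny   icmp 192.168.100.0 0.0.0.255 host 10.5.5.10
access-list 110 permit ip any any
!
interface Vlan5
 ip address 10.5.5.1 255.255.255.0
 ! "out": packets leaving the router toward VLAN 5 hosts (client -> server).
 ! "in" would only match packets the VLAN 5 hosts send.
 ip access-group 110 out
!
! Verify with: show ip access-lists 110  (deny lines should now count hits
! while a VPN client tries ftp/ping against 10.5.5.10)

! ===== PIX 515, software 6.x: filter VPN clients on the firewall =====
! Added example. PIX access-lists use subnet masks, not wildcards.
ip local pool vpnpool 192.168.100.1-192.168.100.254
!
! NAT exemption (the "NAT 0 access-list") for client <-> inside traffic
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Split tunnel: same networks as the NAT 0 list, so only 10/8 is encrypted
access-list split permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split
!
! Decrypted IPsec traffic normally bypasses interface ACLs. Turn that off so
! the outside access-list is consulted for VPN client traffic.
no sysopt connection permit-ipsec
!
! Assumed to be needed on 6.x once the sysopt is off: let IKE and ESP reach
! the PIX outside address (203.0.113.2) itself.
access-list outside_in permit udp any host 203.0.113.2 eq isakmp
access-list outside_in permit esp any host 203.0.113.2
! Deny FTP and ping from clients to the server, allow the rest of 10/8
access-list outside_in deny   tcp 192.168.100.0 255.255.255.0 host 10.5.5.10 eq ftp
access-list outside_in deny   icmp 192.168.100.0 255.255.255.0 host 10.5.5.10
access-list outside_in permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group outside_in in interface outside
!
! Verify with: show access-list outside_in  (hitcnt on the deny lines)
```

Filtering on the PIX is preferable because the decision is made where the tunnel terminates, before the traffic touches the inside network; the 6509 ACL then only acts as a second check. Whichever device filters, "show access-list" hit counters are the quickest way to confirm the direction is right: if every packet still lands on "permit ip any any", the ACL is either in the wrong direction or the traffic is bypassing it.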