10-08-2003 07:32 AM - edited 02-21-2020 12:48 PM
Hi, we have sold a solution with a PIX 515E at the office and a PIX 501 (less hassle than a software VPN) at the home offices. We do see that the VPN connection is up all the time. Then there is a security problem if a son or daughter connects their own machine to the PIX 501 for Internet surfing. Is it possible to filter which computers can access the VPN tunnel?
10-08-2003 09:11 AM
Yes, you could restrict access to a single computer by changing the ACL that controls the tunnel traffic to only allow a specific host.
You would of course need a static inside address for this computer, rather than using the DHCP-pool.
10-08-2003 01:07 PM
Thanks for your reply, can we do this then:
deny 192.168.1.0/24 ip to 10.10.10.0/24 (work network)
permit 192.168.1.80/32 ip to 10.10.10.0/24
Will the last rule be stronger than the first, which denies everyone?
10-08-2003 11:42 PM
Your permit statement will need to be placed before the deny statement, otherwise .1.80 will be denied with the other machines.
10-09-2003 05:46 AM
Correct, although only the permit statement is needed, as we have - as always - an implicit deny.
Just "access-list xxx permit ip host x.x.x.x y.y.y.y z.z.z.z" will do.
10-09-2003 11:09 AM
Thanks for your replies, they are very helpful. Do you know if it is possible to let the PIX DHCP server reserve an IP address for a specific MAC address? If users are using laptops that they bring from work to home, it is very inconvenient to change from DHCP to a fixed IP address.
10-17-2003 06:11 AM
No, I don't think that is possible, as it is on a Windows DHCP server.
What you could do is install software on the laptop that makes moving between networks less of a hassle. There are many available: IP Changer, IP Switcher, MultiNetwork Manager, to name a few.
IBM laptops come with such a tool called IBM Access Connections.
10-16-2003 06:50 AM
I am in the process of setting up a VPN exactly like this. The software VPN client is working well right now to our VPN 3005 concentrator, but I am installing IP phones out in the field. The HW solution is the only way to go then.
I was concerned about the "family" access to the VPN, but it looks like the access-list will work.
My question to you is, did you set up different VPN keys for each remote? I am wondering if it would be easier for me to use the VPN 3005 instead of the PIX... The PIX is more powerful, but I only have 30 remotes.
Thanks.
12-03-2003 01:31 PM
If this VPN tunnel is up all the time, couldn't you just assign a static IP address to the computer which is supposed to access the tunnel, restrict the nat 0 statement to that IP address only instead of the whole remote network, and do a mirror image on the corporate-side firewall to allow traffic for that one computer to return?
Home network side PIX
access-list inside_outbound_nat0_acl permit ip host 172.16.1.5 192.168.1.0 255.255.255.0
Corporate side PIX
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 172.16.1.5
Just curious.
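The two points the thread settles on, that a PIX ACL is evaluated top down with the first match winning and that an unmatched flow falls into the implicit deny, and the single-host nat 0 lists in the last post, checked with a small first-match evaluator. This is an added example, not code from the thread or from any Cisco tool: it parses PIX 6.x style "access-list NAME permit|deny ip SRC DST" lines and replays constructed flows through them. The addresses are the ones quoted in the thread; the ACL name "vpn", the test flows, and the .81 and .200 stand-ins for a family machine are assumptions made for the example. It also shows what happens when a single host is written with a /24 netmask instead of the host keyword: the PIX masks off the host bits, so such a line covers the whole /24.

```python
"""First-match evaluation of PIX 6.x style access-list lines.

Added example, not from the original thread. It parses the
'access-list NAME permit|deny ip SRC DST' form used on the PIX, where
SRC and DST are 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (the PIX takes
real netmasks, not IOS wildcard masks), and evaluates flows the way the
PIX does: the first matching line wins and an unmatched flow hits the
implicit deny. The addresses are the ones quoted in the thread; the ACL
name 'vpn' and the test flows are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[pos]; return (network, next position)."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    # "A.B.C.D NETMASK": strict=False masks off the host bits, so a host
    # address written with a /24 netmask quietly becomes its whole /24,
    # which is how the PIX treats such a line as well.
    return ipaddress.IPv4Network((tok, tokens[pos + 1]), strict=False), pos + 2


def parse_acl_line(line: str) -> AclEntry:
    tokens = line.split()
    if (len(tokens) < 6 or tokens[0] != "access-list"
            or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
        raise ValueError(f"unsupported access-list line: {line!r}")
    src, pos = _parse_addr(tokens, 4)
    dst, pos = _parse_addr(tokens, pos)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in: {line!r}")
    return AclEntry(tokens[1], tokens[2], src, dst)


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First match wins; no match is the implicit deny at the end of every PIX ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


# Constructed lists reproducing the variants discussed in the thread.
THREAD_ACLS = {
    # the order first proposed: deny the home /24, then permit .80
    "deny_then_permit": [
        "access-list vpn deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
        "access-list vpn permit ip host 192.168.1.80 10.10.10.0 255.255.255.0",
    ],
    # the recommended form: one permit, the implicit deny does the rest
    "permit_only": [
        "access-list vpn permit ip host 192.168.1.80 10.10.10.0 255.255.255.0",
    ],
    # the single-host nat 0 list from the last post, host keyword form
    "nat0_host": [
        "access-list inside_outbound_nat0_acl permit ip host 172.16.1.5 192.168.1.0 255.255.255.0",
    ],
    # a common slip: the same host written with a /24 netmask (constructed)
    "nat0_wide_mask": [
        "access-list inside_outbound_nat0_acl permit ip 172.16.1.5 255.255.255.0 192.168.1.0 255.255.255.0",
    ],
}


def decide(acl: str, src_ip: str, dst_ip: str) -> str:
    return evaluate([parse_acl_line(l) for l in THREAD_ACLS[acl]], src_ip, dst_ip)


def source_width(acl: str) -> int:
    """How many source addresses the first line of the list actually covers."""
    return parse_acl_line(THREAD_ACLS[acl][0]).src.num_addresses


if __name__ == "__main__":
    for acl in THREAD_ACLS:
        print(f"{acl}: first line covers {source_width(acl)} source address(es)")
    # .80 is the intended host; .81 stands in for a family machine
    for acl in ("deny_then_permit", "permit_only"):
        for host in ("192.168.1.80", "192.168.1.81"):
            print(f"  {acl:17} {host} -> {decide(acl, host, '10.10.10.5')}")
    for acl in ("nat0_host", "nat0_wide_mask"):
        for host in ("172.16.1.5", "172.16.1.200"):
            print(f"  {acl:17} {host} -> {decide(acl, host, '192.168.1.10')}")
```

Run it as a script to see the four lists side by side: the deny-first ordering blocks .80 along with everyone else, the single permit lets .80 through and drops .81 on the implicit deny, and the /24-netmask variant lets .200 use the nat 0 exemption, which is exactly the family-machine hole the thread is trying to close.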