I have a PIX 515 running PIX IOS 6.2.1 and a Steel Belted radius server. I want to restrict acces from VPN clients (using Cisco VPN client 3.1) to the internal network. For that I configured the users in Steel Belted with a profile stating 'acl=acl-vpn'. On the PIX I created the following access-list:
I thought that the vpn-clients (using addesses in the range 10.1.2.0/24) would only have telnet access to host 10.1.1.1 but they can reach all the machines in the 10.1.1.0/24 segment on all ports. When I do an 'sh uauth' it shows the logged on user and 'access-list acl-vpn' so the access-list is applied but not enforced.
What am I doing wrong? Is that what I want possible at all?
change acl-vpn to deny tcp 10.1.2.0/24 10.1.1.1/32 eq 23, then deny tcp 10.1.1.1/32 10.1.2.0/24 eq 23, then deny tcp any any, then have a client connect, then check the log and "show access-list acl-vpn" to see which line is doing the denying. you may find the addresses in your permit statement need to be reversed.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...