Re: PIX VPN - restricting access to certain destinations

mamoss · ‎08-20-2003

I have a PIX with a dynamic cryptomap for remote VPN clients. Does anyone know the best method to restrict each vpngroup to access only certain internal destination IP addresses? thanks.

mostiguy · ‎08-20-2003

If each vpngroup has a unique local ip pool, you could write ACLs blocking them and apply them inbound to the inside int:

netadmins ip local pool - 192.168.0.0/28

vendors ip local pool - 192.168.0.16/28

access-list insideint deny xxxxxx xxxxxx 192.168.0.16 255.255.255.240

access-list insideint permit ip any any

this only blocks return traffic from restricted servers to vendors. A evil vendor could still attack servers with connectionless protocols like UDP - they could syslog bomb a server, or send snmp commands, etc.

If you could group all of your servers within a netblock, you could write an acl for a crypto map, and come up wtih a vpn setup that would only allow them to communicate with that netblock. I can't think of any other methods.

mplant · ‎08-20-2003

Why not run a split tunnel configuration, with only the hosts you want to allow them access to in the ACL? Each VPN group can have it's own split-tunnel ACL, so different groups will get different access.

Something like:

vpngroup GROUP1 address-pool GROUP1-ADDRESS-POOL

vpngroup GROUP1 dns-server A.A.A.A

vpngroup GROUP1 wins-server B.B.B.B

vpngroup GROUP1 default-domain domain.com

vpngroup GROUP1 split-tunnel GROUP1-SPLIT-TUNNEL-LIST

vpngroup GROUP1 idle-time 1800

vpngroup GROUP1 password ********

Mike.