Cisco Support Community
Community Member

PIX VPN - restricting access to certain destinations

I have a PIX with a dynamic cryptomap for remote VPN clients. Does anyone know the best method to restrict each vpngroup to access only certain internal destination IP addresses? thanks.


Re: PIX VPN - restricting access to certain destinations

If each vpngroup has a unique local ip pool, you could write ACLs blocking them and apply them inbound to the inside int:

netadmins ip local pool -
vendors ip local pool -
access-list insideint deny xxxxxx xxxxxx
access-list insideint permit ip any any

This only blocks return traffic from restricted servers to vendors. An evil vendor could still attack servers with connectionless protocols like UDP - they could syslog bomb a server, or send snmp commands, etc.

If you could group all of your servers within a netblock, you could write an acl for a crypto map, and come up with a vpn setup that would only allow them to communicate with that netblock. I can't think of any other methods.

Community Member

Re: PIX VPN - restricting access to certain destinations

Why not run a split tunnel configuration, with only the hosts you want to allow them access to in the ACL? Each VPN group can have its own split-tunnel ACL, so different groups will get different access.

Something like:

vpngroup GROUP1 address-pool GROUP1-ADDRESS-POOL
vpngroup GROUP1 dns-server A.A.A.A
vpngroup GROUP1 wins-server B.B.B.B
vpngroup GROUP1 default-domain
vpngroup GROUP1 split-tunnel GROUP1-SPLIT-TUNNEL-LIST
vpngroup GROUP1 idle-time 1800
vpngroup GROUP1 password ********
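The following is an added PIX 6.x configuration example that is not from either reply above; it combines the per-group address pools from the first reply with the per-group split-tunnel lists from the second, and goes one step further than the thread by enforcing the restriction on the PIX itself. The split-tunnel list is pushed to the VPN client and only tells the client which destinations to encrypt, so on its own it does not stop a client that ignores it; the outside-interface ACL below (with `sysopt connection permit-ipsec` turned off so decrypted traffic is not exempt from it) is what actually bounds where each pool can reach, including one-way UDP. All group names, pool names, ACL names and addresses (10.10.1.0/24 and 10.10.2.0/24 for the pools, 192.168.0.0/16 for the inside network, 192.168.50.0/24 for the vendor-reachable servers) are made up for the example.

```cisco
! Added example, not from the thread. Assumes PIX 6.x; all names and
! addresses below are constructed placeholders.

! One address pool per vpngroup, so the client's source address identifies its group
ip local pool NETADMINS-POOL 10.10.1.1-10.10.1.50
ip local pool VENDORS-POOL 10.10.2.1-10.10.2.50

! Split-tunnel lists: source = inside networks the group may reach, destination = that group's pool.
! These are pushed to the client, which only sends matching traffic through the tunnel.
access-list NETADMINS-SPLIT permit ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list VENDORS-SPLIT permit ip 192.168.50.0 255.255.255.0 10.10.2.0 255.255.255.0

vpngroup netadmins address-pool NETADMINS-POOL
vpngroup netadmins split-tunnel NETADMINS-SPLIT
vpngroup netadmins idle-time 1800
vpngroup netadmins password ********

vpngroup vendors address-pool VENDORS-POOL
vpngroup vendors split-tunnel VENDORS-SPLIT
vpngroup vendors idle-time 1800
vpngroup vendors password ********

! Enforcement on the PIX: do not let decrypted IPsec traffic bypass the outside ACL,
! then permit each pool only to the destinations its group is allowed to reach.
! Assumption: IKE/ESP addressed to the PIX itself (enabled with "isakmp enable outside")
! is to-the-box traffic and is not filtered by this ACL; confirm on your release.
no sysopt connection permit-ipsec
access-list OUTSIDE-IN permit ip 10.10.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list OUTSIDE-IN permit ip 10.10.2.0 255.255.255.0 192.168.50.0 255.255.255.0
! Explicit deny with logging (the "log" keyword needs PIX 6.3 or later) so attempts by
! a pool address to reach anything else show up in syslog rather than vanishing into the implicit deny
access-list OUTSIDE-IN deny ip 10.10.0.0 255.255.0.0 any log
access-group OUTSIDE-IN in interface outside
```

Because the PIX tracks connections, servers in 192.168.50.0/24 can still answer vendor clients without any extra rule, and the inside-interface ACL from the first reply becomes unnecessary: the deny is now applied before the packet enters the inside network, so a UDP datagram from a vendor address to a server outside that block is dropped and logged instead of delivered.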
