cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
0
Helpful
2
Replies

Pix VPN Restriction on Ports

mlawson
Level 1
Level 1

It is my understanding that in order to restrict vpn connection either site-to-site or client via ports the "sysopt connection permit ipsec" command needs to be disabled and the control then comes from the access-list that is inbound on the outside interface.

Here is my scenario: 3 site to site and client vpn tunnels

Site 1 needs access to all internal hosts on 192.168.50.0 for port 5900 and full access to 192.168.50.135

Site 2 needs full access to 192.168.50.205, 192.168.50.166, 192.168.50.204 host only

Site 3 needs full access to 192.168.50.5 host only

Here is my config:

access-list acl_outside permit tcp any host a.a.a.a eq https -- this will be a static translation

access-list acl_outside permit tcp any host a.a.a.a eq 3389 -- this will be a static translation

access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900

access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0

access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0 eq 5900

access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.220.0 255.255.255.0

access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0 eq 5900

access-list acl_outside permit ip 192.168.50.135 255.255.255.255 172.20.20.0 255.255.255.0

access-list acl_outside permit ip 192.168.50.205 255.255.255.255 150.2.0.0 255.255.0.0

access-list acl_outside permit ip 192.168.50.204 255.255.255.255 150.2.0.0 255.255.0.0

access-list acl_outside permit ip 192.168.50.166 255.255.255.255 150.2.0.0 255.255.0.0

access-list acl_outside permit ip 192.168.50.5 255.255.255.255 10.99.2.0 255.255.0.0

access-list acl_outside permit tcp 192.168.50.135 255.255.255.255 192.168.60.0 255.255.255.0 eq 3389

access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 150.2.0.0 255.255.0.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 10.99.2.0 255.255.0.0

ip local pool clientvpnpool 192.168.60.1-192.168.60.50

nat (inside) 0 access-list nonat

access-group acl_outside in interface outside

no sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 set peer x.x.x.x -- Site 1 192.168.10.0 and 192.168.220.0 and 172.20.20.0 Network

crypto map mymap 10 set transform-set myset

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 set peer y.y.y.y -- Site 2 150.2.0.0 Network

crypto map mymap 20 set transform-set myset

crypto map mymap 30 ipsec-isakmp

crypto map mymap 30 set per z.z.z.z -- Site 3 10.99.2.0 Network

crypto map mymap 40 ipsec-isakmp dynamic dynmap -- 192.168.60.0 Client VPN Network

crytpo map mymap interface outside

Will this work for my scenarion?

2 Replies 2

acomiskey
Level 10
Level 10

Looks like a lot of your statements are backwards. If the remote network is 192.168.10.0 and the local is 192.168.50.0 then they should look like this...

access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900

Yes you are correct I do have them backwards.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: