Port control for VPN client on the PIX firewall

bma
Level 1

Hi,

I have a PIX 515 firewall with a VPN setup. I want to control VPN clients' security at the port level.

I tried

access-list aclout1 permit tcp 172.16.3.0 255.255.255.0 host x.x.x.x eq 1433

access-list aclout1 deny tcp 172.16.3.0 255.255.255.0 host x.x.x.x

(172.16.3.0 is the ip local pool address; x.x.x.x is the inside server IP address)

on the outside or inside interface, but it's not working. Does anyone have any idea? Please help.

Thanks

Ben

7 Replies

sipulator
Level 1

I am also trying to do the same thing. Using the examples from the command reference for vpdn I set up my ACLs and get the following message when applying them with the nat command:

nat (inside) 0 access-list PPTPAccess

WARNING: access-list protocol or port will not be used.

I have also tried to use the access-group command but cannot get the port filtering to work the way I want.

Are there any other examples of applying port security to vpn users?

I am using a PIX 515 for VPN users with a RADIUS server and using IPsec with a crypto map. I cannot find any way to apply port security to VPN users on the PIX. I called Cisco; the answer is to use a VPN concentrator. If I use TACACS+ or some RADIUS server, it's fine, but all need hardware investment.

I think that maybe I can try to limit port security for VPN users on the router after the firewall (access-list deny or permit for the VPN pool address), but it needs a lot of setup here.

macatalano
Level 1

If I understand, you're trying to filter traffic from users connecting via client VPN terminating on the PIX. I don't think you're going to be able to do it with an ACL applied to an interface. "sysopt ipsec connection-permit" allows IPsec traffic to bypass ACLs and conduits.

You can do this with an AAA server. The following link talks about this a bit. The bug with the PIX not accepting the RADIUS filter-id attribute (mentioned in the first article) was fixed with 6.0.

http://www.cisco.com/warp/public/110/pixcryaaa52.shtml

http://www.cisco.com/warp/public/110/atp52.html

Is this what you're after?

Thanks for the help. I am using Microsoft 2000 Server to do RADIUS for AAA, but cannot make it work. I checked the Cisco documents; TACACS+ is fine, and the other one suggested using a VPN concentrator. All need hardware cost.

ben

regis.thornton
Level 1

If your goal is to restrict VPN client access to your internal network, here may be a solution.

Try setting up three different pools (ip local pool client1 172.16.1.1-172.16.1.254, ...client2....172.17.1.1.0, ...client3...172.18.1.0)

In the access-list only permit the specific traffic to be permitted for ipsec.

access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0

(permit all traffic to be encrypted)

access-list 101 permit tcp 172.17.1.0 255.255.255.0 10.1.1.20 255.255.255.255 eq www

(permit network 172.17.1.0 traffic destined to 10.1.1.20 on port 80 to be encrypted)

access-list 101 permit tcp 172.18.1.0 255.255.255.0 10.1.1.40 255.255.255.255 eq telnet

(permit network 172.18.1.0 traffic destined to 10.1.1.40 on port 23 to be encrypted)

Then create several vpngroups and assign the pools to the different groups.

vpngroup MIS address-pool client1

vpngroup MIS dns-server 10.1.1.11

vpngroup MIS wins-server 10.1.1.10

vpngroup MIS default-domain YOURDOMAIN.COM

vpngroup MIS idle-time 1800

vpngroup MIS password ********

vpngroup ADMIN address-pool client2

vpngroup ADMIN dns-server 10.1.1.11

vpngroup ADMIN wins-server 10.1.1.10

vpngroup ADMIN default-domain YOURDOMAIN.COM

vpngroup ADMIN idle-time 1800

vpngroup ADMIN password ********

etc.

I have not tried this yet but I believe it will work.

Based on what you want to do, here's something you can try. (I'm leaving out a lot of IAS details because I just don't remember them. You'll need to read the IAS whitepaper on the M$ site before trying this):

1. Add your VPN users to different Windows groups based on what they need to access. Group by access requirements.

2. Set up a PIX vpngroup for each of these distinct groups of users. You can use a single vpngroup, but to keep things simple you may want to parallel the Windows groups you created. You can use different address pools if you like.

3. Write an ACL on the PIX for each group of users, restricting each group any way you like. The source address will be their address pool.

4. Create a separate MS IAS remote access policy for each of your user groups. Strip down the matching criteria so that the only thing required to match the policy is Windows Group Membership and NAS IP Address. Add one group to each policy & use the PIX inside IP for NAS IP. (You may want to dump the default IAS policy since it may permit anyone that didn't match any other policy.)

5. Set up your PIX for Xauth.

6. Assuming authentication works, in the profile page for each IAS remote access policy tell IAS to return a RADIUS filter-ID a/v pair to the NAS. The filter-ID will have as its value the name of the ACL on the PIX that you configured for that particular group of users.

7. Connect again and test.

I don't have a sample config of this handy. Please let me know if I need to clarify. Assuming you don't need this kind of control you could just set up an inbound ACL on your first hop inside router too...
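An added example, not from the thread, that evaluates PIX-style access-list entries with first-match and implicit-deny semantics against sample flows, so the per-pool restriction from the reply above (and the per-group ACLs of step 3) can be checked before being deployed. The parser is a simplification (permit/deny, ip/tcp/udp, host/any/mask, eq port), and the port-name table is an assumed subset of what the PIX accepts.

```python
import ipaddress

# Assumed subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "https": 443, "smtp": 25, "ftp": 21}

def _net(addr, mask):
    # PIX access-lists take a real subnet mask (255.255.255.0), not an IOS
    # wildcard mask (0.0.0.255); a wildcard mask here would silently mis-match.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _addr(tokens, i):
    # Parse one address operand: 'host A', 'any', or 'A MASK'.
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    acl_id, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"acl": acl_id, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["port"] is not None and a["port"] != dport:
            continue
        return a["action"] == "permit"
    return False

# Constructed copy of the three per-pool entries (ACL 101) from the reply above.
ACL_101 = [parse_ace(l) for l in """
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit tcp 172.17.1.0 255.255.255.0 10.1.1.20 255.255.255.255 eq www
access-list 101 permit tcp 172.18.1.0 255.255.255.0 10.1.1.40 255.255.255.255 eq telnet
""".split("\n") if l.strip()]
```

Calling evaluate(ACL_101, "tcp", "172.17.1.5", "10.1.1.20", 23) returns False, which is the implicit deny doing the work that the explicit deny line in the original question was added for.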

It's a good idea to set up an ACL on the inside router after the PIX. I will try it. Thanks

Ben
